Comprehensive dotfiles review and modernization #36
Merged
Conversation
Ansible:
- Fix deprecated hostfile->inventory in ansible.cfg
- Fix env var case mismatch (config vs CONFIG) with safe fallback
- Fix non-existent Go version (1.25.0->1.23.6)
- Split tasks by OS into darwin.yml/debian.yml
- Use FQCN for all Ansible modules
- Make Go install idempotent with version check and ARM support
- Replace ignore_errors with smart failed_when on cask installs
- Use list-based name: instead of loop for package installs
- Add tags to all tasks for selective runs
- Fix test.yml referencing wrong role name (defilan-macos)
- Update min_ansible_version 2.1->2.14, add Debian/Ubuntu platforms
- Add Jinja2 conditionals in .zshrc.j2 for lightweight config
- Add requirements.yml, .ansible-lint config
- Replace boilerplate role README with actual documentation
- Remove obsolete .travis.yml
- Add real ansible-lint CI job alongside shell-lint

Shell/ZSH:
- Fix hardcoded /usr/local paths for Apple Silicon compatibility
- Fix Python 2 SimpleHTTPServer -> python3 http.server
- Fix ng-restart (was identical to ng-start)
- Fix broken give-credit() shell redirection bug
- Fix git-rename/g() missing quotes
- Update master->main in aliases and git config
- Make NVM/z sourcing safe with existence checks
- Remove stale aliases (Chef, iOS Simulator, Chrome)

Cleanup:
- Remove nginx/ directory (had someone else's paths)
- Remove obsolete jscsrc/jshintrc configs and git hooks
- Remove plug.vim.old backup
- Remove duplicate vim plugins (vim-json, vim-go, vim-mustache-handlebars)
- Fix duplicate shebang in link.sh
- Expand .gitignore with security-sensitive patterns
- Add YAML lint job for all Ansible YAML files
- Add Ansible syntax check (--syntax-check)
- Add Ansible dry-run on Ubuntu (check mode, lightweight + developer configs)
- Add Ansible dry-run on macOS (check mode, lightweight + developer configs)
- Add ZSH syntax validation for all .zsh files
- Install collection dependencies before ansible-lint
- Dry-run jobs depend on lint + syntax passing first
- Update README badge to match renamed workflow

CI now covers 7 jobs across macOS and Ubuntu runners, testing both config profiles in check mode.
- Add play names to playbook.yml and tests/test.yml (name[play])
- Add trailing newline to playbook.yml (yaml[new-line-at-end-of-file])
- Add document start marker to meta/main.yml (document-start)
- Add version param to git tasks to fix no-changed-when
- Skip role-name rule in .ansible-lint (hyphen is intentional)
- Remove ansible.cfg from yamllint targets (INI format, not YAML)
- Add requirements.yml and tests/ to yamllint targets
- Pin ansible-lint action to full SHA (supply-chain security)
- Tighten Go tarball download to mode 0600 (owner-only)
- Tighten .zshrc template to mode 0600 (may contain sensitive config)
- Directory mode 0755 is intentional (needs execute for traversal)
Guard against unexpanded globs by checking that each match is a regular file and is executable before running it. Fixes #37.
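The guard described in the commit message above, as an added example that is not the repository's own hook-running code: when a directory glob matches nothing, the shell hands the loop the literal pattern (for example `hooks/*`) and a naive loop would try to execute that string. Checking `-f` and `-x` on every match rejects the unmatched pattern, directories and non-executable files alike. The hooks directory layout, script names and the `HOOKS_RUN` counter are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not the repository's own hook runner: iterate over a hooks
# directory and run only entries that are regular, executable files, so an
# unmatched glob (which the shell leaves as the literal pattern) is skipped
# instead of being executed.  Directory layout and script names are assumed.

HOOKS_RUN=0

run_hooks() {
    hook_dir=$1
    HOOKS_RUN=0
    for hook in "$hook_dir"/*; do
        # With no matches, $hook is the literal "<dir>/*": -f fails, so it is
        # skipped.  Directories and chmod -x files are skipped the same way.
        if [ -f "$hook" ] && [ -x "$hook" ]; then
            if ! "$hook"; then
                echo "hook failed: $hook" >&2
                return 1
            fi
            HOOKS_RUN=$((HOOKS_RUN + 1))
        else
            echo "skipping (not a regular executable file): $hook" >&2
        fi
    done
    return 0
}

# Constructed demonstration: an empty hooks directory must run nothing, and in
# a populated directory only the executable script is run.
demo_dir=$(mktemp -d)
run_hooks "$demo_dir"
echo "empty dir: ran $HOOKS_RUN hook(s)"        # empty dir: ran 0 hook(s)

printf '#!/bin/sh\necho "pre-commit hook running"\n' > "$demo_dir/pre-commit"
chmod +x "$demo_dir/pre-commit"
printf 'just notes, not a script\n' > "$demo_dir/README"
run_hooks "$demo_dir"
echo "populated dir: ran $HOOKS_RUN hook(s)"    # populated dir: ran 1 hook(s)
rm -rf "$demo_dir"
```

In bash, `shopt -s nullglob` (or `setopt null_glob` in zsh) makes an unmatched pattern expand to nothing, so the loop body never sees the literal string; the `-f`/`-x` check is still worth keeping because it also skips subdirectories and files that were dropped into the hooks directory without execute permission.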
Replace legacy top-level fact variables (ansible_os_family, ansible_architecture) with ansible_facts dictionary syntax to resolve INJECT_FACTS_AS_VARS deprecation. Tighten directory mode from 0755 to 0750 to resolve SonarCloud security hotspot.
Summary
Closes #37
Test plan
- ansible-playbook defilan-osconfig/playbook.yml -e "config=lightweight" --check locally on macOS
- ansible-playbook defilan-osconfig/playbook.yml -e "config=developer" --check locally on macOS
- .zshrc.j2 renders correctly for lightweight config (no thefuck/kubectl lines)
- .zshrc.j2 renders correctly for developer config (includes thefuck/kubectl)
- /opt/homebrew/share/paths)
- --no-verify when no hook scripts exist