Upgrades packages and adds Molecule CI testing #1
Refactored the Molecule job setup in the workflow file to include setting up Python, installing dependencies, creating molecule scenario with Docker configurations, defining playbooks and tests, running molecule tests, and uploading test results.
Added configuration for molecule requirements in the YAML file to include collections like ansible.posix, community.general, and community.crypto.
- Updates multiple DEB packages and tools to latest versions including minikube, tabby, k9s, and various Kubernetes utilities
- Refactors repository management by adding dual-state handling for DEB822 repositories with proper cleanup logic
- Changes Helm repository source from baltocdn to official buildkite distribution for better reliability
- Removes outdated package cleanup entries and adds Claude-related files to gitignore
- Relates to version 1.2.0 release
📝 Walkthrough
Updates CI/lint workflows and local test fixtures; adds a script to detect and optionally rewrite pinned GitHub release URLs; bumps many pinned package/artifact versions and adjusts related Ansible repository and task variables; adds Molecule scenarios and Proxmox helpers for testing.
Changes
- CI, Linting & Local Fixtures
- Package/version management, Ansible role changes & Tests
Sequence Diagram(s)
```mermaid
sequenceDiagram
    participant User as CLI User
    participant Script as check_versions.py
    participant GitHub as GitHub API
    participant File as roles/pld/vars/shared.yml
    User->>Script: run (optionally --update, token)
    Script->>File: parse & extract GitHub release URLs
    Script->>GitHub: GET /repos/:owner/:repo/releases/latest (with token if provided)
    GitHub-->>Script: latest release tag
    Script->>Script: compare tags (to_semver)
    alt outdated
        Script->>User: print OUTDATED and changelog line
        opt --update
            Script->>File: rewrite URL tag and write file
            Script->>User: report rewritten entries
        end
    else up-to-date/skip
        Script->>User: print UP TO DATE / SKIPPED
    end
```
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~25 minutes
🚥 Pre-merge checks: ✅ 4 passed | ❌ 1 failed (1 warning)
Actionable comments posted: 3
🧹 Nitpick comments (2)
.github/workflows/01_lint_me.yml (2)
65-68: ⚖️ Poor tradeoff: Consider pinning dependency versions for reproducible CI builds.
Installing dependencies without version constraints can cause unexpected failures when upstream packages release breaking changes. Consider creating a `requirements-molecule.txt` with pinned versions.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/01_lint_me.yml around lines 65 - 68, The CI step "Install dependencies" currently installs packages without pinned versions; create a requirements-molecule.txt that pins exact versions for ansible-core, molecule, molecule-plugins[docker], docker, yamllint, ansible-lint and pytest-testinfra, commit that file, and update the workflow's "run" block (the Install dependencies step) to install from the requirements file (pip install -r requirements-molecule.txt) so CI uses reproducible, version-pinned dependencies.
28-51: 💤 Low value: Remove commented-out code instead of leaving it in the workflow.
The old `super-lint` job should be deleted rather than commented out. Version control preserves history if you need to restore it later.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/01_lint_me.yml around lines 28 - 51, Remove the entire commented-out "super-lint" job block (the lines containing the commented job name "super-lint", its steps, and env variables like DEFAULT_BRANCH, GITHUB_TOKEN, VALIDATE_ALL_CODEBASE, VALIDATE_JSCPD, VALIDATE_NATURAL_LANGUAGE) rather than leaving it commented in the workflow; delete those lines so only active jobs remain and validate the YAML to ensure the workflow structure stays correct after removal.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/01_lint_me.yml:
- Around line 185-189: The test function test_is_mint22 incorrectly asserts the
codename "vera"; update the assertion in test_is_mint22 that checks
os_release.contains("vera") to use the correct Linux Mint 22 codename "wilma" so
the host.file("/etc/os-release") check matches the mint22 container.
- Around line 200-207: Remove the duplicate heredoc that overwrites
molecule/default/requirements.yml: delete the block that starts with "cat >
molecule/default/requirements.yml << EOF" which writes an empty template, so the
previously defined collections (ansible.posix, community.general,
community.crypto) are preserved for the Molecule dependency step; ensure no
other step recreates a blank requirements.yml.
In `@roles/pld/tasks/install_keys_and_repos.yml`:
- Around line 129-130: The loop uses "loop: \"{{ custom_repositories }}\"" which
is evaluated even when the when guard runs, causing failures if
custom_repositories is undefined; update both occurrences of that loop (the two
tasks using loop: "{{ custom_repositories }}" around lines shown) to use the
default filter—i.e., change the loop expression to loop: "{{ custom_repositories
| default([]) }}" in both tasks so the loop safely runs as an empty list when
the variable is not set.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: dff3e6c1-78df-4e44-a4d5-00da0b4b8682
📒 Files selected for processing (5)
- .github/workflows/01_lint_me.yml
- .gitignore
- CHANGELOG.md
- roles/pld/tasks/install_keys_and_repos.yml
- roles/pld/vars/shared.yml
| def test_is_mint22(host): | ||
| # Check if it's Linux Mint 22 | ||
| os_release = host.file("/etc/os-release") | ||
| assert os_release.contains("Linux Mint") | ||
| assert os_release.contains("vera") # Mint 22 codename |
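Review bot: the last assertion in `test_is_mint22` matches the bare substring "vera", which is not the Linux Mint 22 codename and, being a substring match, would also pass if that text appeared in any unrelated field of /etc/os-release; assert on the exact key/value pair instead, e.g. `assert os_release.contains("VERSION_CODENAME=wilma")`, so the check fails loudly when the container image changes. The preceding `contains("Linux Mint")` is better anchored the same way, as `NAME="Linux Mint"`.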
Bug: Incorrect Linux Mint codename in test assertion.
"This is Linux Mint 22, codename Wilma." The test checks for "vera" which is actually the codename for Linux Mint 21.1, not 22. This test will fail on the mint22 container.
🐛 Proposed fix: Use correct codename
def test_is_mint22(host):
# Check if it's Linux Mint 22
os_release = host.file("/etc/os-release")
assert os_release.contains("Linux Mint")
- assert os_release.contains("vera") # Mint 22 codename
+ assert os_release.contains("wilma") # Mint 22 codename
| loop: "{{ custom_repositories }}" | ||
| when: custom_repositories is defined and custom_repositories | length > 0 |
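Review bot: `loop: "{{ custom_repositories }}"` is templated before `when` is evaluated, so an undefined `custom_repositories` fails the task despite the guard; change the loop expression to `loop: "{{ custom_repositories | default([]) }}"`, and consider also declaring `custom_repositories: []` in the role defaults so the variable is documented and the `is defined` half of the guard becomes redundant. The second task that iterates the same variable needs the identical change.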
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
# Verify whether the variable is defined anywhere as a safe default.
rg -n -C2 '\bcustom_repositories\s*:' --type=yaml --type=yml
# Show all usages to confirm loop patterns.
rg -n -C2 '\bcustom_repositories\b' roles/pld/tasks/install_keys_and_repos.yml
```
Repository: marcinbojko/pld
Length of output: 87
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
# Check the file exists and read relevant sections
echo "=== Lines 129-135 (First occurrence) ==="
sed -n '129,135p' roles/pld/tasks/install_keys_and_repos.yml
echo -e "\n=== Lines 148-155 (Second occurrence) ==="
sed -n '148,155p' roles/pld/tasks/install_keys_and_repos.yml
echo -e "\n=== Search for custom_repositories definition in YAML files ==="
rg -n 'custom_repositories\s*:' --type yaml
echo -e "\n=== All usages of custom_repositories in the file ==="
rg -n 'custom_repositories' roles/pld/tasks/install_keys_and_repos.yml
```
Repository: marcinbojko/pld
Length of output: 677
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
# Check if custom_repositories is set in any defaults or vars files
echo "=== Searching for custom_repositories in defaults/vars/group_vars/host_vars ==="
find roles/pld -type f \( -name "*.yml" -o -name "*.yaml" \) | head -20 | xargs grep -l "custom_repositories" 2>/dev/null || echo "Not found in role defaults/vars"
# Check the entire repo structure for where this might be defined
echo -e "\n=== All files mentioning custom_repositories ==="
rg -l "custom_repositories" --type yaml
# Check if there are any playbook invocations or documentation
echo -e "\n=== Check for README or documentation about this variable ==="
find . -maxdepth 2 \( -name "README*" -o -name "*.md" \) -type f | head -5
```
Repository: marcinbojko/pld
Length of output: 365
Guard custom_repositories loop with default([]) to prevent undefined-variable failures in both custom-repository tasks.
The loop: "{{ custom_repositories }}" expression is evaluated before the when condition, so an undefined variable will cause a failure regardless of the when guard. Since custom_repositories has no default defined anywhere in the role, apply the default([]) filter in both occurrences (lines 129-130 and 151-152).
Proposed fix
- loop: "{{ custom_repositories }}"
+ loop: "{{ custom_repositories | default([]) }}"
  when: custom_repositories is defined and custom_repositories | length > 0
Apply the same fix at lines 151-152.
- Fixed palemoon repo URL (stevenpusser path + xUbuntu_24.04)
- Disabled invalid helm-stable-debian repo (Helm via HashiCorp)
- Fixed gping download filename format
- Added version checker script to detect outdated GitHub releases (supports --update flag to rewrite shared.yml)
- Simplified CI linter workflow (stripped excess permissions, removed molecule job)
- Added act push event fixture and yamllint config under .linters
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/01_lint_me.yml:
- Line 27: DEFAULT_BRANCH is hardcoded to "main" causing mismatches with PRs
targeting "master"; update the workflow to set DEFAULT_BRANCH dynamically by
using the PR/base ref (e.g., github.event.pull_request.base.ref) or the repo
default/ref name so Super-Linter diffs against the actual base branch. Locate
the DEFAULT_BRANCH entry and replace the literal "main" with an expression that
evaluates to the pull request base branch or repo ref (use
github.event.pull_request.base.ref or similar GitHub Actions context) so it
adapts to PRs targeting master or other branches.
- Line 25: Replace the mutable tag reference "super-linter/super-linter@v8.6.0"
with the resolved full-length commit SHA for that action (keep the "v8.6.0" tag
as an inline comment for readability); update the workflow step that uses the
Super-Linter action so it points to the immutable commit SHA instead of the tag,
ensuring the uses: line references the SHA (e.g., uses:
super-linter/super-linter@<full-commit-sha>) while preserving the tag in a
comment near that line.
In `@scripts/check_versions.py`:
- Line 230: Remove the unnecessary f-string prefix on the print statement in
scripts/check_versions.py (the line printing "Review: git diff
roles/pld/vars/shared.yml"): change the print call to use a plain string literal
instead of an f-string so the f-prefix is dropped and Ruff F541 is avoided.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: b3ce6302-9d2d-473b-9b2e-d96c529672ef
📒 Files selected for processing (8)
- .github/act/push.json
- .github/workflows/01_lint_me.yml
- .gitignore
- .linters/.yamllint
- CHANGELOG.md
- roles/pld/handlers/main.yml
- roles/pld/vars/shared.yml
- scripts/check_versions.py
✅ Files skipped from review due to trivial changes (4)
- roles/pld/handlers/main.yml
- .linters/.yamllint
- .github/act/push.json
- CHANGELOG.md
- Pinned super-linter action to a commit SHA for reproducibility
- Simplified linter config: removed Ansible validation, hardcoded VALIDATE_ALL_CODEBASE=false, dynamic default branch resolution
- Moved yamllint config to standard .github/linters path with .yml extension
- Bumped act release from v0.2.83 to v0.2.88
- Fixed unnecessary f-string in version checker script
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@roles/pld/vars/shared.yml`:
- Around line 140-149: The commented Helm apt source was removed but Helm
remains in pld_packages, so add a proper deb822 repository entry replacing the
incorrect "HashiCorp repository" note: create a repo block (same format as
existing apt sources) pointing to
https://packages.buildkite.com/helm-linux/helm-debian/any/ with enabled: true,
types: deb, suites: any, components: main, architectures: amd64 (or match
existing arch config) and signed_by set to the Helm signing key URL (per Helm
docs); update the inline note to reference the Buildkite/Helm official repo and
ensure the new repo entry is present alongside other apt sources in shared.yml
so apt can install the helm package referenced by pld_packages.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 3916f8ec-ed21-4c8c-9327-49dfc12fe506
📒 Files selected for processing (4)
- .github/linters/.yamllint.yml
- .github/workflows/01_lint_me.yml
- roles/pld/vars/shared.yml
- scripts/check_versions.py
✅ Files skipped from review due to trivial changes (1)
- .github/linters/.yamllint.yml
| # Note: Helm is installed via HashiCorp repository (see hashicorp repo below) | ||
| # - name: helm-stable-debian | ||
| # types: deb | ||
| # suites: all | ||
| # components: main | ||
| # uris: | ||
| # - "https://baltocdn.com/helm/stable/debian/" | ||
| # enabled: true | ||
| # architectures: amd64 | ||
| # signed_by: https://baltocdn.com/helm/signing.asc |
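Review bot: commenting out the whole `helm-stable-debian` block leaves no apt source for `helm` while the package stays in `pld_packages`, and the new note pointing at the HashiCorp repository is wrong for Helm; restore an active deb822 entry for the official Helm repository at `https://packages.buildkite.com/helm-linux/helm-debian/any/` with `suites: any` instead of the old baltocdn URL. Whichever URL `signed_by` ends up pointing at is fetched over the network at converge time, so have the key-installation task check the downloaded key against a recorded fingerprint (or vendor the key file in the role) rather than trusting whatever the URL serves on a given run.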
🧩 Analysis chain
🌐 Web query:
What is the official Debian/Ubuntu apt repository for installing Helm as of 2026, and is `https://apt.releases.hashicorp.com` documented as a source for the helm apt package?
💡 Result:
Official Debian/Ubuntu apt repository for installing Helm (as documented as of 2026): https://packages.buildkite.com/helm-linux/helm-debian/any/ any main (repo stanza: deb [signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main). Is https://apt.releases.hashicorp.com documented as a source for the helm apt package? No. Helm’s own official “From Apt (Debian/Ubuntu)” instructions point to the Helm Debian repository hosted on packages.buildkite.com, not HashiCorp’s apt repository at apt.releases.hashicorp.com. The HashiCorp apt repository at https://apt.releases.hashicorp.com is documented for HashiCorp product packages (e.g., via their official packaging guide), not for the Helm apt package.
Citations:
- 1: https://helm.sh/docs/intro/install
- 2: https://helm.sh/uk/blog/debian-helm-repository-move
- 3: https://www.hashicorp.com/en/official-packaging-guide
- 4: https://helm.sh/docs/install/
Helm repository was removed but not replaced—this will break package installation.
The commented code was pointing to an outdated Helm source. Line 140's note about "HashiCorp repository" is incorrect; the official Helm Debian/Ubuntu apt repository is hosted on Buildkite at https://packages.buildkite.com/helm-linux/helm-debian/any/ per Helm's own documentation. With helm still in pld_packages, the system will fail to install it without an active Helm repository entry.
🔧 Proposed fix (deb822 entry)
- # Note: Helm is installed via HashiCorp repository (see hashicorp repo below)
- # - name: helm-stable-debian
- # types: deb
- # suites: all
- # components: main
- # uris:
- # - "https://baltocdn.com/helm/stable/debian/"
- # enabled: true
- # architectures: amd64
- # signed_by: https://baltocdn.com/helm/signing.asc
+ - name: helm-stable-debian
+ types: deb
+ suites: any
+ components: main
+ uris:
+ - "https://packages.buildkite.com/helm-linux/helm-debian/any/"
+ enabled: true
+ architectures: amd64
+ signed_by: https://packages.buildkite.com/helm-linux/helm-debian/gpgkey
- Added GitHub Actions workflow for Ansible syntax checking on push/PR
- Added default molecule scenario for local/CI testing
- Added Proxmox molecule scenario with snapshot-based create/destroy lifecycle
- Added molecule Python dependencies
- Added community.proxmox collection requirement
- Improved loop label readability in obsolete files task
- Extended gitignore to cover .env files
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/02_syntax_check.yml:
- Around line 33-34: The workflow step labeled "Run molecule syntax" currently
runs only "molecule syntax" which validates the default scenario only; update
that step to explicitly validate all scenarios by replacing the command with
either "molecule syntax --all" or run two commands such as "molecule syntax
--scenario-name default" and "molecule syntax --scenario-name proxmox" so both
the default and proxmox scenarios are checked (reference the step name "Run
molecule syntax" and the command "molecule syntax").
In `@molecule/default/molecule.yml`:
- Line 6: Update the Molecule configuration to stop bypassing TLS verification:
change the ignore-certs setting in molecule.yml from true to false so Ansible
Galaxy collection downloads validate certificates; locate the ignore-certs key
in the top-level config block (symbol: ignore-certs) and set it to false, then
run your Molecule test/playbook to confirm collection installs still succeed
with proper TLS validation.
In `@molecule/proxmox/create.yml`:
- Line 13: Update the Proxmox molecule playbooks so TLS certificate verification
is enabled by default: change the validate_certs key from false to a
parameterized value that defaults to true (e.g., validate_certs: "{{
proxmox_validate_certs | default(true) }}") in both create.yml and destroy.yml
so callers can still override by setting proxmox_validate_certs when necessary;
ensure the key name validate_certs is used exactly as shown.
- Line 23: Replace the blanket ignore_errors: true on the snapshot creation task
with targeted failure-handling: remove ignore_errors, add register:
snapshot_result to capture the task result, and add a failed_when that only
suppresses failures when the error indicates the snapshot is missing (e.g.,
failed_when: snapshot_result.failed and "snapshot does not exist" not in
snapshot_result.msg | default("")). This ensures authentication, connectivity,
or API errors still fail the play while only the "snapshot missing" case is
ignored.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 6dfdb975-7758-43c3-9a85-e46faf12d2dd
📒 Files selected for processing (10)
- .github/workflows/02_syntax_check.yml
- .gitignore
- molecule/default/converge.yml
- molecule/default/molecule.yml
- molecule/proxmox/create.yml
- molecule/proxmox/destroy.yml
- molecule/proxmox/molecule.yml
- molecule/requirements.txt
- requirements.yml
- roles/pld/tasks/remove_obsolete.yml
✅ Files skipped from review due to trivial changes (4)
- molecule/requirements.txt
- roles/pld/tasks/remove_obsolete.yml
- requirements.yml
- .gitignore
| - name: Run molecule syntax | ||
| run: molecule syntax |
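Review bot: `molecule syntax` with no flags checks only the `default` scenario, so the `proxmox` scenario added in this PR is never syntax-checked by this workflow; prefer `molecule syntax --all` so any scenario added later is picked up without editing the workflow, or list each one explicitly with `--scenario-name default` and `--scenario-name proxmox` if the set of scenarios should be pinned in CI. Either way, rename the step so its name reflects that more than one scenario is covered.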
🧩 Analysis chain
🏁 Script executed:
```bash
# First, find molecule-related files in the repository
fd -t f -i "molecule" | head -20
```
Repository: marcinbojko/pld
Length of output: 119
🏁 Script executed:
```bash
# Search for molecule.yml or similar config files
fd -t f "molecule\.y*ml" | head -20
```
Repository: marcinbojko/pld
Length of output: 119
🏁 Script executed:
```bash
# Also check for molecule directory structures
fd -t d "molecule" | head -20
```
Repository: marcinbojko/pld
Length of output: 69
🏁 Script executed:
```bash
# Read the workflow file to see current state
cat -n .github/workflows/02_syntax_check.yml
```
Repository: marcinbojko/pld
Length of output: 955
🏁 Script executed:
```bash
# Check Molecule documentation about the syntax command and scenario selection
rg "molecule syntax" --type yaml -A 3 -B 3
```
Repository: marcinbojko/pld
Length of output: 41
🏁 Script executed:
```bash
# Check the default scenario configuration
head -30 molecule/default/molecule.yml
```
Repository: marcinbojko/pld
Length of output: 510
🏁 Script executed:
```bash
# Check the proxmox scenario configuration
head -30 molecule/proxmox/molecule.yml
```
Repository: marcinbojko/pld
Length of output: 693
🏁 Script executed:
```bash
# Look for any .molecule.yml or setup.cfg that might set defaults
find . -name ".molecule.yml" -o -name "setup.cfg" -o -name "pyproject.toml" | xargs cat 2>/dev/null | head -50
```
Repository: marcinbojko/pld
Length of output: 41
🌐 Web query:
Molecule syntax command scenario behavior default
💡 Result:
Molecule is an Ansible testing framework where scenarios define testing configurations in directories under molecule/, with the default scenario named "default". If no scenario is specified with -s/--scenario-name, Molecule targets the "default" scenario. Scenario syntax in molecule.yml:
```yaml
scenario:
  name: default  # Optional; defaults to directory name if omitted
  test_sequence:
    - dependency
    - cleanup
    - destroy
    - syntax
    - create
    - prepare
    - converge
    - idempotence
    - side_effect
    - verify
    - cleanup
    - destroy
  # Similar for create_sequence, converge_sequence, etc.
```
Commands like molecule test execute the defined sequence for the targeted scenario. molecule syntax runs syntax checks. Default behavior starts fresh by destroying existing instances unless overridden (e.g., --destroy=never). Scenarios are independent unless shared_state: true is configured. CLI example:
```bash
molecule test                 # Runs default scenario's test_sequence
molecule test -s my_scenario  # Targets my_scenario
molecule converge             # Runs converge_sequence on default
```
Citations:
- 1: https://molecule.readthedocs.io/usage/
- 2: https://docs.ansible.com/projects/molecule/configuration/
- 3: https://oneuptime.com/blog/post/2026-01-30-ansible-molecule-scenarios/view
- 4: https://molecule.readthedocs.io/workflow/
- 5: https://molecule.readthedocs.io/configuration/
🌐 Web query:
molecule syntax all scenarios or single scenario
💡 Result:
In Ansible Molecule, Molecule commands (such as test, syntax, converge, destroy, etc.) can target either a single scenario or all scenarios, using specific command-line syntax.
Single scenario: Use the -s or --scenario-name option followed by the scenario name (defaults to 'default' if omitted). Examples:
```bash
molecule test -s default
molecule test -s tls
molecule syntax --scenario-name clustered
```
All scenarios: Use the --all flag (primarily documented for test, but applicable to other actions like destroy). Example:
```bash
molecule test --all
```
This runs the full test sequence across all discovered scenarios sequentially. Each scenario executes independently with its own lifecycle (destroy -> create -> ... -> destroy per test_sequence). Note: --all loops through each scenario, executing the command/sequence for one at a time. For destroy, some commands support destroy --all directly. Scenarios are directories under molecule/ (e.g., molecule/default, molecule/centos), each with its own molecule.yml configuring driver, platforms, sequences, etc. Official docs confirm --scenario-name targets specific/nested scenarios (with / or wildcards), while --all runs everything.
Citations:
- 1: https://molecule.readthedocs.io/usage/
- 2: https://oneuptime.com/blog/post/2026-02-21-how-to-create-a-molecule-scenario/view
- 3: https://docs.ansible.com/projects/molecule/workflow/
- 4: molecule test --all should destroy all scenarios before starting the full matrix ansible/molecule#1076
- 5: https://molecule.readthedocs.io/workflow/
- 6: https://ansible.readthedocs.io/projects/molecule/configuration/?h=
Syntax check should explicitly cover both Molecule scenarios.
molecule syntax without flags targets only the default scenario; the proxmox scenario syntax remains unchecked. Both scenarios must be validated. Use --scenario-name to explicitly run syntax for each scenario, or use --all to run for all discovered scenarios.
Suggested change
- name: Run molecule syntax
run: molecule syntax
+ - name: Run molecule syntax (all scenarios)
+ run: |
+ molecule syntax --scenario-name default
+     molecule syntax --scenario-name proxmox
Ref: https://molecule.readthedocs.io/usage/
| name: galaxy | ||
| options: | ||
| requirements-file: requirements.yml | ||
| ignore-certs: true |
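Review bot: `ignore-certs: true` under the galaxy dependency options disables TLS verification for every collection download in this scenario, so the CI dependency step would accept content from anyone who can sit between the runner and Galaxy; set it to `false`. If the setting was added to get past a private Galaxy server or an intercepting proxy with its own CA, trust that CA in the runner's certificate store instead of switching verification off for all downloads.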
🧩 Analysis chain
🏁 Script executed:
# Check if the file exists and examine its content
if [ -f "molecule/default/molecule.yml" ]; then
echo "=== File found ==="
wc -l molecule/default/molecule.yml
echo -e "\n=== Full content with line numbers ==="
cat -n molecule/default/molecule.yml
else
echo "File not found"
find . -name "molecule.yml" -type f 2>/dev/null
fiRepository: marcinbojko/pld
Length of output: 791
🏁 Script executed:
# Check repository metadata and docs
ls -la | head -20
echo -e "\n=== Checking for README or docs ==="
find . -maxdepth 2 -name "README*" -o -name "CONTRIBUTING*" | head -5
echo -e "\n=== Checking git status ==="
git log --oneline -5 2>/dev/null || echo "No git history available"
echo -e "\n=== Checking if this is a CI/CD file or test file ==="
find . -name ".github" -o -name ".gitlab-ci.yml" -o -name ".travis.yml" -o -name "tox.ini" 2>/dev/null | head -5Repository: marcinbojko/pld
Length of output: 1381
🏁 Script executed:
# Check README for project context (first 100 lines)
echo "=== README.md (first 100 lines) ==="
head -100 README.md
echo -e "\n=== .gitlab-ci.yml ==="
cat .gitlab-ci.ymlRepository: marcinbojko/pld
Length of output: 6170
🏁 Script executed:
# Check if there's any documentation about why ignore-certs is needed
echo "=== Checking requirements.yml ==="
cat requirements.yml
echo -e "\n=== Checking for any comments or docs about molecule setup ==="
find molecule -type f | head -20
cat molecule/default/molecule.yml
echo -e "\n=== Check git history for ignore-certs introduction ==="
git log --oneline --all -- molecule/default/molecule.yml | head -10
git log -p --follow -- molecule/default/molecule.yml | head -50
Repository: marcinbojko/pld
Length of output: 1019
Disable TLS certificate verification bypass in Molecule test configuration.
The ignore-certs: true setting on line 6 disables TLS verification for Ansible Galaxy collection downloads. Official collections from secure sources do not require this override, and it weakens supply-chain security even in test environments. Change to ignore-certs: false.
Suggested change
- ignore-certs: true
+ ignore-certs: false
Ref: https://docs.ansible.com/ansible/latest/cli/ansible-galaxy.html
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@molecule/default/molecule.yml` at line 6, Update the Molecule configuration
to stop bypassing TLS verification: change the ignore-certs setting in
molecule.yml from true to false so Ansible Galaxy collection downloads validate
certificates; locate the ignore-certs key in the top-level config block (symbol:
ignore-certs) and set it to false, then run your Molecule test/playbook to
confirm collection installs still succeed with proper TLS validation.
| api_user: "{{ lookup('env', 'PROXMOX_API_USER') }}" | ||
| api_token_id: "{{ lookup('env', 'PROXMOX_TOKEN_ID') }}" | ||
| api_token_secret: "{{ lookup('env', 'PROXMOX_TOKEN_SECRET') }}" | ||
| validate_certs: false |
🧩 Analysis chain
🏁 Script executed:
fd -type f -name "create.yml" | grep proxmoxRepository: marcinbojko/pld
Length of output: 230
🏁 Script executed:
fd -type f -name "destroy.yml" | grep proxmoxRepository: marcinbojko/pld
Length of output: 230
🏁 Script executed:
git ls-files | grep -E "proxmox.*\.yml"
Repository: marcinbojko/pld
Length of output: 146
🏁 Script executed:
cat -n molecule/proxmox/create.yml
Repository: marcinbojko/pld
Length of output: 1341
🏁 Script executed:
cat -n molecule/proxmox/destroy.yml
Repository: marcinbojko/pld
Length of output: 1223
Enable Proxmox API certificate verification by default.
Both molecule/proxmox/create.yml (line 13) and molecule/proxmox/destroy.yml (line 13) have validate_certs: false, which disables TLS trust checks on API calls. This should default to true and be overrideable when needed.
Suggested changes:
molecule/proxmox/create.yml
- validate_certs: false
+ validate_certs: "{{ lookup('env', 'PROXMOX_VALIDATE_CERTS') | default('true') | bool }}"
molecule/proxmox/destroy.yml
- validate_certs: false
+ validate_certs: "{{ lookup('env', 'PROXMOX_VALIDATE_CERTS') | default('true') | bool }}"
Ref: https://docs.ansible.com/ansible/latest/collections/community/proxmox/proxmox_snap_module.html
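Review bot: the suggested `+ validate_certs:` line in both create.yml and destroy.yml does not actually default to verification when PROXMOX_VALIDATE_CERTS is unset: `lookup('env', ...)` returns an empty string rather than an undefined value, Jinja's `default('true')` only replaces undefined values, and `'' | bool` evaluates to false, so TLS verification would still be off unless the variable is explicitly exported. Use `default('true', true)` (the second argument also replaces empty values), `lookup('env', 'PROXMOX_VALIDATE_CERTS', default='true')`, or a play variable such as the `proxmox_validate_certs | default(true)` form given in the agent prompt below.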
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@molecule/proxmox/create.yml` at line 13, Update the Proxmox molecule
playbooks so TLS certificate verification is enabled by default: change the
validate_certs key from false to a parameterized value that defaults to true
(e.g., validate_certs: "{{ proxmox_validate_certs | default(true) }}") in both
create.yml and destroy.yml so callers can still override by setting
proxmox_validate_certs when necessary; ensure the key name validate_certs is
used exactly as shown.
| snapname: "{{ snapshot_name }}" | ||
| state: absent | ||
| loop: [153, 167] | ||
| ignore_errors: true |
🧩 Analysis chain
🏁 Script executed:
find . -name "create.yml" -path "*/proxmox/*" | head -20Repository: marcinbojko/pld
Length of output: 89
🏁 Script executed:
cat -n ./molecule/proxmox/create.yml
Repository: marcinbojko/pld
Length of output: 1341
🏁 Script executed:
# Check if there are other similar Ansible patterns in the repo to understand error handling practices
rg "ignore_errors" --type yaml | head -20Repository: marcinbojko/pld
Length of output: 1287
🏁 Script executed:
# Check for failed_when patterns in similar contexts
rg "failed_when" --type yaml -A 1 -B 1 | head -40Repository: marcinbojko/pld
Length of output: 2173
Handle only the "snapshot missing" error case explicitly instead of suppressing all errors.
The ignore_errors: true on line 23 hides authentication failures, connectivity issues, and API errors that could leave the VMs in an invalid state before the snapshot creation task runs. Since the task name indicates the snapshot may not exist, use failed_when to only ignore the snapshot-not-found case:
failed_when: false
or with specific error checking:
register: snapshot_result
failed_when: snapshot_result.failed and "snapshot does not exist" not in snapshot_result.msg | default("")
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@molecule/proxmox/create.yml` at line 23, Replace the blanket ignore_errors:
true on the snapshot creation task with targeted failure-handling: remove
ignore_errors, add register: snapshot_result to capture the task result, and add
a failed_when that only suppresses failures when the error indicates the
snapshot is missing (e.g., failed_when: snapshot_result.failed and "snapshot
does not exist" not in snapshot_result.msg | default("")). This ensures
authentication, connectivity, or API errors still fail the play while only the
"snapshot missing" case is ignored.
Replaces the Super-Linter CI workflow with a Molecule-based testing pipeline targeting Linux Mint 22, enabling proper role validation in a Docker environment with systemd support. The new workflow installs dependencies, dynamically generates the Molecule scenario configuration, and uploads test artifacts for debugging.
Also refactors the repository management tasks to explicitly handle state transitions (removing stale entries before adding updated ones), preventing leftover configuration artifacts when repositories change.
Package upgrades (v1.2.0):
- ipscan, tabby, minikube, balena-etcher, kube-bench, syft, steampipe, rambox, k9s, sops, and atuin
- kubeconform, tflint, nerdctl, kustomize, act, eza, polaris, gping, lazydocker, k3s, k3d, hadolint, yq, kubeswitch, and argocd
- kubent from a nightly build to the stable 0.7.3 release
Other changes:
google-chrome.list, ngrok)
Summary by CodeRabbit
Bug Fixes (v1.2.0)
Chores (v1.2.0)
Documentation