From a4cc875c7b00d4d4f3d5680b9d657f6f522666f9 Mon Sep 17 00:00:00 2001 From: Ryan Spletzer Date: Sun, 1 Mar 2026 18:01:07 -0500 Subject: [PATCH 1/2] style: Resolve ansible-lint warnings across all playbooks - yaml[truthy]: Replace `yes` with `true` for all YAML truthy values (gather_facts, become, update_cache, upgrade, etc.) - ignore-errors: Replace `ignore_errors: yes` with `failed_when: false` for more precise error suppression - schema[playbook]: Use fully qualified `ansible.builtin.sudo` for become_method - command-instead-of-shell: Use `command` instead of `shell` for the Homebrew cask install task (no shell features needed) Remove yaml[truthy], ignore-errors, and schema[playbook] from the ansible-lint warn_list since all violations are now resolved. Future violations will fail the build. Co-Authored-By: Claude Opus 4.6 --- .ansible-lint | 3 --- debian/setup.yaml | 30 +++++++++++++++--------------- fedora/setup.yaml | 28 ++++++++++++++-------------- macOS/setup.yaml | 38 ++++++++++++++++++-------------------- ubuntu/setup.yaml | 28 ++++++++++++++-------------- 5 files changed, 61 insertions(+), 66 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 181f95e..c7c6ba1 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -2,10 +2,7 @@ warn_list: - command-instead-of-module - command-instead-of-shell - fqcn[action-core] - - ignore-errors - name[missing] - no-changed-when - - schema[playbook] - yaml[empty-lines] - yaml[line-length] - - yaml[truthy] diff --git a/debian/setup.yaml b/debian/setup.yaml index 41c9219..d474228 100644 --- a/debian/setup.yaml +++ b/debian/setup.yaml @@ -5,7 +5,7 @@ - name: Setup development environment on Debian hosts: localhost connection: local - gather_facts: yes + gather_facts: true # Define the become password at the play level so it's available to all tasks vars: ansible_become_pass: "{{ lookup('env', 'ANSIBLE_SUDO_PASS') }}" @@ -32,7 +32,7 @@ exit 0 fi register: wsl_check - ignore_errors: yes + failed_when: false changed_when: false tags: - system @@ -80,9 +80,9 @@ # apt update - name: Update APT cache ansible.builtin.apt: - update_cache: yes + update_cache: true cache_valid_time: 3600 - become: yes + become: true tags: - apt - update @@ -90,8 +90,8 @@ # apt upgrade - name: Upgrade all packages ansible.builtin.apt: - upgrade: yes - become: yes + upgrade: true + become: true tags: - apt - upgrade @@ -101,7 +101,7 @@ ansible.builtin.apt: name: "{{ apt_packages_prereqs | selectattr('supported_architectures', 'undefined') | map(attribute='name') | list + apt_packages_prereqs | selectattr('supported_architectures', 'defined') | selectattr('supported_architectures', 'contains', deb_architecture) | map(attribute='name') | list }}" state: present - become: yes + become: true tags: - apt - prereqs @@ -121,7 +121,7 @@ loop_control: label: "Adding repository: {{ item.name }}" when: item.supported_architectures is not defined or deb_architecture in item.supported_architectures - become: yes + become: true tags: - apt - repositories @@ -131,7 +131,7 @@ ansible.builtin.apt: name: "{{ apt_packages | selectattr('supported_architectures', 'undefined') | map(attribute='name') | list + apt_packages | selectattr('supported_architectures', 'defined') | selectattr('supported_architectures', 'contains', deb_architecture) | map(attribute='name') | list }}" state: present - become: yes + become: true tags: - apt - packages @@ -141,7 +141,7 @@ ansible.builtin.apt: name: flatpak state: present - become: yes + become: true when: (flatpak_packages | default([], true)) | length > 0 tags: - flatpak @@ -152,7 +152,7 @@ name: flathub flatpakrepo_url: https://dl.flathub.org/repo/flathub.flatpakrepo state: present - become: yes + become: true when: (flatpak_packages | default([], true)) | length > 0 tags: - flatpak @@ -163,7 +163,7 @@ name: "{{ item.name }}" state: present remote: flathub - become: yes + become: true loop: "{{ flatpak_packages | default([], true) }}" when: item.supported_architectures is not defined or deb_architecture in item.supported_architectures register: flatpak_install_result @@ -326,7 +326,7 @@ cmd: uv tool install {{ item }} when: uv_check.rc == 0 loop: "{{ uv_tools | default([], true) }}" - ignore_errors: yes + failed_when: false register: uv_tool_install_result changed_when: "'already installed' not in uv_tool_install_result.stderr" loop_control: @@ -447,7 +447,7 @@ cmd: cursor --install-extension {{ item }} environment: PATH: "{{ appimage_install_dir }}:{{ ansible_env.PATH }}" - ignore_errors: yes + failed_when: false loop: "{{ vscode_extensions | default([], true) }}" register: cursor_ext_result changed_when: "'already installed' not in cursor_ext_result.stdout" @@ -505,7 +505,7 @@ # Custom elevated commands - name: Execute custom elevated commands ansible.builtin.shell: "{{ item.command }}" - become: yes + become: true loop: "{{ custom_commands_elevated | default([], true) }}" loop_control: label: "Executing: {{ item.description }}" diff --git a/fedora/setup.yaml b/fedora/setup.yaml index fa20ee5..31aa8c4 100644 --- a/fedora/setup.yaml +++ b/fedora/setup.yaml @@ -5,7 +5,7 @@ - name: Setup development environment on Fedora hosts: localhost connection: local - gather_facts: yes + gather_facts: true # Define the become password at the play level so it's available to all tasks vars: ansible_become_pass: "{{ lookup('env', 'ANSIBLE_SUDO_PASS') }}" @@ -32,7 +32,7 @@ exit 0 fi register: wsl_check - ignore_errors: yes + failed_when: false changed_when: false tags: - system @@ -70,8 +70,8 @@ # dnf makecache - name: Update DNF cache ansible.builtin.dnf: - update_cache: yes - become: yes + update_cache: true + become: true tags: - dnf - update @@ -81,7 +81,7 @@ ansible.builtin.dnf: name: '*' state: latest - become: yes + become: true tags: - dnf - upgrade @@ -91,7 +91,7 @@ ansible.builtin.dnf: name: "{{ dnf_packages_prereqs | selectattr('supported_architectures', 'undefined') | map(attribute='name') | list + dnf_packages_prereqs | selectattr('supported_architectures', 'defined') | selectattr('supported_architectures', 'contains', rpm_architecture) | map(attribute='name') | list }}" state: present - become: yes + become: true tags: - dnf - prereqs @@ -111,7 +111,7 @@ loop_control: label: "Adding repository: {{ item.name }}" when: item.supported_architectures is not defined or rpm_architecture in item.supported_architectures - become: yes + become: true tags: - dnf - repositories @@ -121,7 +121,7 @@ ansible.builtin.dnf: name: "{{ dnf_packages | selectattr('supported_architectures', 'undefined') | map(attribute='name') | list + dnf_packages | selectattr('supported_architectures', 'defined') | selectattr('supported_architectures', 'contains', rpm_architecture) | map(attribute='name') | list }}" state: present - become: yes + become: true tags: - dnf - packages @@ -131,7 +131,7 @@ ansible.builtin.dnf: name: flatpak state: present - become: yes + become: true when: (flatpak_packages | default([], true)) | length > 0 tags: - flatpak @@ -142,7 +142,7 @@ name: flathub flatpakrepo_url: https://dl.flathub.org/repo/flathub.flatpakrepo state: present - become: yes + become: true when: (flatpak_packages | default([], true)) | length > 0 tags: - flatpak @@ -153,7 +153,7 @@ name: "{{ item.name }}" state: present remote: flathub - become: yes + become: true loop: "{{ flatpak_packages | default([], true) }}" when: item.supported_architectures is not defined or rpm_architecture in item.supported_architectures register: flatpak_install_result @@ -316,7 +316,7 @@ cmd: uv tool install {{ item }} when: uv_check.rc == 0 loop: "{{ uv_tools | default([], true) }}" - ignore_errors: yes + failed_when: false register: uv_tool_install_result changed_when: "'already installed' not in uv_tool_install_result.stderr" loop_control: @@ -437,7 +437,7 @@ cmd: cursor --install-extension {{ item }} environment: PATH: "{{ appimage_install_dir }}:{{ ansible_env.PATH }}" - ignore_errors: yes + failed_when: false loop: "{{ vscode_extensions | default([], true) }}" register: cursor_ext_result changed_when: "'already installed' not in cursor_ext_result.stdout" @@ -495,7 +495,7 @@ # Custom elevated commands - name: Execute custom elevated commands ansible.builtin.shell: "{{ item.command }}" - become: yes + become: true loop: "{{ custom_commands_elevated | default([], true) }}" loop_control: label: "Executing: {{ item.description }}" diff --git a/macOS/setup.yaml b/macOS/setup.yaml index 923d43b..8ef2833 100644 --- a/macOS/setup.yaml +++ b/macOS/setup.yaml @@ -5,7 +5,7 @@ - name: Setup development environment on macOS hosts: localhost connection: local - gather_facts: yes + gather_facts: true # Define the become password at the play level so it's available to all tasks vars: ansible_become_pass: "{{ lookup('env', 'ANSIBLE_SUDO_PASS') }}" @@ -30,7 +30,7 @@ ansible.builtin.command: cmd: pgrep -q oahd register: rosetta_check - ignore_errors: yes + failed_when: false changed_when: false when: - install_rosetta | bool @@ -42,8 +42,8 @@ - name: Install Rosetta 2 (with become_method=sudo) ansible.builtin.command: cmd: softwareupdate --install-rosetta --agree-to-license - become: yes - become_method: sudo + become: true + become_method: ansible.builtin.sudo when: - install_rosetta | bool - arch_check.stdout == "arm64" @@ -59,7 +59,7 @@ community.general.homebrew_tap: name: "{{ item }}" state: present - ignore_errors: yes + failed_when: false loop: "{{ homebrew_taps | default([], true) }}" loop_control: label: "Adding tap: {{ item }}" @@ -70,7 +70,6 @@ - name: Check if Homebrew casks are already installed ansible.builtin.command: cmd: "brew list --cask {{ item }}" - ignore_errors: yes loop: "{{ homebrew_casks | default([], true) }}" register: brew_cask_check changed_when: false @@ -82,7 +81,7 @@ - casks - name: Install missing Homebrew casks - ansible.builtin.shell: + ansible.builtin.command: cmd: "brew install --cask {{ item.0 }}" environment: SUDO_ASKPASS: "{{ lookup('env', 'SUDO_ASKPASS') }}" @@ -102,8 +101,8 @@ community.general.homebrew: name: "{{ item }}" state: present - update_homebrew: yes - ignore_errors: yes + update_homebrew: true + failed_when: false loop: "{{ homebrew_formulae | default([], true) }}" loop_control: label: "Installing formula: {{ item }}" @@ -119,7 +118,7 @@ - name: Ensure PowerShell modules are installed ansible.builtin.command: cmd: pwsh -Command "Install-PSResource -Name {{ item }} -TrustRepository" - ignore_errors: yes + failed_when: false loop: "{{ powershell_modules | default([], true) }}" register: pwsh_install_result changed_when: "'is already installed' not in pwsh_install_result.stdout" @@ -133,7 +132,7 @@ - name: Ensure pipx modules are installed ansible.builtin.command: cmd: pipx install {{ item }} - ignore_errors: yes + failed_when: false loop: "{{ pipx_packages | default([], true) }}" register: pipx_install_result changed_when: "'already installed' not in pipx_install_result.stdout" @@ -159,7 +158,7 @@ cmd: uv tool install {{ item }} when: uv_check.rc == 0 loop: "{{ uv_tools | default([], true) }}" - ignore_errors: yes + failed_when: false register: uv_tool_install_result changed_when: "'already installed' not in uv_tool_install_result.stderr" loop_control: @@ -185,7 +184,7 @@ - name: Ensure npm global packages are installed ansible.builtin.command: cmd: npm install -g {{ item.0 }} - ignore_errors: yes + failed_when: false loop: "{{ npm_global_packages | default([], true) | zip(npm_check_result.results) | list }}" when: "item.1.rc != 0" register: npm_install_result @@ -221,7 +220,6 @@ - name: Ensure .NET global tools are installed ansible.builtin.command: cmd: dotnet tool install -g {{ item }} - ignore_errors: yes loop: "{{ dotnet_tools | default([], true) }}" register: dotnet_tool_install_result changed_when: "'already installed' not in dotnet_tool_install_result.stderr and dotnet_tool_install_result.rc == 0" @@ -239,7 +237,7 @@ - name: Ensure VS Code extensions are installed ansible.builtin.command: cmd: code --install-extension {{ item }} - ignore_errors: yes + failed_when: false loop: "{{ vscode_extensions | default([], true) }}" register: vscode_ext_result changed_when: "'already installed' not in vscode_ext_result.stdout" @@ -263,7 +261,7 @@ - name: Ensure Cursor extensions are installed ansible.builtin.command: cmd: cursor --install-extension {{ item }} - ignore_errors: yes + failed_when: false loop: "{{ vscode_extensions | default([], true) }}" register: cursor_ext_result changed_when: "'already installed' not in cursor_ext_result.stdout" @@ -313,7 +311,7 @@ loop: "{{ custom_commands_user | default([], true) }}" register: custom_command_user_result changed_when: custom_command_user_result.rc == 0 - ignore_errors: yes + failed_when: false loop_control: label: "Executing user command: '{{ item | truncate(40) }}'" tags: @@ -329,9 +327,9 @@ loop: "{{ custom_commands_elevated | default([], true) }}" register: custom_command_elevated_result changed_when: custom_command_elevated_result.rc == 0 - ignore_errors: yes - become: yes - become_method: sudo + failed_when: false + become: true + become_method: ansible.builtin.sudo loop_control: label: "Executing elevated command: '{{ item | truncate(40) }}'" tags: diff --git a/ubuntu/setup.yaml b/ubuntu/setup.yaml index 1e23e72..6b6063a 100644 --- a/ubuntu/setup.yaml +++ b/ubuntu/setup.yaml @@ -5,7 +5,7 @@ - name: Setup development environment on Ubuntu hosts: localhost connection: local - gather_facts: yes + gather_facts: true # Define the become password at the play level so it's available to all tasks vars: ansible_become_pass: "{{ lookup('env', 'ANSIBLE_SUDO_PASS') }}" @@ -32,7 +32,7 @@ exit 0 fi register: wsl_check - ignore_errors: yes + failed_when: false changed_when: false tags: - system @@ -80,9 +80,9 @@ # apt update - name: Update APT cache ansible.builtin.apt: - update_cache: yes + update_cache: true cache_valid_time: 3600 - become: yes + become: true tags: - apt - update @@ -90,8 +90,8 @@ # apt upgrade - name: Upgrade all packages ansible.builtin.apt: - upgrade: yes - become: yes + upgrade: true + become: true tags: - apt - upgrade @@ -101,7 +101,7 @@ ansible.builtin.apt: name: "{{ apt_packages_prereqs | selectattr('supported_architectures', 'undefined') | map(attribute='name') | list + apt_packages_prereqs | selectattr('supported_architectures', 'defined') | selectattr('supported_architectures', 'contains', deb_architecture) | map(attribute='name') | list }}" state: present - become: yes + become: true tags: - apt - prereqs @@ -121,7 +121,7 @@ loop_control: label: "Adding repository: {{ item.name }}" when: item.supported_architectures is not defined or deb_architecture in item.supported_architectures - become: yes + become: true tags: - apt - repositories @@ -131,7 +131,7 @@ ansible.builtin.apt: name: "{{ apt_packages | selectattr('supported_architectures', 'undefined') | map(attribute='name') | list + apt_packages | selectattr('supported_architectures', 'defined') | selectattr('supported_architectures', 'contains', deb_architecture) | map(attribute='name') | list }}" state: present - become: yes + become: true tags: - apt - packages @@ -140,7 +140,7 @@ - name: Install Snap packages (classic) ansible.builtin.command: cmd: snap install {{ item.name }} --classic - become: yes + become: true loop: "{{ (snap_packages | default([], true)) | selectattr('classic', 'defined') | selectattr('classic') | list }}" when: item.supported_architectures is not defined or deb_architecture in item.supported_architectures register: snap_classic_result @@ -156,7 +156,7 @@ - name: Install Snap packages (regular) ansible.builtin.command: cmd: snap install {{ item.name }} - become: yes + become: true loop: "{{ (snap_packages | default([], true)) | rejectattr('classic', 'defined') | list + (snap_packages | default([], true)) | selectattr('classic', 'defined') | rejectattr('classic') | list }}" when: item.supported_architectures is not defined or deb_architecture in item.supported_architectures register: snap_regular_result @@ -320,7 +320,7 @@ cmd: uv tool install {{ item }} when: uv_check.rc == 0 loop: "{{ uv_tools | default([], true) }}" - ignore_errors: yes + failed_when: false register: uv_tool_install_result changed_when: "'already installed' not in uv_tool_install_result.stderr" loop_control: @@ -441,7 +441,7 @@ cmd: cursor --install-extension {{ item }} environment: PATH: "{{ appimage_install_dir }}:{{ ansible_env.PATH }}" - ignore_errors: yes + failed_when: false loop: "{{ vscode_extensions | default([], true) }}" register: cursor_ext_result changed_when: "'already installed' not in cursor_ext_result.stdout" @@ -499,7 +499,7 @@ # Custom elevated commands - name: Execute custom elevated commands ansible.builtin.shell: "{{ item.command }}" - become: yes + become: true loop: "{{ custom_commands_elevated | default([], true) }}" loop_control: label: "Executing: {{ item.description }}" From 0bfaf65be5c66d95bee37361a0337e24cbaf93d9 Mon Sep 17 00:00:00 2001 From: Ryan Spletzer Date: Sun, 1 Mar 2026 18:16:23 -0500 Subject: [PATCH 2/2] fix: Suppress risky-shell-pipe on WSL check tasks The WSL check uses `uname -r | grep` intentionally with non-zero exit codes as data (0=not WSL, 1=WSL1, 2=WSL2). Adding pipefail would break this logic. The previous `ignore_errors: yes` implicitly suppressed this rule; `failed_when: false` does not, so an explicit noqa is needed. Co-Authored-By: Claude Opus 4.6 --- debian/setup.yaml | 2 +- fedora/setup.yaml | 2 +- ubuntu/setup.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/debian/setup.yaml b/debian/setup.yaml index d474228..721f54f 100644 --- a/debian/setup.yaml +++ b/debian/setup.yaml @@ -16,7 +16,7 @@ tasks: # System setup - - name: Check WSL version (0=not WSL, 1=WSL1, 2=WSL2) + - name: Check WSL version (0=not WSL, 1=WSL1, 2=WSL2) # noqa: risky-shell-pipe ansible.builtin.shell: | if ! grep -q -i microsoft /proc/version && ! uname -r | grep -q microsoft; then exit 0 diff --git a/fedora/setup.yaml b/fedora/setup.yaml index 31aa8c4..2ddfa7a 100644 --- a/fedora/setup.yaml +++ b/fedora/setup.yaml @@ -16,7 +16,7 @@ tasks: # System setup - - name: Check WSL version (0=not WSL, 1=WSL1, 2=WSL2) + - name: Check WSL version (0=not WSL, 1=WSL1, 2=WSL2) # noqa: risky-shell-pipe ansible.builtin.shell: | if ! grep -q -i microsoft /proc/version && ! uname -r | grep -q microsoft; then exit 0 diff --git a/ubuntu/setup.yaml b/ubuntu/setup.yaml index 6b6063a..503d325 100644 --- a/ubuntu/setup.yaml +++ b/ubuntu/setup.yaml @@ -16,7 +16,7 @@ tasks: # System setup - - name: Check WSL version (0=not WSL, 1=WSL1, 2=WSL2) + - name: Check WSL version (0=not WSL, 1=WSL1, 2=WSL2) # noqa: risky-shell-pipe ansible.builtin.shell: | if ! grep -q -i microsoft /proc/version && ! uname -r | grep -q microsoft; then exit 0