diff --git a/.gitea/workflows/pr-check-yaml b/.gitea/workflows/pr-check-yaml
deleted file mode 100644
index 2d89269..0000000
--- a/.gitea/workflows/pr-check-yaml
+++ /dev/null
@@ -1,164 +0,0 @@
----
-# https://github.com/kekxv/pr-check
-name: PR check
-
-on:
- pull_request:
- types: [opened, synchronize]
-
-jobs:
- leak_test:
- name: Gitleaks
- runs-on: ubuntu-latest
-
- steps:
- - name: Checkout code
- uses: actions/checkout@v6
- with:
- github-server-url: ${{ vars.GIT_SERVER_URL }}
-
- - name: Install Gitleaks
- run: |
- curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz \
- | tar -xz
- sudo mv gitleaks /usr/local/bin/
-
- - name: Run Gitleaks
- run: |
- gitleaks dir . \
- --redact=10 \
- --verbose \
- --exit-code 1
-
- lint_test:
- name: lint tests
- runs-on: ubuntu-latest
-
- steps:
- - name: Checkout code
- uses: actions/checkout@v6
- with:
- github-server-url: ${{ vars.GIT_SERVER_URL }}
-
- name: Install Node.js
- uses: actions/setup-node@v4
- with:
- node-version: 20
-
- name: Run markdownlint
- run: npx markdownlint-cli2 "**/*.md" "#node_modules"
-
- name: Set up Python
- uses: actions/setup-python@v5
- with:
- python-version: "3.14"
-
- name: Install ansible-lint and yamllint
- run: |
- python -m pip install --upgrade pip
- pip install ansible ansible-lint yamllint
-
- name: Run yamllint
- run: |
- yamllint .
-
- - name: Run ansible-lint
- run: |
- ansible-lint
-
-handle_failures:
- runs-on: ubuntu-latest
- needs: [leak_test, lint_test]
- if: needs.leak_test.result != 'success' || needs.lint_test.result != 'success'
-
- steps:
- - name: Comment, label, and close PR
- run: |
- API="${{ vars.GIT_SERVER_URL }}/api/v1/repos/${{ github.repository }}"
- PR="${{ github.event.pull_request.number }}"
- TOKEN="${{ secrets.GITEA_TOKEN }}"
-
- COMMENT_BODY="❌ CI checks failed.\n\nLeak test: ${{ needs.leak_test.result }}\nLint: ${{ needs.lint_test.result }}"
-
- # Find existing comment
- EXISTING_COMMENT_ID=$(curl -s -H "Authorization: token $TOKEN" \
- "$API/issues/$PR/comments" \
- | jq -r '.[] | select(.body | test("")) | .id')
-
- # Update or create comment
- if [ -n "$EXISTING_COMMENT_ID" ]; then
- curl -s -X PATCH \
- -H "Authorization: token $TOKEN" \
- -H "Content-Type: application/json" \
- -d "{\"body\":\"\n$COMMENT_BODY\"}" \
- "$API/issues/$PR/comments/$EXISTING_COMMENT_ID"
- else
- curl -s -X POST \
- -H "Authorization: token $TOKEN" \
- -H "Content-Type: application/json" \
- -d "{\"body\":\"\n$COMMENT_BODY\"}" \
- "$API/issues/$PR/comments"
- fi
-
- # Add label if missing
- LABELS=$(curl -s -H "Authorization: token $TOKEN" "$API/issues/$PR/labels" | jq -r '.[] | .name')
- if ! echo "$LABELS" | grep -q "^ci-failed$"; then
- curl -s -X POST \
- -H "Authorization: token $TOKEN" \
- -H "Content-Type: application/json" \
- -d '["ci-failed"]' \
- "$API/issues/$PR/labels"
- fi
-
- # Close PR
- curl -s -X PATCH \
- -H "Authorization: token $TOKEN" \
- -H "Content-Type: application/json" \
- -d '{"state":"closed"}' \
- "$API/pulls/$PR"
-
-handle_success:
- runs-on: ubuntu-latest
- needs: [leak_test, lint_test]
- if: needs.leak_test.result == 'success' && needs.lint_test.result == 'success'
-
- steps:
- - name: Update comment, remove label, reopen PR
- run: |
- API="${{ vars.GIT_SERVER_URL }}/api/v1/repos/${{ github.repository }}"
- PR="${{ github.event.pull_request.number }}"
- TOKEN="${{ secrets.GITEA_TOKEN }}"
-
- COMMENT_BODY="✅ All CI checks passed.\n\nLeak test: ${{ needs.leak_test.result }}\nLint: ${{ needs.lint_test.result }}"
-
- # Find existing comment
- EXISTING_COMMENT_ID=$(curl -s -H "Authorization: token $TOKEN" \
- "$API/issues/$PR/comments" \
- | jq -r '.[] | select(.body | test("")) | .id')
-
- # Update comment if exists
- if [ -n "$EXISTING_COMMENT_ID" ]; then
- curl -s -X PATCH \
- -H "Authorization: token $TOKEN" \
- -H "Content-Type: application/json" \
- -d "{\"body\":\"\n$COMMENT_BODY\"}" \
- "$API/issues/$PR/comments/$EXISTING_COMMENT_ID"
- fi
-
- # Remove label if exists
- LABELS=$(curl -s -H "Authorization: token $TOKEN" "$API/issues/$PR/labels" | jq -r '.[] | .name')
- if echo "$LABELS" | grep -q "^ci-failed$"; then
- curl -s -X DELETE \
- -H "Authorization: token $TOKEN" \
- "$API/issues/$PR/labels/ci-failed"
- fi
-
- # Reopen PR if closed
- PR_STATE=$(curl -s -H "Authorization: token $TOKEN" "$API/pulls/$PR" | jq -r '.state')
- if [ "$PR_STATE" = "closed" ]; then
- curl -s -X PATCH \
- -H "Authorization: token $TOKEN" \
- -H "Content-Type: application/json" \
- -d '{"state":"open"}' \
- "$API/pulls/$PR"
- fi
diff --git a/.gitea/workflows/pr-check.yaml b/.gitea/workflows/pr-check.yaml
new file mode 100644
index 0000000..3e2e308
--- /dev/null
+++ b/.gitea/workflows/pr-check.yaml
@@ -0,0 +1,168 @@
+---
+# https://github.com/kekxv/pr-check
+name: PR check
+
+on:
+ pull_request:
+ types: [opened, synchronize]
+
+jobs:
+ leak_test:
+ name: Gitleaks
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6
+ with:
+ github-server-url: ${{ vars.GIT_SERVER_URL }}
+
+ - name: Install Gitleaks
+ run: |
+ curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz \
+ | tar -xz
+ sudo mv gitleaks /usr/local/bin/
+
+ - name: Run Gitleaks
+ run: |
+ gitleaks dir . \
+ --config .gitleaks.toml \
+ --redact=50 \
+ --verbose \
+ --exit-code 1
+ # --exclude-files "README.md"
+
+ lint_test:
+ name: lint tests
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6
+ with:
+ github-server-url: ${{ vars.GIT_SERVER_URL }}
+
+ - name: Install Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: 20
+
+ - name: Run markdownlint
+ run: npx markdownlint-cli2 "**/*.md" "#node_modules"
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.14"
+
+ - name: Install ansible-lint and yamllint
+ run: |
+ python -m pip install --upgrade pip
+ pip install ansible ansible-lint yamllint
+
+ - name: Run yamllint
+ run: |
+ yamllint .
+
+ - name: Run ansible-lint
+ run: |
+ ansible-lint
+
+ handle_failures:
+ runs-on: ubuntu-latest
+ needs: [leak_test, lint_test]
+ if: "${{ always() && (
+ needs.leak_test.result != 'success' ||
+ needs.lint_test.result != 'success' ) }}"
+
+ steps:
+ - name: Comment, label, and close PR
+ run: |
+ API="${{ vars.GIT_SERVER_URL }}/api/v1/repos/${{ github.repository }}"
+ PR="${{ github.event.pull_request.number }}"
+ TOKEN="${{ secrets.GITEA_TOKEN }}"
+
+ COMMENT_BODY="❌ CI checks failed.\n\nLeak: ${{ needs.leak_test.result }}\nLint: ${{ needs.lint_test.result }}"
+
+ # Find existing comment
+ EXISTING_COMMENT_ID=$(curl -s -H "Authorization: token $TOKEN" \
+ "$API/issues/$PR/comments" \
+ | jq -r '.[] | select(.body | test("")) | .id')
+
+ # Update or create comment
+ if [ -n "$EXISTING_COMMENT_ID" ]; then
+ curl -s -X PATCH \
+ -H "Authorization: token $TOKEN" \
+ -H "Content-Type: application/json" \
+ -d "{\"body\":\"\n$COMMENT_BODY\"}" \
+ "$API/issues/$PR/comments/$EXISTING_COMMENT_ID"
+ else
+ curl -s -X POST \
+ -H "Authorization: token $TOKEN" \
+ -H "Content-Type: application/json" \
+ -d "{\"body\":\"\n$COMMENT_BODY\"}" \
+ "$API/issues/$PR/comments"
+ fi
+
+ # Add label if missing
+ LABELS=$(curl -s -H "Authorization: token $TOKEN" "$API/issues/$PR/labels" | jq -r '.[] | .name')
+ if ! echo "$LABELS" | grep -q "^ci-failed$"; then
+ curl -s -X POST \
+ -H "Authorization: token $TOKEN" \
+ -H "Content-Type: application/json" \
+ -d '["ci-failed"]' \
+ "$API/issues/$PR/labels"
+ fi
+
+ # Close PR
+ curl -s -X PATCH \
+ -H "Authorization: token $TOKEN" \
+ -H "Content-Type: application/json" \
+ -d '{"state":"closed"}' \
+ "$API/pulls/$PR"
+
+ handle_success:
+ runs-on: ubuntu-latest
+ needs: [leak_test, lint_test]
+ if: needs.leak_test.result == 'success' && needs.lint_test.result == 'success'
+
+ steps:
+ - name: Update comment, remove label, reopen PR
+ run: |
+ API="${{ vars.GIT_SERVER_URL }}/api/v1/repos/${{ github.repository }}"
+ PR="${{ github.event.pull_request.number }}"
+ TOKEN="${{ secrets.GITEA_TOKEN }}"
+
+ COMMENT_BODY="✅ CI checks pass.\n\nLeaks: ${{ needs.leak_test.result }}\nLint: ${{ needs.lint_test.result }}"
+
+ # Find existing comment
+ EXISTING_COMMENT_ID=$(curl -s -H "Authorization: token $TOKEN" \
+ "$API/issues/$PR/comments" \
+ | jq -r '.[] | select(.body | test("")) | .id')
+
+ # Update comment if exists
+ if [ -n "$EXISTING_COMMENT_ID" ]; then
+ curl -s -X PATCH \
+ -H "Authorization: token $TOKEN" \
+ -H "Content-Type: application/json" \
+ -d "{\"body\":\"\n$COMMENT_BODY\"}" \
+ "$API/issues/$PR/comments/$EXISTING_COMMENT_ID"
+ fi
+
+ # Remove label if exists
+ LABELS=$(curl -s -H "Authorization: token $TOKEN" "$API/issues/$PR/labels" | jq -r '.[] | .name')
+ if echo "$LABELS" | grep -q "^ci-failed$"; then
+ curl -s -X DELETE \
+ -H "Authorization: token $TOKEN" \
+ "$API/issues/$PR/labels/ci-failed"
+ fi
+
+ # Reopen PR if closed
+ PR_STATE=$(curl -s -H "Authorization: token $TOKEN" "$API/pulls/$PR" | jq -r '.state')
+ if [ "$PR_STATE" = "closed" ]; then
+ curl -s -X PATCH \
+ -H "Authorization: token $TOKEN" \
+ -H "Content-Type: application/json" \
+ -d '{"state":"open"}' \
+ "$API/pulls/$PR"
+ fi
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..e9506ee
--- /dev/null
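Review bot: The comment lookup `| jq -r '.[] | select(.body | test("")) | .id')` in the handle_failures step selects every comment on the PR, because an empty regex matches any body, so once a second comment exists `EXISTING_COMMENT_ID` holds several newline-separated ids and the PATCH URL `$API/issues/$PR/comments/$EXISTING_COMMENT_ID` is malformed (with exactly one human comment, that comment is silently overwritten); the same selector is repeated in handle_success. Match the bot's own marker and take a single id instead, e.g. `| jq -r '[.[] | select(.body | test("CI checks (failed|pass)")) | .id][0] // empty')`. Every `curl -s` call in both steps also lacks `--fail`, so an HTTP 401/403 from an expired or under-scoped `GITEA_TOKEN` prints an error body with exit status 0 and the step still reports success; `curl -sSf` would make the failure visible. The Install Gitleaks step unpacks the release tarball without checking it against the checksums published with that release, so pinning v8.30.0 alone does not protect the runner from a tampered or truncated download.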
+++ b/.gitleaks.toml
@@ -0,0 +1,47 @@
+title = "Gitleaks Config"
+
+# ==========================
+# Allowlist / False Positive Rules
+# ==========================
+# [[allowlist]]
+# description = "Ignore placeholder secrets in README.md"
+# filepath = "README.md"
+# # Add all placeholder-like patterns that trigger false positives
+# regex = "cafebabe|deadbeef|DB_PASSWORD"
+
+# [[allowlist]]
+# description = "Ignore badge URLs in README"
+# filepath = "README.md"
+# regex = "https://img.shields.io"
+
+# ==========================
+# Rules
+# ==========================
+# [[rules]]
+# id = "generic-api-key"
+# description = "Generic API Key"
+# regex = "(?i)(api[_-]?key|secret|token)=\\S+"
+# entropy = 3.5
+
+# [[rules]]
+# id = "sidekiq-secret"
+# description = "Sidekiq Secret"
+# regex = "export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=\\S+"
+# entropy = 2.5
+
+# ==========================
+# File-specific entropy overrides
+# ==========================
+[[rules]]
+id = "generic-api-key-docs"
+description = "Ignore placeholder secrets in README.md"
+regex = "(?i)(api[_-]?key|secret|token)=\\S+"
+filepath = "README.md"
+entropy = 5.0 # high threshold, placeholders won't trigger
+
+[[rules]]
+id = "sidekiq-secret"
+description = "Sidekiq Secret in README.md"
+regex = "export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=\\S+"
+filepath = "README.md"
+entropy = 5.0
diff --git a/README.md b/README.md
index 2bfd15b..0e32586 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# ansible_role_proxmox_provision
+# README ansible_role_proxmox_provision
 > A reusable Ansible role template for for Proxmox VE
 > with a focus on provisioning and managing.
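Review bot: `.gitleaks.toml` has no `[extend]` section with `useDefault = true`, so now that the workflow passes `--config .gitleaks.toml` the two `[[rules]]` at the bottom are the entire ruleset: the built-in detectors for cloud keys, tokens, private keys and the like no longer run, and the scan only reports `api_key=`/`secret=`/`token=` and the Sidekiq pattern at entropy 5.0 or above, which is weaker than the previous default scan. The README placeholders are better expressed as an allowlist layered on the default rules, as sketched below; once defaults are extended, note that a rule with `id = "sidekiq-secret"` replaces the built-in rule of the same id. As far as I know `filepath` is not a rule key in the Gitleaks config schema (the per-rule file restriction is `path`), so it is presumably ignored and the `entropy = 5.0` threshold applies repository-wide rather than to README.md only — worth confirming with `gitleaks dir . --config .gitleaks.toml --verbose` on a fixture containing a known placeholder. The commented-out `[[allowlist]]` blocks would likewise need to become a single `[allowlist]` table if they are ever revived.
```toml
[extend]
useDefault = true

# Placeholder values the README intentionally contains; keep this list to literal placeholders.
[allowlist]
description = "Placeholder secrets and badge URLs in README.md"
regexTarget = "line"
regexes = ['''cafebabe|deadbeef|DB_PASSWORD''', '''https://img\.shields\.io''']

# … unchanged: README-specific [[rules]] overrides, if still wanted …
```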
@@ -7,7 +7,7 @@
 [![Ansible Version](https://img.shields.io/badge/Ansible-2.12+-blue)](https://www.ansible.com/)
 [![Proxmox](https://img.shields.io/badge/Proxmox-9-orange?logo=proxmox&logoColor=white)](https://www.proxmox.com/)
-## 📌 Key Features
+## 📌 Features
 ✅ **Proxmox VE Optimized** - Specifically designed for Proxmox Virtual Environment
 ⬜ **Idempotent** - Safe to run multiple times
@@ -18,7 +18,7 @@
 ## 📊 Compatibility Matrix
-| Feature | VE 7 | VE 8 | VE 9 |
+| Feature \ Proxmox Version| 7 | 8 | 9 |
 | ------------------------ | ---- | ---- | ---- |
 | No-subscription repo | ✅ | ✅ | ✅ |
 | Enterprise repo disabled | ✅ | ✅ | ✅ |
@@ -26,7 +26,7 @@
 | Swap handling | ✅ | ✅ | ✅ |
 | Logrotate protection | ✅ | ✅ | ✅ |
 | Powertop auto-tune | ✅ | ✅ | ✅ |
-| API utilities | ✅ | ✅ | ✅ |
+| Utilities | ✅ | ✅ | ✅ |
 ## 📂 Directory Structure
@@ -46,7 +46,7 @@ ansible_role_proxmox_provision/
 │ ├── repos.yml # Repository setup
 │ ├── subscription.yml # Subscription nag removal
 │ ├── swap.yml # Swap setup
-│ └── utilities.yml # API utilities installation
+│ └── utilities.yml # Utilities installation
 ├── templates/ # Jinja2 templates
 └── vars/ # Non-overridable variables
 └── main.yml