Merge branch 'master' into os_immutable_fs

Author: millerthegorilla

.aar_doc.yml

@@ -0,0 +1,51 @@
+output_template: |
+  <!-- BEGIN_ANSIBLE_DOCS -->
+
+  ## Supported Operating Systems
+
+  {%- for platform in metadata.galaxy_info.platforms %}
+  - {{ platform.name }}
+    {%- if "versions" in platform %}
+    - {{ platform.versions | default([]) | join(', ') }}
+    {%- endif %}
+  {%- endfor %}
+
+  ## Role Variables
+  {% for entrypoint in argument_specs.keys() %}
+  {%- set path, options=entrypoint_options[entrypoint][0] -%}
+  {%- for name, details in options.items() |sort() %}
+  - `{{ name }}`
+    - Default: `{{ details.display_default }}`
+    - Description: {{ details.display_description }}
+    - Type: {{ details.display_type }}
+    - Required: {{ details.display_required }}
+    {%- if details.choices %}
+    - Choices:
+      {%- for choice in details.choices %}
+      - {{ choice }}
+      {%- endfor %}
+    {%- endif %}
+  {%- endfor %}
+  {%- endfor %}
+
+  ## Dependencies
+
+  {%- if ("dependencies" in metadata) and (metadata.dependencies | length > 0) %}
+  {%- for dependency in metadata.dependencies %}
+  - {{ dependency }}
+  {%- endfor %}
+  {%- else %}
+
+  None.
+  {%- endif %}
+
+  ## Example Playbook
+
+  ```
+  - hosts: all
+    become: true
+    roles:
+      - name: {{ role }}
+  ```
+
+  <!-- END_ANSIBLE_DOCS -->

.config/ansible-lint.yml

@@ -5,10 +5,17 @@
 # option will be parsed relative to the CWD of execution.
 exclude_paths:
   - .cache/ # implicit unless exclude_paths is defined in config
-  - .yamllint
-  - ../molecule/
-  - ../.github/
+  - .ansible/ # somehow someone decided that the cache directory should be renamed
+  # add all waivers individually, since exclude_files does not support globs
+  - molecule/os_hardening/waivers.yaml
+  - molecule/ssh_hardening_bsd/waivers_freebsd13.yaml
+  - molecule/ssh_hardening_bsd/waivers_freebsd14.yaml
+  - molecule/ssh_hardening_bsd/waivers_openbsd7.yaml
 
 mock_roles:
   - geerlingguy.git
   - nginxinc.nginx
+
+skip_list:
+  - var-naming[no-role-prefix]
+  - meta-runtime[unsupported-version]

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -31,7 +31,7 @@ body:
     attributes:
       label: "Reproduction steps"
       render: Shell
-      description: Paste an example playbook that can be used to reproduce the problem. This will be automatically formatted into code, so no need for backticks.
+      description: Paste an example playbook that can be used to reproduce the problem. This will be automatically formatted into code, no need for backticks.
       value: |
         ...
     validations:

.github/labeler.yml

@@ -1,22 +1,30 @@
 ---
 mysql_hardening:
-  - 'roles/mysql_hardening/**'
-  - 'molecule/mysql_hardening/**'
-  - '.github/workflows/mysql_hardening.yml'
+  - changed-files:
+      - any-glob-to-any-file:
+          - roles/mysql_hardening/**
+          - molecule/mysql_hardening/**
+          - .github/workflows/mysql_hardening.yml
 
 os_hardening:
-  - 'roles/os_hardening/**'
-  - 'molecule/os_hardening/**'
-  - '.github/workflows/os_hardening.yml'
+  - changed-files:
+      - any-glob-to-any-file:
+          - roles/os_hardening/**
+          - molecule/os_hardening/**
+          - .github/workflows/os_hardening.yml
 
 ssh_hardening:
-  - 'roles/ssh_hardening/**'
-  - 'molecule/ssh_hardening/**'
-  - 'molecule/ssh_hardening_custom_tests/**'
-  - '.github/workflows/ssh_hardening.yml'
-  - '.github/workflows/ssh_hardening_custom_tests.yml'
+  - changed-files:
+      - any-glob-to-any-file:
+          - roles/ssh_hardening/**
+          - molecule/ssh_hardening/**
+          - molecule/ssh_hardening_custom_tests/**
+          - .github/workflows/ssh_hardening.yml
+          - .github/workflows/ssh_hardening_custom_tests.yml
 
 nginx_hardening:
-  - 'roles/nginx_hardening/**'
-  - 'molecule/nginx_hardening/**'
-  - '.github/workflows/nginx_hardening.yml'
+  - changed-files:
+      - any-glob-to-any-file:
+          - roles/nginx_hardening/**
+          - molecule/nginx_hardening/**
+          - .github/workflows/nginx_hardening.yml

.github/version-drafter.yml

@@ -0,0 +1,3 @@
+major-labels: ['major']
+minor-labels: ['minor', 'enhancement']
+patch-labels: ['patch', 'bug']

.github/workflows/ansible-lint.yml

@@ -7,22 +7,26 @@ on:  # yamllint disable-line rule:truthy
     branches: [master]
     paths:
       - 'roles/**'
+      - 'molecule/**'
+      - 'requirements.txt'
+      - '.github/workflows/ansible-lint.yml'
+      - '.config/ansible-lint.yml'
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [master]
     paths:
       - 'roles/**'
+      - 'molecule/**'
+      - 'requirements.txt'
+      - '.github/workflows/ansible-lint.yml'
+      - '.config/ansible-lint.yml'
 
 jobs:
   ansible-lint:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
 
     steps:
-      # Important: This sets up your GITHUB_WORKSPACE environment variable
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Lint Ansible Playbook
-        # replace "master" with any valid ref
-        uses: ansible/ansible-lint-action@main
-        with:
-          path: "roles/"
+        uses: ansible/ansible-lint@49ded6a7e4f3acf6b1eb4b3aa2796d84b5faa63a # v25

.github/workflows/codespell.yml

@@ -11,4 +11,4 @@ jobs:
   codespell:
     uses: "dev-sec/.github/.github/workflows/codespell.yml@main"
     with:
-      ignore_words_list: "chage"
+      ignore_words_list: "chage,BOOTUP"

.github/workflows/enforce-labels.yml

@@ -4,11 +4,16 @@ name: "Enforce PR labels"
 on:  # yamllint disable-line rule:truthy
   pull_request_target:
     types: [labeled, unlabeled, opened, edited, synchronize]
+
+permissions:
+  contents: read # to read configuration file
+  pull-requests: write # to label PRs
+
 jobs:
   enforce-label:
     if: github.repository == 'dev-sec/ansible-collection-hardening'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
-      - uses: actions/labeler@main
+      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/galaxy.yml .github/workflows/galaxy-publish.yml.github/workflows/galaxy.yml renamed to .github/workflows/galaxy-publish.yml

@@ -4,37 +4,37 @@ name: Publish collection to Ansible Galaxy
 on:  # yamllint disable-line rule:truthy
   release:
     types:
-      - published
+      - released
 
 jobs:
   deploy:
     if: github.repository == 'dev-sec/ansible-collection-hardening'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       # deploy the collection first, because if it fails, we don't want
       # to update the galaxy.yml
       - name: Deploy the collection
-        uses: artis3n/ansible_galaxy_collection@v2
+        uses: artis3n/ansible_galaxy_collection@f6110aef877db4caaa7e9a192975fb006dea61fe # v2
         with:
           api_key: ${{ secrets.GALAXY_API_KEY }}
           galaxy_version: ${{ github.event.release.tag_name }}
 
       # checkout master instead of the release-tag so we can push the galaxy.yml
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           ref: master
 
       - name: update galaxy.yml with new version
-        uses: microsoft/variable-substitution@v1
+        uses: microsoft/variable-substitution@6287962da9e5b6e68778dc51e840caa03ca84495 # v1
         with:
           files: 'galaxy.yml'
         env:
           version: "${{ github.event.release.tag_name }}"
 
       - name: push galaxy.yml
-        uses: github-actions-x/[email protected]
+        uses: github-actions-x/commit@722d56b8968bf00ced78407bbe2ead81062d8baa # v2.9
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           push-branch: 'master'

.github/workflows/mysql_hardening.yml

@@ -9,12 +9,14 @@ on:  # yamllint disable-line rule:truthy
       - 'roles/mysql_hardening/**'
       - 'molecule/mysql_hardening/**'
       - '.github/workflows/mysql_hardening.yml'
+      - 'requirements.txt'
   pull_request:
     branches: [master]
     paths:
       - 'roles/mysql_hardening/**'
       - 'molecule/mysql_hardening/**'
       - '.github/workflows/mysql_hardening.yml'
+      - 'requirements.txt'
   schedule:
     - cron: '0 6 * * 0'
 
@@ -27,46 +29,47 @@ concurrency:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     env:
       PY_COLORS: 1
       ANSIBLE_FORCE_COLOR: 1
     strategy:
       fail-fast: false
       matrix:
         molecule_distro:
-          - centos7
-          - centosstream8
           - centosstream9
           - rocky8
           - rocky9
-          - ubuntu1804
           - ubuntu2004
           - ubuntu2204
-          - debian10
+          - ubuntu2404
           - debian11
+          - debian12
           # - amazon  # geerlingguy.mysql does not support fedora
           # - arch  # geerlingguy.mysql does not support arch
           - opensuse_tumbleweed
           # - fedora  # geerlingguy.mysql does not support fedora
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           path: ansible_collections/devsec/hardening
           submodules: true
 
-      - name: Set up Python 3.11
-        uses: actions/setup-python@v4
+      - name: Set up Python
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
         with:
-          python-version: 3.11
+          python-version: 3.12
+          cache: 'pip'
 
       - name: Install dependencies
-        run: |
-          sudo apt install git
-          python -m pip install --no-cache-dir --upgrade pip
-          pip install -r requirements.txt
+        run: pip install -r requirements.txt
+        working-directory: ansible_collections/devsec/hardening
+
+      - name: Downgrade Ansible for Rocky 8 tests
+        run: pip install "ansible-core<2.17"
         working-directory: ansible_collections/devsec/hardening
+        if: matrix.molecule_distro == 'rocky8'
 
       # that was a hard one to fix. robert did it thankfully
       # https://github.com/robertdebock/ansible-role-mysql/commit/7562e99099b06282391ab7ed102b393a0406d212
@@ -78,10 +81,19 @@ jobs:
             sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld
         if: ${{ startsWith(matrix.molecule_distro, 'Debian') }}
 
-      - name: Test with molecule
+      # Molecule has problems detecting the proper location for installing roles
+      # https://github.com/ansible/molecule/issues/3806
+      # we do not set a custom role path, but the automatically determined install path used is not compatible with the location molecule expects the role
+      # see CI logs of this action "INFO     Set ANSIBLE_ROLES_PATH" should not be present, since we do not set a custom path
+      # we have to find a proper way to configure this
+      - name: Temporary fix for roles
         run: |
-          molecule --version
-          molecule test -s mysql_hardening
+          mkdir -p /home/runner/.ansible
+          ln -s /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/roles \
+            /home/runner/.ansible/roles
+
+      - name: Test with molecule
+        run: molecule test -s mysql_hardening
         env:
           MOLECULE_DISTRO: ${{ matrix.molecule_distro }}
         working-directory: ansible_collections/devsec/hardening