Skip to content

ci: Use generalized action to test against different distributions #239

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
richm merged 5 commits into from
May 29, 2026
Merged

ci: Use generalized action to test against different distributions #239

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
5188e52
tests: Filter out backspace characters from manual pages in alpine
Jakuje May 15, 2026
425f312
ci: Use generalized action to test against different distributions
Jakuje May 15, 2026
f045592
Add new configuration options from Fedora
Jakuje May 15, 2026
41b1626
Add support for alpine
Jakuje May 15, 2026
b6e1feb
Update Ubuntu 26.04 defaults
Jakuje May 15, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions .dev-tools/options_body
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,7 @@ ProxyUseFdpass
PubkeyAcceptedKeyTypes
PubkeyAcceptedAlgorithms
PubkeyAuthentication
RefuseConnection
Comment thread
richm marked this conversation as resolved.
RekeyLimit
RemoteCommand
RemoteForward
Expand Down Expand Up @@ -113,4 +114,5 @@ UserKnownHostsFile
VerifyHostKeyDNS
VersionAddendum
VisualHostKey
WarnWeakCrypto
XAuthLocation
71 changes: 0 additions & 71 deletions .github/workflows/ansible-centos.yml
View file
Open in desktop

This file was deleted.

39 changes: 39 additions & 0 deletions .github/workflows/ansible-check.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
name: Ansible CI
on: [push, pull_request]

env:
ANSIBLE_INJECT_FACT_VARS: "false"

jobs:
test:
if: |
!((github.event_name == 'pull_request' && contains(github.event.pull_request.title, '[citest_skip]')) ||
(github.event_name == 'push' && contains(github.event.head_commit.message, '[citest_skip]')))
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
os_image:
- alpine:latest
- quay.io/centos/centos:stream8
- quay.io/centos/centos:stream9
- quay.io/centos/centos:stream10
- debian:bullseye
- debian:bookworm
- debian:latest
- fedora:latest
- ubuntu:22.04
- ubuntu:24.04
- ubuntu:latest

steps:
- name: Checkout code
uses: actions/checkout@v6
Comment on lines +30 to +31

@coderabbitai coderabbitai Bot May 28, 2026
edited
Loading

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify checkout steps explicitly disable credential persistence
rg -nP --type=yaml 'uses:\s*actions/checkout@' .github/workflows -C2
rg -nP --type=yaml 'persist-credentials:\s*false' .github/workflows

Repository: linux-system-roles/ssh

Length of output: 5617

Add with: persist-credentials: false to the actions/checkout@v6 step in ansible-check.yml.
.github/workflows/ansible-check.yml’s checkout step only has uses: actions/checkout@v6 (no with:), and there are no persist-credentials: false occurrences in .github/workflows, so credentials can persist into later steps/actions.

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 30-31: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

[error] 31-31: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ansible-check.yml around lines 30 - 31, The checkout step
using actions/checkout@v6 currently lacks the persist-credentials setting;
update the GitHub Actions step that references actions/checkout@v6 to include a
with block setting persist-credentials: false (i.e., add "with:
persist-credentials: false" under the uses: actions/checkout@v6 step) so
credentials are not persisted to subsequent steps.

@richm richm May 28, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The .github/workflow/*.yml files are generated from the common source in https://github.com/linux-system-roles/.github/tree/main/playbooks/templates/.github/workflows
If there are changes to be made, please create a github issue in that repo with the suggested issues and fixes.

@coderabbitai coderabbitai Bot May 28, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
gh issue create \
  --repo linux-system-roles/.github \
  --title "ci: Add persist-credentials: false and pin actions/checkout to a hash in workflow templates" \
  --body "## Summary

The \`.github/workflows/\` YAML files generated from the templates in this repository have two security-related findings flagged by [zizmor](https://github.com/woodruffw/zizmor) in [linux-system-roles/ssh#239](https://github.com/linux-system-roles/ssh/pull/239).

These findings apply to the template source used to generate the workflow files, so fixes should be made here.

---

## Finding 1 — Credential persistence (artipacked)

**Severity:** Warning  
**Rule:** \`artipacked\`

The \`actions/checkout\` step does not set \`persist-credentials: false\`. This means GitHub credentials (the \`GITHUB_TOKEN\`) are written to the local git config and remain available to all subsequent steps and any action invoked after checkout, which is a wider-than-necessary credential scope.

**Suggested fix:**

\`\`\`yaml
- name: Checkout code
  uses: actions/checkout@<hash>
  with:
    persist-credentials: false
\`\`\`

---

## Finding 2 — Unpinned action reference (unpinned-uses)

**Severity:** Error  
**Rule:** \`unpinned-uses\`

\`actions/checkout@v6\` is referenced by a mutable tag rather than an immutable commit hash. A compromised or altered tag could introduce unexpected code into CI.

**Suggested fix:** Pin to the full commit SHA of the desired release, e.g.:

\`\`\`yaml
uses: actions/checkout@<full-sha>  # v6
\`\`\`

---

## References

- PR where this was flagged: https://github.com/linux-system-roles/ssh/pull/239#discussion_r3320114000
- Raised by: `@richm`
"

Length of output: 1770

@richm, I've created an issue in the upstream template repository with both findings (credential persistence and unpinned action reference):

linux-system-roles/.github#170

✏️ Learnings added 
Learnt from: richm
Repo: linux-system-roles/ssh PR: 239
File: .github/workflows/ansible-check.yml:30-31
Timestamp: 2026-05-28T19:23:44.331Z
Learning: In the linux-system-roles/ssh repository, the `.github/workflows/*.yml` files are generated from common template sources located at https://github.com/linux-system-roles/.github/tree/main/playbooks/templates/.github/workflows. Any suggested changes to these workflow files should be filed as issues in the `linux-system-roles/.github` repository rather than directly editing the generated files.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.


- name: Test Ansible SSH Role
uses: Jakuje/check-ansible-action@main
Comment on lines +31 to +34

@coderabbitai coderabbitai Bot May 28, 2026
edited
Loading

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify all workflow `uses:` refs are SHA-pinned
rg -nP --type=yaml '^\s*uses:\s*[^@]+@(?!(?:[0-9a-fA-F]{40})\b).+$' .github/workflows

Repository: linux-system-roles/ssh

Length of output: 2927

Pin third-party GitHub Actions to immutable commit SHAs in ansible-check.yml

In .github/workflows/ansible-check.yml, uses: actions/checkout@v6 (line 31) and uses: Jakuje/check-ansible-action@main (line 34) are not SHA-pinned, so upstream updates can change CI behavior without notice.

  • Pin both uses: entries to full commit SHAs.
Suggested hardening diff 
-      - name: Checkout code
-        uses: actions/checkout@v6
+      - name: Checkout code
+        uses: actions/checkout@<full-commit-sha-for-v6>

-      - name: Test Ansible SSH Role
-        uses: Jakuje/check-ansible-action@main
+      - name: Test Ansible SSH Role
+        uses: Jakuje/check-ansible-action@<full-commit-sha>
🧰 Tools
🪛 zizmor (1.25.2)

[error] 31-31: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

[error] 34-34: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ansible-check.yml around lines 31 - 34, Update the
workflow to pin third-party actions to immutable commit SHAs: replace the
floating tags "actions/checkout@v6" and "Jakuje/check-ansible-action@main" with
their respective full commit SHAs (e.g., actions/checkout@<sha> and
Jakuje/check-ansible-action@<sha>) so the runner uses exact commits; locate the
two `uses:` lines in the ansible-check.yml file (the entries referencing
actions/checkout and Jakuje/check-ansible-action) and swap the tags for the
corresponding verified commit SHAs from each repository.

@richm richm May 28, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The .github/workflow/*.yml files are generated from the common source in https://github.com/linux-system-roles/.github/tree/main/playbooks/templates/.github/workflows
If there are changes to be made, please create a github issue in that repo with the suggested issues and fixes.

@coderabbitai coderabbitai Bot May 28, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
gh issue create \
  --repo linux-system-roles/.github \
  --title "Pin GitHub Actions to immutable commit SHAs in workflow templates" \
  --body "## Summary

The workflow templates under \`playbooks/templates/.github/workflows/\` (which generate \`.github/workflows/ansible-check.yml\` and related files in downstream roles such as [linux-system-roles/ssh#239](https://github.com/linux-system-roles/ssh/pull/239)) currently reference GitHub Actions using floating tags rather than immutable commit SHAs.

## Examples flagged

\`\`\`yaml
uses: actions/checkout@v6
uses: Jakuje/check-ansible-action@main
\`\`\`

## Risk

Floating tags (e.g., \`@v6\`, \`@main\`) can be moved upstream at any time, meaning CI behavior can change — or be hijacked — without any change to this repository. Pinning to full commit SHAs provides a stable, auditable reference.

## Suggested fix

Replace floating tag references with the corresponding full 40-character commit SHAs, for example:

\`\`\`yaml
uses: actions/checkout@<full-sha-for-v6>
uses: Jakuje/check-ansible-action@<full-sha-for-current-main>
\`\`\`

Tools such as [Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot) or [zizmor](https://github.com/woodruffw/zizmor) can help automate this.

## References

- Flagged by CodeRabbit static analysis (zizmor rule \`unpinned-uses\`) in [linux-system-roles/ssh#239 (comment)](https://github.com/linux-system-roles/ssh/pull/239#discussion_r3320114005)
- Requested by `@richm`
"

Length of output: 1660

@richm, the issue has been filed at https://github.com/linux-system-repos/.github/issues/171 — it covers pinning both actions/checkout@v6 and Jakuje/check-ansible-action@main to full commit SHAs in the upstream workflow templates.

✏️ Learnings added 
Learnt from: richm
Repo: linux-system-roles/ssh PR: 239
File: .github/workflows/ansible-check.yml:31-34
Timestamp: 2026-05-28T19:25:11.306Z
Learning: In the linux-system-roles/ssh repository, the `.github/workflows/*.yml` files are generated from upstream templates located at https://github.com/linux-system-roles/.github/tree/main/playbooks/templates/.github/workflows. Any suggested changes to these workflow files should be filed as issues in the `linux-system-roles/.github` repository rather than made directly in the ssh repository.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

with:
image: ${{ matrix.os_image }}
group: local
hosts: localhost
targets: "tests/tests_*.yml"
38 changes: 0 additions & 38 deletions .github/workflows/ansible-debian.yml
View file
Open in desktop

This file was deleted.

22 changes: 0 additions & 22 deletions .github/workflows/ansible-fedora.yml
View file
Open in desktop

This file was deleted.

38 changes: 0 additions & 38 deletions .github/workflows/ansible-ubuntu.yml
View file
Open in desktop

This file was deleted.

6 changes: 6 additions & 0 deletions templates/ssh_config.j2
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,7 @@ Match {{ match["Condition"] }}
{{ render_option("PubkeyAcceptedKeyTypes", match["PubkeyAcceptedKeyTypes"], true) -}}
{{ render_option("PubkeyAcceptedAlgorithms", match["PubkeyAcceptedAlgorithms"], true) -}}
{{ render_option("PubkeyAuthentication", match["PubkeyAuthentication"], true) -}}
{{ render_option("RefuseConnection", match["RefuseConnection"], true) -}}
{{ render_option("RekeyLimit", match["RekeyLimit"], true) -}}
{{ render_option("RemoteCommand", match["RemoteCommand"], true) -}}
{{ render_option("RemoteForward", match["RemoteForward"], true) -}}
Expand Down Expand Up @@ -158,6 +159,7 @@ Match {{ match["Condition"] }}
{{ render_option("VerifyHostKeyDNS", match["VerifyHostKeyDNS"], true) -}}
{{ render_option("VersionAddendum", match["VersionAddendum"], true) -}}
{{ render_option("VisualHostKey", match["VisualHostKey"], true) -}}
{{ render_option("WarnWeakCrypto", match["WarnWeakCrypto"], true) -}}
{{ render_option("XAuthLocation", match["XAuthLocation"], true) -}}
{% endfor %}
{% endif %}
Expand Down Expand Up @@ -254,6 +256,7 @@ Host {{ host["Condition"] }}
{{ render_option("PubkeyAcceptedKeyTypes", host["PubkeyAcceptedKeyTypes"], true) -}}
{{ render_option("PubkeyAcceptedAlgorithms", host["PubkeyAcceptedAlgorithms"], true) -}}
{{ render_option("PubkeyAuthentication", host["PubkeyAuthentication"], true) -}}
{{ render_option("RefuseConnection", host["RefuseConnection"], true) -}}
{{ render_option("RekeyLimit", host["RekeyLimit"], true) -}}
{{ render_option("RemoteCommand", host["RemoteCommand"], true) -}}
{{ render_option("RemoteForward", host["RemoteForward"], true) -}}
Expand Down Expand Up @@ -284,6 +287,7 @@ Host {{ host["Condition"] }}
{{ render_option("VerifyHostKeyDNS", host["VerifyHostKeyDNS"], true) -}}
{{ render_option("VersionAddendum", host["VersionAddendum"], true) -}}
{{ render_option("VisualHostKey", host["VisualHostKey"], true) -}}
{{ render_option("WarnWeakCrypto", host["WarnWeakCrypto"], true) -}}
{{ render_option("XAuthLocation", host["XAuthLocation"], true) -}}
{% endfor %}
{% endif %}
Expand Down Expand Up @@ -373,6 +377,7 @@ Host {{ host["Condition"] }}
{{ body_option("PubkeyAcceptedKeyTypes", ssh_PubkeyAcceptedKeyTypes) -}}
{{ body_option("PubkeyAcceptedAlgorithms", ssh_PubkeyAcceptedAlgorithms) -}}
{{ body_option("PubkeyAuthentication", ssh_PubkeyAuthentication) -}}
{{ body_option("RefuseConnection", ssh_RefuseConnection) -}}
{{ body_option("RekeyLimit", ssh_RekeyLimit) -}}
{{ body_option("RemoteCommand", ssh_RemoteCommand) -}}
{{ body_option("RemoteForward", ssh_RemoteForward) -}}
Expand Down Expand Up @@ -403,6 +408,7 @@ Host {{ host["Condition"] }}
{{ body_option("VerifyHostKeyDNS", ssh_VerifyHostKeyDNS) -}}
{{ body_option("VersionAddendum", ssh_VersionAddendum) -}}
{{ body_option("VisualHostKey", ssh_VisualHostKey) -}}
{{ body_option("WarnWeakCrypto", ssh_WarnWeakCrypto) -}}
{{ body_option("XAuthLocation", ssh_XAuthLocation) -}}
{% if ssh['Match'] is defined %}
{{ match_block(ssh['Match']) -}}
Expand Down
3 changes: 2 additions & 1 deletion tests/tasks/setup.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,4 +44,5 @@
- (ansible_facts['os_family'] in ['RedHat', 'Suse']
and ansible_facts['distribution_major_version'] | int >= 8) or
(ansible_facts['distribution'] == 'Ubuntu'
and ansible_facts['distribution_major_version'] | int >= 20)
and ansible_facts['distribution_major_version'] | int >= 20) or
ansible_facts['distribution'] == 'Alpine'
2 changes: 2 additions & 0 deletions tests/tests_additional_packages.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,8 @@
openssh-keycat
{% elif ansible_facts['os_family'] == 'Suse' %}
openssh-helpers
{% elif ansible_facts['os_family'] == 'Alpine' %}
openssh-sk-helper
{% else %}
openssh-tests
{% endif %}
Expand Down
14 changes: 14 additions & 0 deletions tests/tests_all_options.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,17 @@
- not __ssh_is_ostree | bool
changed_when: true

- name: Make sure manual pages and bash are installed on Alpine
ansible.builtin.package:
name:
- mandoc
- man-pages
- openssh-doc
- bash
state: present
when:
- ansible_facts['distribution'] == "Alpine"

- name: Make sure manual pages, gawk and bash are installed
package:
name:
Expand All @@ -65,6 +76,8 @@
state: present
use: "{{ (__ssh_is_ostree | d(false)) |
ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
when:
- ansible_facts['distribution'] != "Alpine"

- name: Check if ssh_config man page is available
command: man -w ssh_config
Expand All @@ -79,6 +92,7 @@
- name: Get list of options from manual page
shell: >-
set -o pipefail && man ssh_config \
| sed 's/\x08.//g' \
| grep -o '^\( \| \)[A-Z][A-Za-z0-9]*\(.\| \)' \
| grep -v "[A-Za-z0-9] $" | grep -v "[^A-Za-z0-9 ]$" \
| awk '{ print $1 }' \
Expand Down
1 change: 1 addition & 0 deletions tests/tests_no_skip_defaults.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
{% if ansible_facts['os_family'] in ['Ubuntu', 'Debian'] %}
HashKnownHosts yes
{% elif ansible_facts['os_family'] == 'Suse' or
ansible_facts['os_family'] == 'Alpine' or
ansible_facts['distribution'] == 'Fedora' or
(ansible_facts['distribution'] in ['RedHat', 'CentOS'] and
ansible_facts['distribution_version'] | int >= 8) %}
Expand Down
9 changes: 9 additions & 0 deletions vars/Alpine.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---
__ssh_packages: ['openssh-client-default']

__ssh_supports_drop_in: true
__ssh_drop_in_name: "00-ansible"

# This default lists the main configuration file defaults
__ssh_defaults:
Include: /etc/ssh/ssh_config.d/*.conf
15 changes: 15 additions & 0 deletions vars/Ubuntu_26.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
---
__ssh_packages: ['openssh-client']

# This system supports drop in directory so defaults are adjusted
__ssh_supports_drop_in: true
__ssh_drop_in_name: "00-ansible"

# This default lists the main configuration file defaults
__ssh_defaults:
Include: /etc/ssh/ssh_config.d/*.conf
Host:
- Condition: "*"
SendEnv: LANG LC_* COLORTERM NO_COLOR
HashKnownHosts: true
GSSAPIAuthentication: true
Loading