ci: Use generalized action to test against different distributions

[spetrosi]

Enhancement: Use single GH action to test on container images

Reason: The fleet of GH actions testing against different container images was not maintainable.

Result: On this role side, all code is in one workflow file.

Issue Tracker Tickets (Jira or BZ if any): -

Summary by Sourcery

Unify Ansible CI into a single container-based workflow while extending role support and tests for Alpine and newer Ubuntu, and exposing additional ssh_config options.

New Features:

• Add a generalized GitHub Actions workflow that runs Ansible role tests across multiple container distributions including Alpine, CentOS Stream, Debian, Fedora, and Ubuntu.
• Introduce ssh_config support for RefuseConnection and WarnWeakCrypto options in both host and match blocks.
• Add distribution-specific variable files for Alpine and Ubuntu 26 to define SSH client packages and default drop-in configuration behavior.

Bug Fixes:

• Ensure ssh_config option extraction in tests handles backspace formatting from man pages to improve robustness across distributions.

Enhancements:

• Update test playbooks to install required manual page and shell packages on Alpine and adjust expectations for ssh_config include directives and helper packages on Alpine-based systems.
• Broaden test setup conditions to include Alpine and reflect its SSH defaults and package naming.

CI:

• Replace multiple distribution-specific Ansible GitHub workflows with a single matrix-based workflow that runs tests against various container images, with opt-out via [citest_skip] in titles or commit messages.

Tests:

• Expand test coverage and setup logic to properly exercise the role on Alpine and updated Ubuntu environments, including man-page availability and config include behavior.

Chores:

• Add a CodeRabbit configuration file defining review behavior, PR title/description conventions, and path-specific review guidelines.

[spetrosi]

Created in wrong repository, should be in fork

[sourcery-ai]

Reviewer's Guide

Consolidates CI testing into a single generalized GitHub Actions workflow that runs the Ansible SSH role tests across multiple container distributions (including new Alpine and Ubuntu 26 support), while aligning test expectations, role templates, and vars with the behavior of those distributions and adding a CodeRabbit configuration file.

File-Level Changes

Change	Details	Files
Add unified container‑based CI workflow and remove per‑distro workflows.	Introduce .github/workflows/ansible-check.yml that runs tests against a matrix of container images (Alpine, CentOS Stream 8/9/10, Debian, Fedora, Ubuntu). Configure the workflow to use Jakuje/check-ansible-action for running tests/tests_*.yml with ANSIBLE_INJECT_FACT_VARS disabled by default. Respect a [citest_skip] marker in PR titles and commit messages to bypass CI runs. Remove the old distro-specific workflows for CentOS, Debian, Fedora, and Ubuntu.	.github/workflows/ansible-check.yml .github/workflows/ansible-centos.yml .github/workflows/ansible-debian.yml .github/workflows/ansible-fedora.yml .github/workflows/ansible-ubuntu.yml
Adjust tests to handle Alpine-specific behavior and broaden distro coverage.	Install mandoc/man-pages/openssh-doc/bash explicitly on Alpine while keeping the generic package task for non-Alpine systems and gating it with a conditional. Normalize ssh_config man page parsing by stripping backspace overstrike sequences via sed before grepping options. Allow tests to run on Alpine by extending distribution conditionals in tests/tasks/setup.yml. Provide Alpine-specific additional package selection (openssh-sk-helper) and ssh_config expectations (include /etc/ssh/ssh_config.d/).	tests/tests_all_options.yml tests/tasks/setup.yml tests/tests_additional_packages.yml tests/tests_no_skip_defaults.yml
Extend SSH config template to support additional options now present in newer OpenSSH versions.	Render RefuseConnection and WarnWeakCrypto options for Match blocks based on match variables. Render RefuseConnection and WarnWeakCrypto options in Host blocks based on host variables. Support RefuseConnection and WarnWeakCrypto at the top-level Host body using corresponding ssh_* variables.	templates/ssh_config.j2
Add distro-specific vars for Alpine and future Ubuntu 26 behavior.	Define Alpine vars with appropriate package name (openssh-client-default), enabling drop-in directory support and setting defaults that include /etc/ssh/ssh_config.d/*.conf. Define Ubuntu_26 vars to support the drop-in directory model and updated ssh_config defaults (Include directive and default Host settings).	vars/Alpine.yml vars/Ubuntu_26.yml
Introduce CodeRabbit configuration to codify review policies and role conventions.	Add .coderabbit.yaml that configures CodeRabbit behavior, enforces Conventional Commits PR titles, and requires PR descriptions to follow the project template. Embed path-specific review instructions for tasks, handlers, tests, templates, vars/defaults, Python code, and documentation aligned with linux-system-roles standards.	.coderabbit.yaml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• The Alpine default __ssh_defaults.Include points to /etc/ssh/ssh_config.d/*.conf, but the Alpine assertion in tests/tests_no_skip_defaults.yml expects Include /etc/ssh/ssh_config.d/ without the glob; consider aligning these paths so the defaults and tests reflect the same behavior.
• The new CI workflow uses Jakuje/check-ansible-action@main; consider pinning this action to a specific tag or commit SHA to avoid unexpected behavior from upstream changes.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The Alpine default `__ssh_defaults.Include` points to `/etc/ssh/ssh_config.d/*.conf`, but the Alpine assertion in `tests/tests_no_skip_defaults.yml` expects `Include /etc/ssh/ssh_config.d/` without the glob; consider aligning these paths so the defaults and tests reflect the same behavior.
- The new CI workflow uses `Jakuje/check-ansible-action@main`; consider pinning this action to a specific tag or commit SHA to avoid unexpected behavior from upstream changes.

## Individual Comments

### Comment 1
<location path=".github/workflows/ansible-check.yml" line_range="31" />
<code_context>
-    runs-on: ubuntu-latest
-    steps:
-      - name: checkout PR
-        uses: actions/checkout@v6
-
-      - run: "sed -i -e 's/ansible.posix.//g' */*.yml */*/*.yml"
</code_context>
<issue_to_address>
**issue (bug_risk):** Pin actions/checkout to a stable major version instead of v6, which does not exist yet.

`actions/checkout` is only published up to `v4`, so `@v6` will cause this workflow to fail. Please change it to a supported major version (e.g. `actions/checkout@v4`) or pin to a specific commit SHA.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

issue (bug_risk): Pin actions/checkout to a stable major version instead of v6, which does not exist yet.

actions/checkout is only published up to v4, so @v6 will cause this workflow to fail. Please change it to a supported major version (e.g. actions/checkout@v4) or pin to a specific commit SHA.