From c71f620c9bb091d74b7209ce91bb4f56df711d00 Mon Sep 17 00:00:00 2001
From: Petr Ruzicka
Date: Sat, 14 Sep 2024 10:52:29 -0700
Subject: [PATCH] feat: fix ci - molecule (#41)
---
 .ansible-lint | 4 ++-- .github/renovate.json5 | 4 +++- .github/workflows/mega-linter.yml | 4 ++-- .github/workflows/molecule.yml | 1 - .github/workflows/release-please.yml | 9 ++++++++- .github/workflows/renovate.yml | 9 +++++---- .github/workflows/semantic-pull-request.yml | 9 ++++++++- .github/workflows/stale.yml | 1 + .mega-linter.yml | 2 +- lychee.toml | 3 ++- molecule/default/molecule.yml | 4 +++- 11 files changed, 35 insertions(+), 15 deletions(-)
diff --git a/.ansible-lint b/.ansible-lint
index 529d2e0..48086ca 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -1,7 +1,7 @@ skip_list: # Role name virtio-win does not match ``^[a-z][a-z0-9_]+$`` pattern - - 'role-name' + - "role-name" # Lines should be no longer than 160 chars - - 'yaml' + - "yaml" verbosity: 1
diff --git a/.github/renovate.json5 b/.github/renovate.json5
index 1117e58..1a30636 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -1,14 +1,16 @@ { $schema: "https://docs.renovatebot.com/renovate-schema.json", + // Keep the extends started with ":" at the end of the list to allow overriding extends: [ "config:recommended", "docker:pinDigests", "helpers:pinGitHubActionDigestsToSemver", "security:openssf-scorecard", ":disableDependencyDashboard", - ":docker", ":disableRateLimiting", + ":docker", ":enableVulnerabilityAlertsWithLabel(security)", + ":pinSkipCi", ], "git-submodules": { enabled: true,
diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml
index 6436ed0..a14a537 100644
--- a/.github/workflows/mega-linter.yml
+++ b/.github/workflows/mega-linter.yml
@@ -34,12 +34,12 @@ jobs: # Extract: ```bash ... ``` sed -n "/^ \`\`\`\(bash\|shell\)$/,/^ \`\`\`$/p" "${FILE}" | sed '/^ ```*/d; s/^ //' >> README.sh done - ls -la README.sh chmod a+x README.sh - name: 💡 MegaLinter uses: oxsecurity/megalinter@5199c6377b4cb7faff749a1971636f3343db9fe6 # v7.12.0 env: GITHUB_COMMENT_REPORTER: false - GITHUB_STATUS_REPORTER: true + # Disabled due to error: [GitHub Status Reporter] Error posting Status for REPOSITORY with ...: 403 + GITHUB_STATUS_REPORTER: false GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml
index a706b91..7add3c7 100644
--- a/.github/workflows/molecule.yml
+++ b/.github/workflows/molecule.yml
@@ -19,7 +19,6 @@ jobs: distro: - ubuntu2204 - ubuntu2004 - - ubuntu1804 steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 62a6629..4fe79c6 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -15,6 +15,13 @@ jobs: release-please: runs-on: ubuntu-latest steps: - - uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4.1.1 + - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 + id: app-token + with: + app-id: ${{ secrets.MY_RENOVATE_GITHUB_APP_ID }} + private-key: ${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }} + + - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3 with: release-type: simple + token: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 6f8b8db..de29ba9 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
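Review bot: Setting `GITHUB_STATUS_REPORTER: false` treats a permission failure as a feature toggle; a 403 from the status reporter is usually `GITHUB_TOKEN` lacking `statuses: write` (or a read-only token on a fork pull request), so the commit status is lost rather than repaired. Unless the status check is genuinely unwanted, keep `GITHUB_STATUS_REPORTER: true` and add `statuses: write` to the job's `permissions:` block, which lies outside this hunk and cannot be checked from here. If the reporter is meant to stay off, the comment should state that decision instead of only quoting the error. The job's `steps` list begins before the hunk.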
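Review bot: The app token minted for release-please is created with no scoping input, so it carries every permission the `MY_RENOVATE_*` app was installed with, while release-please only needs to write contents and pull requests. The same private key is now shared by the renovate and semantic-pull-request workflows, which makes the app's permission set the union of all three jobs' needs and means a token leak from any one workflow exposes all of it. If this version of `actions/create-github-app-token` supports per-permission scoping inputs, restrict the token to the two scopes needed here; otherwise consider a dedicated app for releases, and rename the secrets away from `MY_RENOVATE_*` so their real reach is obvious to the next reader. Any `permissions:` block for this job sits outside the hunk.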
@@ -20,7 +20,7 @@ on: - main - "!renovate/*" schedule: - - cron: "0 0,2,4 * * 0" + - cron: "0 0-3 * * 0" env: # https://docs.renovatebot.com/troubleshooting/#log-debug-levels
@@ -45,17 +45,18 @@ jobs: runs-on: ubuntu-latest concurrency: group: ${{ github.workflow }}-${{ github.ref }} + permissions: write-all steps: - name: Checkout uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: actions/create-github-app-token@3378cda945da322a8db4b193e19d46352ebe2de5 # v1.10.4 + - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 id: app-token with: app-id: ${{ secrets.MY_RENOVATE_GITHUB_APP_ID }} - private-key: "${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }}" + private-key: ${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }} - name: 💡 Self-hosted Renovate uses: renovatebot/github-action@259200be4d976a76196ec8985b0dddcaf1733b47 # v40.2.0 with: - token: "${{ steps.app-token.outputs.token }}" + token: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/semantic-pull-request.yml b/.github/workflows/semantic-pull-request.yml
index f2f83cc..d71eec1 100644
--- a/.github/workflows/semantic-pull-request.yml
+++ b/.github/workflows/semantic-pull-request.yml
@@ -2,6 +2,7 @@ name: semantic-pull-request on: + workflow_dispatch: pull_request_target: types: - opened
@@ -15,6 +16,12 @@ jobs: semantic-pull-request: runs-on: ubuntu-latest steps: + - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 + id: app-token + with: + app-id: ${{ secrets.MY_RENOVATE_GITHUB_APP_ID }} + private-key: ${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }} + + - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 6814ecf..5acceea 100644
--- a/.github/workflows/stale.yml
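Review bot: `permissions: write-all` on the renovate job hands `GITHUB_TOKEN` every write scope, yet nothing in the job uses `GITHUB_TOKEN` beyond the checkout step; Renovate itself runs with the app token minted two steps later. Least privilege here is `permissions:` followed by `  contents: read`, which is all checkout needs, and if a write scope later proves necessary it should be named individually rather than granted wholesale. Dropping the quotes around the `${{ ... }}` expressions is harmless since they expand to plain strings. The job definition starts before the hunk, so any workflow-level `permissions:` it might inherit from is not visible here.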
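Review bot: Under `pull_request_target` this job now mints a GitHub App token from the same `MY_RENOVATE_*` secrets used by the renovate and release-please workflows, so a workflow reachable from external pull requests holds a token with the app's full permission set while the linter only needs to read the PR and report on it. That stays contained only as long as no step checks out or executes PR head content, which the hunk does not show; keep it that way, and scope the token if the action version allows it. Separately, `workflow_dispatch` carries no pull request in its payload, so `amannn/action-semantic-pull-request` will most likely fail on a manual run; if dispatch is only meant to exercise the token step, guard the linter with `if: github.event_name == 'pull_request_target'`. The `on:` and `jobs:` blocks continue outside both hunks.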
+++ b/.github/workflows/stale.yml
@@ -2,6 +2,7 @@ name: stale on: + workflow_dispatch: schedule: - cron: "9 9 * * *"
diff --git a/.mega-linter.yml b/.mega-linter.yml
index c39e545..7371838 100644
--- a/.mega-linter.yml
+++ b/.mega-linter.yml
@@ -35,7 +35,7 @@ REPOSITORY_DEVSKIM_ARGUMENTS: --ignore-globs CHANGELOG.md --ignore-rule-ids DS16 REPOSITORY_KICS_ARGUMENTS: --fail-on high -REPOSITORY_TRIVY_ARGUMENTS: --ignorefile .trivyignore.yaml --severity HIGH,CRITICAL +REPOSITORY_TRIVY_ARGUMENTS: --ignorefile .trivyignore.yaml --severity HIGH,CRITICAL --ignore-unfixed TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES: - GITHUB_TOKEN
diff --git a/lychee.toml b/lychee.toml
index f48df19..182ae79 100644
--- a/lychee.toml
+++ b/lychee.toml
@@ -31,12 +31,13 @@ exclude = [ # Ignore all URLs with '{ ... }' - BASH / Ansible variable in URL '%7B.*%7D', # Ignore all URLs which starts with 'file://' - 'file://' + 'file://', ] # Exclude these filesystem paths from getting checked exclude_path = [ "CHANGELOG.md", + "package-lock.json", ] # Exclude all private IPs from checking.
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index d291e5b..147da5d 100644
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -2,11 +2,13 @@ role_name_check: 1 dependency: name: galaxy + options: + ignore-errors: true driver: name: docker platforms: - name: instance - image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest" + image: "geerlingguy/docker-${MOLECULE_DISTRO:-rockylinux8}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw
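Review bot: `--ignore-unfixed` silently drops HIGH and CRITICAL findings that have no upstream fix yet, and since `.trivyignore.yaml` is the only other suppression mechanism on this line, those findings stop appearing anywhere in CI. That is a defensible trade for a green build, but the choice should be visible to the next maintainer: add a comment above the line such as `# --ignore-unfixed: HIGH/CRITICAL CVEs with no available fix are excluded from the gate; review them periodically outside CI`, or prefer explicit, dated entries in `.trivyignore.yaml` so each suppression has an owner and an expiry. The surrounding linter configuration continues outside the hunk.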
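Review bot: `ignore-errors: true` makes the galaxy dependency step succeed even when requirements cannot be installed, so a missing or unreachable dependency will surface later as a confusing converge failure, or not at all if the scenario never exercises it. The rationale belongs next to the option, e.g. `# galaxy install failures are non-fatal: <REASON-PLACEHOLDER>` with the real cause filled in, and if the role has no galaxy requirements at all, dropping the `dependency:` section is cleaner than tolerating its errors. The `platforms` entry and its `volumes` list continue past the end of the hunk.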