Add ansible-lint, update hatch environments and pre-commit

.ansible-lint

@@ -0,0 +1,19 @@
+# Copyright 2025 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+profile: production
+quiet: true
+strict: true
+verbosity: 1
+offline: true

.ansible-lint-ignore

@@ -0,0 +1,13 @@
+# Copyright 2025 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.

.config/molecule/config.yml

@@ -1,3 +1,4 @@
+---
 # Copyright 2024 Cloudera, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

.github/workflows/label_pr.yml

@@ -55,7 +55,7 @@ jobs:
             let fs = require('fs');
             fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/pr_number.zip`, Buffer.from(download.data));
 
-      - name: 'Unzip artifact'
+      - name: "Unzip artifact"
         run: unzip pr_number.zip
 
       - name: Read the PR number

.github/workflows/pre-commit.yml

@@ -1,3 +1,4 @@
+---
 # Copyright 2024 Cloudera, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -18,11 +19,10 @@ on:
   pull_request:
   push:
     branches: [main, devel]
-
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-python@v5
-    - uses: pre-commit/[email protected]
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+      - uses: pre-commit/[email protected]

.github/workflows/publish_docs.yml

@@ -19,10 +19,9 @@ name: Publish documentation
 on:
   push:
     branches:
-      - 'main'
+      - "main"
 
   workflow_dispatch:
-
 jobs:
   build-ansible-docs:
     name: Build Ansible Docs

.github/workflows/publish_galaxy.yml

@@ -19,7 +19,6 @@ name: Publish to Ansible Galaxy
 on:
   release:
     types: [published]
-
 jobs:
   galaxy_release:
     runs-on: ubuntu-latest

.github/workflows/reset_pr.yml

@@ -23,9 +23,9 @@ on:
       - synchronize
       - ready_for_review
     branches:
-      - 'release/**'
-      - 'devel'
-      - 'devel-pvc-base'
+      - "release/**"
+      - "devel"
+      - "devel-pvc-base"
 
 jobs:
   reset:

.github/workflows/validate_pr.yml

@@ -19,8 +19,8 @@ name: Validate Pull Request
 on:
   pull_request:
     branches:
-      - 'release/**'
-      - 'devel'
+      - "release/**"
+      - "devel"
 
 jobs:
   validate:
@@ -32,8 +32,8 @@ jobs:
       - name: Setup Python and caching
         uses: actions/setup-python@v4
         with:
-          python-version: '3.9'
-          cache: 'pip'
+          python-version: "3.9"
+          cache: "pip"
 
       - name: Set up Ansible collections
         run: |

.github/workflows/validate_pr_docs.yml

@@ -19,15 +19,14 @@ name: Validate Pull Request documentation
 on:
   pull_request:
     branches:
-      - 'release/**'
-      - 'devel'
+      - "release/**"
+      - "devel"
 
   workflow_dispatch:
-
 jobs:
   validate-docs:
     name: Validate Ansible Docs
-    uses: cloudera-labs/github-actions/.github/workflows/lint-ansible-docs.yml@v1
+    uses: cloudera-labs/github-actions/.github/workflows/lint-ansible-docs.yml@v2
     with:
       antsibull-log-upload: true
       collection-namespace: cloudera

.gitignore

@@ -164,3 +164,6 @@ cython_debug/
 
 # UV package manager
 uv.lock
+
+# Ansible tests
+.ansible

.pre-commit-config.yaml

@@ -1,4 +1,5 @@
-# Copyright 2024 Cloudera, Inc.
+---
+# Copyright 2025 Cloudera, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -14,13 +15,34 @@
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v3.2.0
+    rev: v5.0.0
     hooks:
       - id: trailing-whitespace
       - id: end-of-file-fixer
       - id: check-yaml
+      - id: check-toml
+      - id: check-json
       - id: check-added-large-files
+      - id: check-case-conflict
+      - id: check-docstring-first
+      - id: check-merge-conflict
+      - id: check-symlinks
+      - id: debug-statements
+      - id: detect-aws-credentials
+        args:
+          - --allow-missing-credentials
+      - id: detect-private-key
+      - id: forbid-submodules
+      # - id: name-tests-test
+  - repo: https://github.com/asottile/add-trailing-comma.git
+    rev: v3.2.0
+    hooks:
+      - id: add-trailing-comma
+        name: ensure trailing commas
+        args:
+          - --py36-plus
   - repo: https://github.com/psf/black
-    rev: 22.10.0
+    rev: 25.1.0
     hooks:
       - id: black
+        name: lint python

docs/configuration.yml

@@ -81,7 +81,7 @@ df:
           parameters:
             - name:
               value:
-              assetReferences: [str, ...]
+              assetReferences: [str, "..."]
       kpis:
         - metricId:
           componentId:
@@ -505,5 +505,5 @@ data:
     aws:
       suffix:
   teardown:
-      delete_policies:
-      delete_roles:
+    delete_policies:
+    delete_roles:

docs/links.yml

@@ -3,7 +3,7 @@
 edit_on_github:
   repository: cloudera-labs/cloudera.exe
   branch: main
-  path_prefix: ''
+  path_prefix: ""
 
 extra_links:
   - description: Submit a bug report

extensions/molecule/default/converge.yml

@@ -1,3 +1,4 @@
+---
 # Copyright 2024 Cloudera, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,7 +15,7 @@
 
 - name: Default test
   hosts: all
-  gather_facts: yes
+  gather_facts: true
   tasks:
     - name: Heartbeat
       ansible.builtin.ping:

extensions/molecule/default/molecule.yml

@@ -1,3 +1,4 @@
+---
 # Copyright 2024 Cloudera, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

extensions/molecule/default/requirements.yml

@@ -1,3 +1,4 @@
+---
 # Copyright 2024 Cloudera, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

extensions/molecule/rdbms_server_postgresql_14/molecule.yml

@@ -1,3 +1,4 @@
+---
 # Copyright 2024 Cloudera, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

extensions/molecule/rdbms_server_postgresql_14/requirements.yml

@@ -1,3 +1,4 @@
+---
 # Copyright 2024 Cloudera, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

extensions/molecule/rdbms_server_postgresql_14_tls/cleanup.yml

@@ -1,3 +1,4 @@
+---
 # Copyright 2024 Cloudera, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,7 +16,7 @@
 - name: Remove CA certificate
   hosts: localhost
   connection: local
-  gather_facts: no
+  gather_facts: false
   tasks:
     - name: Remove CA private key
       ansible.builtin.file:

extensions/molecule/rdbms_server_postgresql_14_tls/prepare.yml

@@ -1,3 +1,4 @@
+---
 # Copyright 2024 Cloudera, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -19,15 +20,15 @@
     - name: Create CA private key
       community.crypto.openssl_privatekey:
         path: ./ca-certificate.key
-        mode: 0600
+        mode: "0600"
 
     - name: Create CSR for CA certificate
       community.crypto.openssl_csr_pipe:
         privatekey_path: ca-certificate.key
         common_name: Molecule CA
         use_common_name_for_san: false
         basic_constraints:
-          - 'CA:TRUE'
+          - "CA:TRUE"
         basic_constraints_critical: true
         key_usage:
           - keyCertSign
@@ -40,11 +41,11 @@
         csr_content: "{{ __ca_csr.csr }}"
         privatekey_path: ca-certificate.key
         provider: selfsigned
-        mode: 0644
+        mode: "0644"
 
 - name: Set up TLS certificates
   hosts: all
-  gather_facts: yes
+  gather_facts: true
   tasks:
     - name: Update pip
       ansible.builtin.pip:
@@ -77,28 +78,28 @@
       ansible.builtin.file:
         path: /opt/security/pki
         state: directory
-        mode: 0755
+        mode: "0755"
 
     - name: Copy CA certificate from controller
       ansible.builtin.copy:
         src: ca-certificate.pem
         dest: /opt/security/pki/ca-certificate.pem
-        mode: 0644
+        mode: "0644"
 
     - name: Create host private key
       community.crypto.openssl_privatekey:
         path: /opt/security/pki/host.key
-        return_content: yes
+        return_content: true
         group: postgres
-        mode: 0640
+        mode: "0640"
       register: __key
 
     - name: Write unencrypted host private key
       ansible.builtin.copy:
         dest: /opt/security/pki/host.key.unenc
         content: "{{ __key.privatekey }}"
         group: postgres
-        mode: 0640
+        mode: "0640"
 
     - name: Create CSR for host certificate
       community.crypto.openssl_csr_pipe:
@@ -121,5 +122,5 @@
       ansible.builtin.copy:
         dest: /opt/security/pki/host.pem
         content: "{{ __cert.certificate }}"
-        mode: 0640
+        mode: "0640"
         group: postgres

extensions/molecule/rdbms_server_postgresql_14_tls/requirements.yml

@@ -1,3 +1,4 @@
+---
 # Copyright 2024 Cloudera, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

extensions/molecule/rdbms_server_postgresql_14_tls/verify.yml

@@ -1,3 +1,4 @@
+---
 # Copyright 2024 Cloudera, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,18 +15,18 @@
 
 - name: Confirm local database access
   hosts: all
-  gather_facts: no
+  gather_facts: false
   tasks:
     - name: Ping database locally
       community.postgresql.postgresql_ping:
-      become: yes
+      become: true
       become_user: postgres
       register: postgres_user
       failed_when: not postgres_user.is_available
 
 - name: Confirm external database access
   hosts: all
-  gather_facts: no
+  gather_facts: false
   tasks:
     - name: Ping database as authorized user
       community.postgresql.postgresql_ping:

extensions/molecule/rdbms_server_postgresql_default/converge.yml

@@ -1,3 +1,4 @@
+---
 # Copyright 2024 Cloudera, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

extensions/molecule/rdbms_server_postgresql_default/prepare.yml

@@ -1,3 +1,4 @@
+---
 # Copyright 2024 Cloudera, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,5 +15,5 @@
 
 - name: Set up TLS certificates
   hosts: all
-  gather_facts: yes
+  gather_facts: true
   tasks:

extensions/molecule/rdbms_server_postgresql_default/requirements.yml

@@ -1,3 +1,4 @@
+---
 # Copyright 2024 Cloudera, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");