EESSI · bedroge · Jun 20, 2025 · Jun 20, 2025 · Jun 20, 2025 · Jun 20, 2025
diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml
@@ -11,51 +11,51 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    # Important: This sets up your GITHUB_WORKSPACE environment variable
-    - name: checkout
-      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+      # Important: This sets up your GITHUB_WORKSPACE environment variable
+      - name: checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-    - name: Lint Ansible Playbook
-      # replace "master" with any valid ref
-      uses: ansible/ansible-lint-action@27c37f9001153675ee6abcadcd722bcbdafaba08 # v6.8.2
-      with:
-        # [required]
-        # Paths to ansible files (i.e., playbooks, tasks, handlers etc..)
-        # or valid Ansible directories according to the Ansible role
-        # directory structure.
-        # If you want to lint multiple ansible files, use the following syntax
-        # targets: |
-        #   playbook_1.yml
-        #   playbook_2.yml
-        targets: "*.yml inventory/group_vars/*.yml"
-        # [optional]
-        # Arguments to override a package and its version to be set explicitly.
-        # Must follow the example syntax.
-        # stick to older version of rich, as the new one is not compatible (yet) with ansible-lint
-        override-deps: |
-          rich>=9.5.1,<11.0.0
-        #  ansible==2.9
-        #  ansible-lint==4.2.0
-        # [optional]
-        # Arguments to be passed to the ansible-lint
+      - name: Lint Ansible Playbook
+        # replace "master" with any valid ref
+        uses: ansible/ansible-lint@4114ad63edbc25dcd9afc4f41b29dbcbebdf21ca # v25.5.0
+        with:
+          # [required]
+          # Paths to ansible files (i.e., playbooks, tasks, handlers etc..)
+          # or valid Ansible directories according to the Ansible role
+          # directory structure.
+          # If you want to lint multiple ansible files, use the following syntax
+          # targets: |
+          #   playbook_1.yml
+          #   playbook_2.yml
+          # targets: "*.yml inventory/group_vars/*.yml"
+          # [optional]
+          # Arguments to override a package and its version to be set explicitly.
+          # Must follow the example syntax.
+          # stick to older version of rich, as the new one is not compatible (yet) with ansible-lint
+          # override-deps: |
+          #  rich>=9.5.1,<11.0.0
+          #  ansible==2.9
+          #  ansible-lint==4.2.0
+          # [optional]
+          # Arguments to be passed to the ansible-lint
 
-        # Options:
-        #   -q                    quieter, although not silent output
-        #   -p                    parseable output in the format of pep8
-        #   --parseable-severity  parseable output including severity of rule
-        #   -r RULESDIR           specify one or more rules directories using one or
-        #                         more -r arguments. Any -r flags override the default
-        #                         rules in ansiblelint/rules, unless -R is also used.
-        #   -R                    Use default rules in ansiblelint/rules in addition to
-        #                         any extra
-        #                         rules directories specified with -r. There is no need
-        #                         to specify this if no -r flags are used
-        #   -t TAGS               only check rules whose id/tags match these values
-        #   -x SKIP_LIST          only check rules whose id/tags do not match these
-        #                         values
-        #   --nocolor             disable colored output
-        #   --exclude=EXCLUDE_PATHS
-        #                         path to directories or files to skip. This option is
-        #                         repeatable.
-        #   -c C                  Specify configuration file to use. Defaults to ".ansible-lint"
-        args: ""
+          # Options:
+          #   -q                    quieter, although not silent output
+          #   -p                    parseable output in the format of pep8
+          #   --parseable-severity  parseable output including severity of rule
+          #   -r RULESDIR           specify one or more rules directories using one or
+          #                         more -r arguments. Any -r flags override the default
+          #                         rules in ansiblelint/rules, unless -R is also used.
+          #   -R                    Use default rules in ansiblelint/rules in addition to
+          #                         any extra
+          #                         rules directories specified with -r. There is no need
+          #                         to specify this if no -r flags are used
+          #   -t TAGS               only check rules whose id/tags match these values
+          #   -x SKIP_LIST          only check rules whose id/tags do not match these
+          #                         values
+          #   --nocolor             disable colored output
+          #   --exclude=EXCLUDE_PATHS
+          #                         path to directories or files to skip. This option is
+          #                         repeatable.
+          #   -c C                  Specify configuration file to use. Defaults to ".ansible-lint"
+          args: ""
diff --git a/.github/workflows/build-publish-containers.yml b/.github/workflows/build-publish-containers.yml
@@ -25,7 +25,7 @@ permissions: read-all
 jobs:
   build_and_publish:
     name: Build and publish image
-    #runs-on: self-hosted
+    # runs-on: self-hosted
     runs-on: ubuntu-24.04-arm
     timeout-minutes: 720
     permissions:
@@ -77,7 +77,7 @@ jobs:
           echo DOCKERFILE=Dockerfile.EESSI-${tag//:/-} >> $GITHUB_ENV
 
       - name: Build and push to GitHub Packages
-        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 #v3.2.0
+        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3.2.0
         with:
           tags: ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }}-${{ matrix.platform }}
           file: containers/${{ env.DOCKERFILE }}

diff --git a/.github/workflows/build-test-release-client-packages.yml b/.github/workflows/build-test-release-client-packages.yml
@@ -49,19 +49,25 @@ jobs:
         uses: bpicode/github-action-fpm@7502b06a5a58390398d4002bd284f8cb3caae6eb
         with:
           fpm_args: "etc"
-          fpm_opts: "--debug -n cvmfs-config-eessi -v ${{ steps.get_version.outputs.version }} -t rpm -a all -s dir -C ./package --description 'CVMFS configuration package for EESSI.'"
+          fpm_opts: >
+            --debug -n cvmfs-config-eessi -v ${{ steps.get_version.outputs.version }} -t rpm -a all -s dir
+            -C ./package --description 'CVMFS configuration package for EESSI.'
 
       - name: Build Deb package
         uses: bpicode/github-action-fpm@7502b06a5a58390398d4002bd284f8cb3caae6eb
         with:
           fpm_args: "etc"
-          fpm_opts: "--debug -n cvmfs-config-eessi -v ${{ steps.get_version.outputs.version }} -t deb -a all -s dir -C ./package --description 'CVMFS configuration package for EESSI.'"
+          fpm_opts: >
+            --debug -n cvmfs-config-eessi -v ${{ steps.get_version.outputs.version }} -t deb -a all -s dir
+            -C ./package --description 'CVMFS configuration package for EESSI.'
 
       - name: Build tar package
         uses: bpicode/github-action-fpm@7502b06a5a58390398d4002bd284f8cb3caae6eb
         with:
           fpm_args: "etc"
-          fpm_opts: "--debug -n cvmfs-config-eessi-${{ steps.get_version.outputs.version }} -t tar -a all -s dir -C ./package --description 'CVMFS configuration package for EESSI.'"
+          fpm_opts: >
+            --debug -n cvmfs-config-eessi-${{ steps.get_version.outputs.version }} -t tar -a all -s dir
+            -C ./package --description 'CVMFS configuration package for EESSI.'
 
       - name: Upload packages as build artifacts
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
@@ -103,7 +109,9 @@ jobs:
 #        run: gem install --no-document fpm
 #
 #      - name: Build package
-#        run: "fpm --debug -n cvmfs-config-eessi -v ${{ steps.get_version.outputs.version }} -t osxpkg -a all -s dir -C ./package --description 'CVMFS configuration package for EESSI.' etc"
+#        run: >
+#          fpm --debug -n cvmfs-config-eessi -v ${{ steps.get_version.outputs.version }} -t osxpkg -a all -s dir
+#          -C ./package --description 'CVMFS configuration package for EESSI.' etc
 #
 #      - name: Find filename of generated package
 #        id: find_filename
@@ -192,7 +200,7 @@ jobs:
         run: echo "CVMFS_CLIENT_PROFILE=single" | tee /etc/cvmfs/default.local
 
       - name: Mount the repositories
-        #run: cvmfs_config setup
+        # run: cvmfs_config setup
         run: mkdir -p /cvmfs/software.eessi.io && mount -t cvmfs software.eessi.io /cvmfs/software.eessi.io
 
       - name: Test repository access
@@ -273,7 +281,7 @@ jobs:
 #        run: ls /Users/Shared/cvmfs/software.eessi.io/
 
   release:
-    #needs: [build-linux-packages, build-macos-package, test-deb-package, test-rpm-package, test-macos-package, test-tar-package]
+    # needs: [build-linux-packages, build-macos-package, test-deb-package, test-rpm-package, test-macos-package, test-tar-package]
     needs: [build-linux-packages, test-deb-package, test-rpm-package, test-tar-package]
     if: startsWith(github.ref, 'refs/tags/')
     runs-on: ubuntu-latest
@@ -351,8 +359,10 @@ jobs:
           tag: latest
           name: Filesystem Layer latest release
           body: |
-            Filesystem Layer release ${{ steps.find_version.outputs.version }} (see: https://github.com/${{github.repository}}/releases/tag/${{ steps.find_version.outputs.version }})
+            Filesystem Layer release ${{ steps.find_version.outputs.version }}
+            (see: https://github.com/${{github.repository}}/releases/tag/${{ steps.find_version.outputs.version }})
 
-            This `latest` tag is a moving tag that is updated automatically for each release, and provides easy access to the latest `cvmfs-config-eessi` packages.
+            This `latest` tag is a moving tag that is updated automatically for each release,
+            and provides easy access to the latest `cvmfs-config-eessi` packages.
           files: ${{ steps.find_filenames.outputs.package_filenames }}
           gzip: false
diff --git a/.github/workflows/check-stratum-servers.yml b/.github/workflows/check-stratum-servers.yml
@@ -9,7 +9,7 @@ on:
       - main
   schedule:
     # * is a special character in YAML so you have to quote this string
-    - cron:  '30 5 * * *'
+    - cron: '30 5 * * *'
 
 # Declare default permissions as read only.
 permissions: read-all
@@ -39,4 +39,4 @@ jobs:
           SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
           SLACK_MESSAGE: ${{ env.STRATUM_ERRORS }}
           SLACK_COLOR: 'danger'
-          SLACK_FOOTER: 
+          SLACK_FOOTER:
diff --git a/.github/workflows/test-playbooks.yml b/.github/workflows/test-playbooks.yml
@@ -1,4 +1,4 @@
-name: Test Ansible Playbooks
+name: Test Ansible Playbooks # noqa: syntax-check[specific]
 
 on:
   push:

diff --git a/prepare-client-packages.yml b/prepare-client-packages.yml
@@ -9,19 +9,19 @@
     package_source_dir: "{{ lookup('env', 'GITHUB_WORKSPACE') | default('/tmp', True) }}/package"
   tasks:
     - name: Check the number of defined domains (should be one!)
-      fail:
+      ansible.builtin.fail:
         msg: "Cannot build a client package when eessi_cvmfs_server_urls contains different domains"
       when: eessi_cvmfs_server_urls | selectattr('domain') | list | unique | count > 1
 
     - name: Determine domain name
-      set_fact:
+      ansible.builtin.set_fact:
         eessi_domain: "{{ eessi_cvmfs_server_urls[0].domain }}"
 
     - name: Create directory structure for the CVMFS config
-      file:
+      ansible.builtin.file:
         path: "{{ item }}"
         state: directory
-        mode: 0775
+        mode: "0775"
       with_items:
         - "{{ package_source_dir }}"
         - "{{ package_source_dir }}/etc"
@@ -31,17 +31,17 @@
         - "{{ package_source_dir }}/etc/cvmfs/domain.d"
 
     - name: Make EESSI CVMFS public key files
-      copy:
+      ansible.builtin.copy:
         content: "{{ item.key }}"
         dest: "{{ package_source_dir }}{{ item.path }}"
-        mode: 0644
+        mode: "0644"
       with_items: "{{ eessi_cvmfs_keys }}"
 
     - name: Make EESSI CVMFS domain configuration file
-      copy:
+      ansible.builtin.copy:
         content: |
           # Stratum 1 servers for the eessi.io domain
-          CVMFS_SERVER_URL="{{ item.urls|join(';') }}"
+          CVMFS_SERVER_URL="{{ item.urls | join(';') }}"
 
           # Public keys for the eessi.io domain
           CVMFS_KEYS_DIR="/etc/cvmfs/keys/{{ item.domain }}"
@@ -59,5 +59,5 @@
           fi
 
         dest: "{{ package_source_dir }}/etc/cvmfs/domain.d/{{ item.domain }}.conf"
-        mode: 0644
+        mode: "0644"
       with_items: "{{ eessi_cvmfs_server_urls }}"
diff --git a/requirements.yml b/requirements.yml
@@ -1,11 +1,12 @@
 ---
-
 # ansible-galaxy role install -r requirements.yml
 roles:
-
   - name: eessi.cvmfs
     src: https://github.com/EESSI/ansible-cvmfs
     version: 34b6e07
-
   - name: geerlingguy.repo-epel
-    version: 3.0.0
+    version: 3.1.1
+
+collections:
+  - name: community.general
+    version: '>=8.6.1'
diff --git a/roles/create_cvmfs_content_structure/defaults/main.yml b/roles/create_cvmfs_content_structure/defaults/main.yml
@@ -1,3 +1,3 @@
-cvmfs_start_transaction: true
-cvmfs_publish_transaction: true
-cvmfs_abort_transaction_on_failures: true
+create_cvmfs_content_structure_start_transaction: true
+create_cvmfs_content_structure_publish_transaction: true
+create_cvmfs_content_structure_abort_transaction_on_failures: true
diff --git a/roles/create_cvmfs_content_structure/tasks/do_repo.yml b/roles/create_cvmfs_content_structure/tasks/do_repo.yml
@@ -5,44 +5,54 @@
   ansible.builtin.include_vars: "{{ cvmfs_repo }}.yml"
 
 - name: Start transaction
-  ansible.builtin.command: "cvmfs_server transaction {{ cvmfs_repo }}"
-  when: cvmfs_start_transaction
+  ansible.builtin.command:
+    cmd: "cvmfs_server transaction {{ cvmfs_repo }}"
+    creates: "/var/spool/cvmfs/{{ cvmfs_repo }}/in_transaction.lock"
+  when: create_cvmfs_content_structure_start_transaction
 
 - name: Apply changes to CVMFS repository, if there are any
   block:
-  - name: "Create symlinks"
-    ansible.builtin.file:
-      path: "/cvmfs/{{ cvmfs_repo }}/{{ item }}"
-      src: "{{ symlinks[item] }}"
-      state: link
-      force: true
-    with_items: "{{ symlinks }}"
-    register: create_symlinks
-
-  - name: "Copy files"
-    ansible.builtin.copy:
-      src: "{{ item.name }}"
-      dest: "/cvmfs/{{ cvmfs_repo }}/{{ item.dest }}"
-      mode: "{{ item.mode }}"
-    with_items: "{{ files }}"
-    register: create_files
-
-  - name: Publish transaction
-    ansible.builtin.command: "cvmfs_server publish {{ cvmfs_repo }}"
-    when:
-      - cvmfs_start_transaction
-      - cvmfs_publish_transaction
-      - create_symlinks.changed or create_files.changed
-    register: publish
-
-  - name: Abort transaction
-    ansible.builtin.command: "cvmfs_server abort {{ cvmfs_repo }}"
-    when: publish is skipped
+    - name: "Create symlinks"
+      ansible.builtin.file:
+        path: "/cvmfs/{{ cvmfs_repo }}/{{ item }}"
+        src: "{{ symlinks[item] }}"
+        state: link
+        force: true
+      with_items: "{{ symlinks }}"
+      register: create_symlinks
+
+    - name: "Copy files"
+      ansible.builtin.copy:
+        src: "{{ item.name }}"
+        dest: "/cvmfs/{{ cvmfs_repo }}/{{ item.dest }}"
+        mode: "{{ item.mode }}"
+      with_items: "{{ files }}"
+      register: create_files
+
+    - name: Publish transaction
+      ansible.builtin.command:
+        cmd: "cvmfs_server publish {{ cvmfs_repo }}"
+        removes: "/var/spool/cvmfs/{{ cvmfs_repo }}/in_transaction.lock"
+      when:
+        - create_cvmfs_content_structure_start_transaction
+        - create_cvmfs_content_structure_publish_transaction
+        - create_symlinks.changed or create_files.changed
+      register: publish
+
+    - name: Abort transaction
+      ansible.builtin.command:
+        cmd: "cvmfs_server abort {{ cvmfs_repo }}"
+        removes: "/var/spool/cvmfs/{{ cvmfs_repo }}/in_transaction.lock"
+      when: publish is skipped
 
   rescue:
     - name: Abort transaction
-      ansible.builtin.command: "cvmfs_server abort {{ cvmfs_repo }}"
-      when: cvmfs_start_transaction and cvmfs_abort_transaction_on_failures
+      ansible.builtin.command:
+        cmd: "cvmfs_server abort {{ cvmfs_repo }}"
+        removes: "/var/spool/cvmfs/{{ cvmfs_repo }}/in_transaction.lock"
+      when:
+        - create_cvmfs_content_structure_start_transaction
+        - create_cvmfs_content_structure_abort_transaction_on_failures
 
     - name: Exit because of failure
       ansible.builtin.fail:

diff --git a/roles/create_cvmfs_content_structure/vars/pilot.eessi-hpc.org.yml b/roles/create_cvmfs_content_structure/vars/pilot.eessi-hpc.org.yml
@@ -1,11 +1,11 @@
 # Specifications of files and symlinks for the pilot.eessi-hpc.org CVMFS repository.
 # Paths for files and symlinks should be relative to the root of the repository.
 ---
-files:
+files: # noqa: var-naming[no-role-prefix]
   - name: .cvmfsdirtab
     dest: ''
     mode: '644'
 
-symlinks:
+symlinks:  # noqa: var-naming[no-role-prefix]
   latest: versions/2021.12
   host_injections: '$(EESSI_HOST_INJECTIONS:-/opt/eessi)'