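# tox configuration: lint the Ansible resources and audit the locked
# dependencies for known vulnerabilities.

[tox]
envlist = ansible, security
# Nothing is packaged; the environments only run tooling against the repo.
skipsdist = true

[testenv]
# NOTE(review): these two keys look like tox-poetry-installer settings that
# force every environment to install from poetry.lock - confirm the plugin is
# a declared requirement, otherwise tox ignores them silently.
require_locked_deps = true
require_poetry = true
setenv =
    ANSIBLE_CONFIG = {toxinidir}/ansible.cfg
# NOTE(review): newer tox releases name this key allowlist_externals; check
# the tox version in use before upgrading.
whitelist_externals =
    bash

[testenv:ansible]
description = Lint ansible resources
locked_deps =
    ansible-core
    ansible-lint
    yamllint
    pre-commit
    pre-commit-hooks
    mdformat
    mdformat-gfm
# ansible-lint is run through bash so the shell expands the
# skylab/*/playbooks/ glob.
commands =
    yamllint --config-file {toxinidir}/.yamllintrc.yaml \
        {toxinidir}/skylab/ \
        {toxinidir}/inventory.yaml \
        {toxinidir}/requirements.yaml
    bash -c "ansible-lint -c {toxinidir}/.ansible-lint.yaml \
        {toxinidir}/skylab/*/playbooks/"
    pre-commit run --all-files

[testenv:security]
description = Check security parameters
# Later commands still run after one fails. tox still reports the environment
# as failed when any command exits non-zero, so a finding from safety is not
# hidden by this setting.
ignore_errors = true
locked_deps =
    poetry
    safety
# The export (including the dev group) is written to the environment's temp
# directory and only read by safety; it is never installed from, which is why
# it is exported without hashes.
#
# Ignored advisories (safety IDs). Each ignore stays in force until it is
# removed: re-check on every dependency bump whether a fixed release exists
# and drop the ID once it does.
#   42923 - unfixed CVE-2021-3532 from ansible
#   51457 - https://github.com/pytest-dev/py/issues/287#issuecomment-1283567565
# These notes are kept out of the backslash-continued command below so the
# command line does not depend on how the parser treats comment lines inside
# a continuation.
commands =
    poetry export --format requirements.txt --without-hashes --with dev --output {envtmpdir}/req.txt
    safety check --output text --file {envtmpdir}/req.txt \
        --ignore 42923 \
        --ignore 51457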