name: Lint Ansible play books

on:
  workflow_call:

jobs:
  lint-ansible:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
          sparse-checkout: |
            ansible
            pyproject.toml
            uv.lock

      - name: Install uv
        uses: astral-sh/setup-uv@v6
        with:
          enable-cache: true
          cache-dependency-glob: "uv.lock"
          activate-environment: true

      - name: Install dependencies
        run: uv sync --frozen --only-group ansible

      - name: Cache Ansible dependencies
        id: cache-ansible
        uses: actions/cache@v4
        with:
          path: ansible/.ansible
          key: ansible-${{ runner.os }}-${{ hashFiles('pyproject.toml', 'uv.lock', 'ansible/roles/requirements.yml') }}

      - name: Install Ansible Galaxy dependencies
        run: cd ansible && ansible-galaxy install -r roles/requirements.yml

      - name: Run ansible lint
        run: |
          cd ansible
          # Remove any Vaulted files and Vault configuration
          grep -R '$ANSIBLE_VAULT;' --files-with-matches . | xargs rm
          sed --in-place '/vault_password_file/d' ansible.cfg
          ansible-lint --exclude .ansible