Enable yamllint + key ordering + refresh super-linter (#874)

* enable yamllint + key ordering

key-ordering: ignore every file except dnf_repo_timestamps.yml

* yamllint: disable line-length for the moment

* make super-linter use the .yamllint.yml

* fix harmless yamllint warning 'on' is truthy value

* fix harmless yamllint warning about whitespaces

* fix harmless yamllint warning True for env var

* fix harmless yamllint warning missing eol at eof

* yamllint: ignore filebeat.yml: jinja syntax

* Bump super-linter 8.3.2

Disable BIOME linter

* Disable zizmor linter for now

It should be re-enabled later

* Markdown: remove empty line before lists

* Fix case for common terms (textlint)

* fix pylint and flake8 issues

* Markdown: ignore more rules

* fix black linting warnings

* Disable trivy for now

Author: elelaysh

.github/linters/.markdown-lint.yml

@@ -0,0 +1,28 @@
+---
+# Default state for all rules
+default: true
+
+# MD059/descriptive-link-text : Link text should be descriptive : https://github.com/DavidAnson/markdownlint/blob/v0.40.0/doc/md059.md
+# we often use [here](https://...)
+MD059: false
+
+# MD013/line-length : Line length : https://github.com/DavidAnson/markdownlint/blob/v0.40.0/doc/md013.md
+# we wrote without this rule, so don't reformat just for the sake of it now.
+MD013:
+  line_length: 524
+
+# MD024/no-duplicate-heading : Multiple headings with the same content : https://github.com/DavidAnson/markdownlint/blob/v0.40.0/doc/md024.md
+MD024:
+  # Only check sibling headings
+  siblings_only: true
+
+# MD029/ol-prefix
+# the linter gets confused by blocks of code
+MD029: false
+
+# MD031/blanks-around-fences Fenced code blocks should be surrounded by blank lines
+# doesn't matter to github renderer
+MD031: false
+
+# MD036/no-emphasis-as-heading Emphasis used instead of a heading
+MD036: false

.github/workflows/extra.yml

@@ -5,7 +5,7 @@
 # See the workflow file 'main.yml' for how this is CI triggered.
 
 name: Test extra build
-on:
+'on':
   workflow_call:
   workflow_dispatch:
 
@@ -25,14 +25,14 @@ jobs:
         build:
           - image_name: openhpc-extra-RL8
             source_image_name_key: RL8 # key into environments/.stackhpc/tofu/cluster_image.auto.tfvars.json
-            inventory_groups: doca,cuda # lustre disabled due to https://github.com/stackhpc/ansible-slurm-appliance/pull/759 
+            inventory_groups: doca,cuda # lustre disabled due to https://github.com/stackhpc/ansible-slurm-appliance/pull/759
             volume_size: 35 # needed for cuda
           - image_name: openhpc-extra-RL9
             source_image_name_key: RL9
             inventory_groups: doca,cuda,lustre
             volume_size: 35 # needed for cuda
     env:
-      ANSIBLE_FORCE_COLOR: True
+      ANSIBLE_FORCE_COLOR: 'true'
       OS_CLOUD: openstack
       CI_CLOUD: ${{ vars.CI_CLOUD }} # default from repo settings
       ARK_PASSWORD: ${{ secrets.ARK_PASSWORD }}

.github/workflows/fatimage.yml

@@ -1,23 +1,23 @@
 name: Build fat image
-on:
+'on':
   workflow_dispatch:
-      # checkov:skip=CKV_GHA_7: "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. "
-      inputs:
-        ci_cloud:
-          description: 'Select the CI_CLOUD'
-          required: true
-          type: choice
-          options:
-            - default
-            - LEAFCLOUD
-            - SMS
-            - ARCUS
-          default: default # Use repo CI_CLOUD setting
-        cleanup_on_failure:
-          description: Cleanup Packer resources on failure
-          type: boolean
-          required: true
-          default: true
+    # checkov:skip=CKV_GHA_7: "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. "
+    inputs:
+      ci_cloud:
+        description: 'Select the CI_CLOUD'
+        required: true
+        type: choice
+        options:
+          - default
+          - LEAFCLOUD
+          - SMS
+          - ARCUS
+        default: default # Use repo CI_CLOUD setting
+      cleanup_on_failure:
+        description: Cleanup Packer resources on failure
+        type: boolean
+        required: true
+        default: true
 
 permissions:
   contents: read
@@ -43,7 +43,7 @@ jobs:
             source_image_name: Rocky-9-GenericCloud-Base-9.7-20251123.2.x86_64.qcow2
             inventory_groups: fatimage
     env:
-      ANSIBLE_FORCE_COLOR: True
+      ANSIBLE_FORCE_COLOR: 'true'
       OS_CLOUD: openstack
       CI_CLOUD: ${{ github.event.inputs.ci_cloud == 'default' && vars.CI_CLOUD || github.event.inputs.ci_cloud }}
       ARK_PASSWORD: ${{ secrets.ARK_PASSWORD }}

.github/workflows/lint.yml

@@ -1,7 +1,7 @@
 ---
 name: Lint
 
-on:  # yamllint disable-line rule:truthy
+'on':
   workflow_call:
 
 permissions:
@@ -43,7 +43,7 @@ jobs:
         if: always()
 
       - name: Run super-linter
-        uses: super-linter/super-linter@v7.3.0
+        uses: super-linter/super-linter@v8.3.2
         if: always()
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/main.yml

@@ -22,15 +22,15 @@ permissions:
   # upload trivy scan results
   security-events: write
 
-on:
+'on':
   push:
     branches:
       - main
   pull_request:
 
 concurrency:
-    group: ${{ github.workflow }}-${{ github.head_ref }}
-    cancel-in-progress: true
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
 
 jobs:
   lint:
@@ -43,18 +43,18 @@ jobs:
     runs-on: ubuntu-24.04
     # Map a step output to a job output, this allows other jobs to be gated on the filter results
     outputs:
-        # The 'stackhpc' output will be 'true' if either of the two stackhpc filters below matched
-        stackhpc: ${{ toJson(fromJson(steps.filter_on_every.outputs.stackhpc) || fromJson(steps.filter_on_some.outputs.stackhpc)) }}
-        extra_on_push: ${{ steps.filter_on_some.outputs.extra_on_push }}
-        extra_on_pull_request: ${{ steps.filter_on_some.outputs.extra_on_pull_request }}
-        trivyscan: ${{ steps.filter_on_some.outputs.trivyscan }}
+      # The 'stackhpc' output will be 'true' if either of the two stackhpc filters below matched
+      stackhpc: ${{ toJson(fromJson(steps.filter_on_every.outputs.stackhpc) || fromJson(steps.filter_on_some.outputs.stackhpc)) }}
+      extra_on_push: ${{ steps.filter_on_some.outputs.extra_on_push }}
+      extra_on_pull_request: ${{ steps.filter_on_some.outputs.extra_on_pull_request }}
+      trivyscan: ${{ steps.filter_on_some.outputs.trivyscan }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
         # NOTE: We're detecting the changed files within a job so that we can gate execution of other jobs.
         #       We use dorny/paths-filter which doesn't work like the conventional 'paths' and 'paths_exclude',
-        #       we can't do the following: 
+        #       we can't do the following:
         # paths:
         #   - '**'
         #   - '!dev/**'

.github/workflows/nightly-cleanup.yml

@@ -1,5 +1,5 @@
 name: Cleanup CI clusters
-on:
+'on':
   workflow_dispatch:
   schedule:
     - cron: '0 21 * * *'  # Run at 9PM - image sync runs at midnight

.github/workflows/nightlybuild.yml

@@ -1,16 +1,16 @@
 name: Build nightly image
-on:
+'on':
   workflow_dispatch:
-      # checkov:skip=CKV_GHA_7: "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. "
-      inputs:
-        ci_cloud:
-          description: 'Select the CI_CLOUD'
-          required: true
-          type: choice
-          options:
-            - LEAFCLOUD
-            - SMS
-            - ARCUS
+    # checkov:skip=CKV_GHA_7: "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. "
+    inputs:
+      ci_cloud:
+        description: 'Select the CI_CLOUD'
+        required: true
+        type: choice
+        options:
+          - LEAFCLOUD
+          - SMS
+          - ARCUS
   # schedule:
   #   - cron: '0 0 * * *'  # Run at midnight on default branch
 
@@ -38,7 +38,7 @@ jobs:
             source_image_name: Rocky-9-GenericCloud-Base-9.4-20240523.0.x86_64.qcow2
             inventory_groups: update
     env:
-      ANSIBLE_FORCE_COLOR: True
+      ANSIBLE_FORCE_COLOR: 'true'
       OS_CLOUD: openstack
       CI_CLOUD: ${{ github.event.inputs.ci_cloud || vars.CI_CLOUD }}
       ARK_PASSWORD: ${{ secrets.ARK_PASSWORD }}

.github/workflows/release-image.yml

@@ -1,5 +1,5 @@
 name: Release images
-on:
+'on':
   workflow_dispatch:
   release:
     types:
@@ -34,11 +34,11 @@ jobs:
         run: |
           sudo apt-get update
           sudo apt-get --yes install s3cmd
-      
+
       - name: Retrieve image name
         run: |
           TARGET_IMAGE=$(jq --arg version "${{ matrix.build }}" -r '.cluster_image[$version]' "${{ env.IMAGE_PATH }}")
           echo "TARGET_IMAGE=${TARGET_IMAGE}" >> "$GITHUB_ENV"
-      
+
       - name: Copy image from pre-release to release bucket
         run: s3cmd cp s3://openhpc-images-prerelease/${{ env.TARGET_IMAGE }} s3://openhpc-images

.github/workflows/s3-image-sync.yml

@@ -1,5 +1,5 @@
 name: Upload CI-tested images to Leafcloud S3 and sync clouds
-on:
+'on':
   workflow_dispatch:
   push:
     branches:
@@ -35,7 +35,7 @@ jobs:
         run: |
           sudo apt-get update
           sudo apt-get --yes install s3cmd
-      
+
       - name: Cleanup S3 bucket
         run: |
           s3cmd rm s3://${{ env.S3_BUCKET }} --recursive --force
@@ -51,7 +51,7 @@ jobs:
           - RL8
           - RL9
     env:
-      ANSIBLE_FORCE_COLOR: True
+      ANSIBLE_FORCE_COLOR: 'true'
       OS_CLOUD: openstack
       CI_CLOUD: ${{ vars.CI_CLOUD }}
     outputs:
@@ -130,11 +130,11 @@ jobs:
         build:
           - RL8
           - RL9
-        exclude: 
+        exclude:
           - cloud: ${{ needs.image_upload.outputs.ci_cloud }}
 
     env:
-      ANSIBLE_FORCE_COLOR: True
+      ANSIBLE_FORCE_COLOR: 'true'
       OS_CLOUD: openstack
       CI_CLOUD: ${{ matrix.cloud }}
     steps:

.github/workflows/stackhpc.yml

@@ -5,7 +5,7 @@
 # See the workflow file 'main.yml' for how this is CI triggered.
 
 name: Test deployment and reimage on OpenStack
-on:
+'on':
   workflow_call:
   workflow_dispatch:
 
@@ -26,7 +26,7 @@ jobs:
           - RL8
           - RL9
     env:
-      ANSIBLE_FORCE_COLOR: True
+      ANSIBLE_FORCE_COLOR: 'true'
       OS_CLOUD: openstack
       TF_VAR_cluster_name: slurmci-${{ matrix.os_version }}-${{ github.run_number }}
       CI_CLOUD: ${{ vars.CI_CLOUD }} # default from repo settings
@@ -37,7 +37,7 @@ jobs:
       - name: Find the latest release
         run: |
           echo "LATEST_RELEASE_TAG=$(curl -s https://api.github.com/repos/stackhpc/ansible-slurm-appliance/releases/latest | jq -r .tag_name)" >> "$GITHUB_ENV"
-      
+
       - name: Checkout latest release
         uses: actions/checkout@v4
         with:
@@ -82,7 +82,7 @@ jobs:
       - name: Install ansible, pip and galaxy requirements
         run: dev/setup-env.sh
         env:
-           PYTHON_VERSION: python3 # overrides os-release discovery logic
+          PYTHON_VERSION: python3  # overrides os-release discovery logic
 
       - name: Install OpenTofu
         uses: opentofu/[email protected]
@@ -175,7 +175,7 @@ jobs:
           cd "$STACKHPC_TF_DIR"
           tofu init
           tofu apply -auto-approve -var-file="${{ env.CI_CLOUD }}.tfvars"
-          
+
       - name: Configure cluster using current branch
         run: |
           . venv/bin/activate
@@ -245,7 +245,7 @@ jobs:
       - name: Delete possible volume snapshot from slurm upgrade
         run: |
           . venv/bin/activate
-          . environments/.stackhpc/activate  
+          . environments/.stackhpc/activate
           if [ -n "$SNAPSHOT" ]
           then
               echo "Deleting $SNAPSHOT"