From 2dbcac11a0c5897c29a3d368a51413113523cc5d Mon Sep 17 00:00:00 2001
From: sjat
Date: Wed, 10 Jun 2026 12:51:30 +0200
Subject: [PATCH] chore(tooling): scope ansible-lint to ansible content; venv PATH in make test
Kaizen 2026-06-10 fixes:
- ansible-lint pre-commit hook now `always_run: false` + a files filter for roles/playbooks/inventories YAML, so docs-/config-only commits skip it and no longer need `rbw unlock` (root cause was ansible-lint auto-decrypting the group_vars vault, not the syntax-check).
- `make test`/`test-all` prepend $(CURDIR)/.venv/bin to PATH so non-activated agent runs find ansible-config/ansible-playbook.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .pre-commit-config.yaml | 9 +++++++++
 Makefile | 4 ++--
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 39c4698..3fb52e4 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -19,6 +19,15 @@ repos:
 rev: v24.12.2 # keep in sync with requirements.txt
 hooks:
 - id: ansible-lint
+ # Only run on Ansible content. ansible-lint loads the play context, which
+ # auto-decrypts inventories/*/group_vars/all/vault.yml via the wired
+ # vault_password_file (→ rbw) — so it needs `rbw unlock`. The upstream hook is
+ # always_run+pass_filenames:false (lints the whole project, every commit); we
+ # override always_run:false and add a files filter so docs-/config-only commits
+ # skip it (no vault needed). pass_filenames stays false → still a project lint
+ # when any Ansible file is staged.
+ always_run: false
+ files: ^(roles|playbooks|inventories)/.*\.ya?ml$
 additional_dependencies:
 - ansible-core==2.17.* # pin (not >=) — keep in sync with requirements.txt
diff --git a/Makefile b/Makefile
index 3f00912..1b4bca3 100644
--- a/Makefile
+++ b/Makefile
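Review bot: In .pre-commit-config.yaml the new `files: ^(roles|playbooks|inventories)/.*\.ya?ml$` filter triggers ansible-lint only for YAML, so a commit that touches only non-YAML content under those directories (templates or scripts inside a role, for example) now skips the project-wide lint. Because `pass_filenames` stays false, the pattern only decides when the hook runs, not what it lints, so it can be widened to `files: ^(roles|playbooks|inventories)/` without changing lint scope. Ansible or lint configuration kept outside those three directories would also need listing if the repository has any; that is not visible from this hunk. With the local hook now skippable by construction, an unconditional ansible-lint run in CI (if one exists; not shown here) is what actually enforces the rule set.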
@@ -75,12 +75,12 @@ test:
 ifndef ROLE
 $(error ROLE is required: make test ROLE=)
 endif
- cd roles/$(ROLE) && ../../$(MOLECULE) test
+ cd roles/$(ROLE) && PATH="$(CURDIR)/$(VENV)/bin:$$PATH" molecule test
 test-all:
 @for role in roles/*/; do \
 echo "── Testing $$role ──"; \
- cd $$role && ../../$(MOLECULE) test; cd ../..; \
+ cd $$role && PATH="$(CURDIR)/$(VENV)/bin:$$PATH" molecule test; cd ../..; \
 done
 # ── Playbook execution ────────────────────────────────────────────────────────
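Review bot: Both new recipe lines call a bare `molecule`, so when `$(CURDIR)/$(VENV)/bin` is missing or has no molecule installed the shell silently falls through to whatever `molecule` sits later on the caller's PATH, where the old `../../$(MOLECULE)` failed outright. Keeping the explicit binary and adding only the PATH prefix preserves that pin: `cd roles/$(ROLE) && PATH="$(CURDIR)/$(VENV)/bin:$$PATH" ../../$(MOLECULE) test`, and the same inside the `test-all` loop. The definitions of `VENV` and `MOLECULE` are outside the hunk, so this assumes `MOLECULE` still points into the venv. In `test-all`, `cd $$role && …; cd ../..` still runs `cd ../..` when the first `cd` fails and discards each role's exit status, so a failing role does not fail the target; a subshell such as `( cd $$role && … ) || exit 1` would address both.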