Description
Findings from auditing the workflow files, plugins, and supporting infrastructure.
Workflow duplication — `.github/workflows/` and `.gitea/workflows/` maintain near-identical copies of every workflow. Gitea Actions supports GitHub Actions syntax, so these should be consolidated to a single set. The only true divergence is the artifact upload action (`actions/upload-artifact@v4` vs `christopherhx/gitea-upload-artifact@v4`), which is already handled inside the `collect-diagnostics` composite action via a `github.server_url` branch.
Setup boilerplate in every workflow job — every molecule job repeats ~5 identical steps: `uv pip install`, set `ANSIBLE_COLLECTIONS_PATH`, copy workspace into collections path, `ansible-galaxy collection install` from internal cache, SSH key setup and teardown. A `setup-collection` composite action would reduce each workflow from ~40 steps to ~10-12 and centralise dependency management.
Missing workflow — `test_elasticsearch_custom_certs.yml` exists in `.github/workflows/` but not `.gitea/workflows/`. Custom cert tests don't run on Gitea CI.
cert_info module docstrings — `plugins/modules/cert_info.py` lacks DOCUMENTATION/EXAMPLES/RETURN docstrings. This is why `--skip-test validate-modules` is required in the sanity CI job. Adding standard docstrings would allow removing that skip.
cert_info could be replaced — if the role is refactored to always inspect PEM certs for expiry checks (which it already supports as a first-class path), `community.crypto.x509_certificate_info` replaces the custom module entirely, removing PKCS12 handling code and cryptography version shims.
modules/README.md is stale — lists tested versions up to cryptography 40.0.1, Python 3.10, and ansible-core 2.14. CI now tests up to cryptography 46.0.4, Python 3.12, and ansible-core 2.20.
test_api.py references missing api.py — `tests/unit/plugins/module_utils/test_api.py` imports `plugins/module_utils/api.py` which does not exist in the repository. The test is not run by CI (only `test_cert_info.py` and `test_certs.py` are), but it is dead code that should either get its module added or be removed.
test_cert_info.py fixture cert expiring — the test hardcodes `not_valid_after: 2026-03-28` from the fixture P12 file. The cert expires in about 4 weeks. The test should either not assert on the date value, or the fixture cert should be regenerated with a longer validity period.
Old virtualenv — `venv/` at the repo root is an older, redundant virtualenv alongside the active `.venv/`. Can be deleted.
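An added example, not part of the issue or the repository's own code: a drift check for the duplicated workflow directories described in the workflow duplication and missing workflow findings, usable as a guard until the two sets are consolidated. The function names, the sample file names other than `test_elasticsearch_custom_certs.yml`, and the sample contents are constructed for illustration; treating a direct reference to the Gitea upload action as equivalent to the GitHub one is an assumption.

```python
import sys
import tempfile
from pathlib import Path

# Assumption: a workflow that references the Gitea upload action directly is
# equivalent to its GitHub twin, so that one substitution is not drift.
EXPECTED = {"christopherhx/gitea-upload-artifact@v4": "actions/upload-artifact@v4"}


def load(repo: Path, sub: str) -> dict:
    """Map workflow file name -> normalised lines for one forge directory."""
    out = {}
    for p in sorted((repo / sub / "workflows").glob("*.y*ml")):
        text = p.read_text(encoding="utf-8")
        for gitea, github in EXPECTED.items():
            text = text.replace(gitea, github)
        out[p.name] = [line.rstrip() for line in text.splitlines()]
    return out


def workflow_drift(repo: Path) -> dict:
    """Return workflows missing on either side and pairs whose content differs."""
    gh, gt = load(repo, ".github"), load(repo, ".gitea")
    return {
        "missing_in_gitea": sorted(gh.keys() - gt.keys()),
        "missing_in_github": sorted(gt.keys() - gh.keys()),
        "content_differs": sorted(n for n in gh.keys() & gt.keys() if gh[n] != gt[n]),
    }


def demo() -> dict:
    """Run the check on a constructed layout (sample data, not the real repo)."""
    files = {
        ".github/workflows/test_elasticsearch_custom_certs.yml": "name: certs\n",
        ".github/workflows/sanity.yml": "- uses: actions/upload-artifact@v4\n",
        ".gitea/workflows/sanity.yml": "- uses: christopherhx/gitea-upload-artifact@v4\n",
        ".github/workflows/molecule.yml": "env: {PY: '3.12'}\n",
        ".gitea/workflows/molecule.yml": "env: {PY: '3.10'}\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return workflow_drift(Path(tmp))


if __name__ == "__main__":  # CI use: exit non-zero when any drift is found
    report = workflow_drift(Path(sys.argv[1] if len(sys.argv) > 1 else "."))
    sys.exit(f"workflow drift: {report}" if any(report.values()) else 0)
```

Run from the repository root (or pass the root as the first argument); a missing directory is treated as an empty workflow set, so every file on the other side is reported.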