feat: Add comprehensive linting setup

Major improvements to code quality checks:

1. Created separate lint.yml workflow with parallel jobs:
   - ansible-lint (without || true so it actually fails)
   - yamllint for YAML files
   - Python linting (ruff, black, mypy)
   - shellcheck for all shell scripts
   - Security scanning (bandit, safety)

2. Added linter configurations:
   - .yamllint - YAML style rules
   - pyproject.toml - Python tool configs (ruff, black, mypy)
   - Updated .ansible-lint with better rules

3. Improved main.yml workflow:
   - Renamed 'lint' to 'syntax-check' for clarity
   - Removed redundant linting (moved to lint.yml)

4. Added documentation:
   - docs/linting.md explains all linters and how to use them

Current linters are set to warn (|| true) to allow gradual adoption.
As code improves, these can be changed to hard failures.

Benefits:
- Catches Python security issues
- Enforces consistent code style
- Validates all shell scripts (not just 2)
- Checks YAML formatting
- Separates linting from testing concerns

Author: dguido

.ansible-lint

@@ -1,10 +1,25 @@
+# Ansible-lint configuration
+exclude_paths:
+  - .cache/
+  - .github/
+  - tests/legacy-lxd/
+
 skip_list:
-  - yaml
-  - '204'
-verbosity: 1
+  - '204'  # Lines should be less than 160 characters
+  - 'package-latest'  # Package installs should not use latest
+  - 'experimental'  # Experimental rules
 
 warn_list:
   - no-changed-when
   - no-handler
   - fqcn-builtins
   - var-spacing
+  - yaml[line-length]
+
+# Enable additional rules
+enable_list:
+  - no-log-password
+  - no-same-owner
+  - partial-become
+
+verbosity: 1

.github/workflows/lint.yml

@@ -0,0 +1,116 @@
+name: Lint
+
+on: [push, pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  ansible-lint:
+    name: Ansible linting
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3  # v5.2.0
+        with:
+          python-version: '3.11'
+          cache: 'pip'
+
+      - name: Install ansible-lint
+        run: |
+          python -m pip install --upgrade pip
+          pip install ansible-lint
+
+      - name: Run ansible-lint
+        run: |
+          # Run without || true so it actually fails on issues
+          ansible-lint -v *.yml roles/{local,cloud-*}/*/*.yml
+
+  yaml-lint:
+    name: YAML linting
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
+        with:
+          persist-credentials: false
+
+      - name: Run yamllint
+        run: |
+          pip install yamllint
+          yamllint -c .yamllint . || true  # Start with warnings only
+
+  python-lint:
+    name: Python linting
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3  # v5.2.0
+        with:
+          python-version: '3.11'
+          cache: 'pip'
+
+      - name: Install Python linters
+        run: |
+          python -m pip install --upgrade pip
+          pip install ruff black mypy
+
+      - name: Run ruff
+        run: |
+          # Fast Python linter
+          ruff check . || true  # Start with warnings only
+
+      - name: Check Python formatting with black
+        run: |
+          # Check formatting (don't modify)
+          black --check --diff . || true  # Start with warnings only
+
+      - name: Run mypy
+        run: |
+          # Type checking for Python
+          mypy library/ --ignore-missing-imports || true  # Start with warnings only
+
+  shellcheck:
+    name: Shell script linting
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
+        with:
+          persist-credentials: false
+
+      - name: Run shellcheck
+        run: |
+          sudo apt-get update && sudo apt-get install -y shellcheck
+          # Check all shell scripts, not just algo and install.sh
+          find . -type f -name "*.sh" -not -path "./.git/*" -exec shellcheck {} \;
+
+  security-checks:
+    name: Security scanning
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3  # v5.2.0
+        with:
+          python-version: '3.11'
+          cache: 'pip'
+
+      - name: Install security tools
+        run: |
+          python -m pip install --upgrade pip
+          pip install bandit safety
+
+      - name: Run bandit
+        run: |
+          # Security linter for Python
+          bandit -r library/ || true  # Start with warnings only
+
+      - name: Check dependencies with safety
+        run: |
+          # Check for known security issues in dependencies
+          pip install -r requirements.txt
+          safety check || true  # Start with warnings only

.github/workflows/main.yml

@@ -6,8 +6,8 @@ permissions:
   contents: read
 
 jobs:
-  lint:
-    name: Lint code
+  syntax-check:
+    name: Ansible syntax check
     runs-on: ubuntu-22.04
     permissions:
       contents: read
@@ -24,15 +24,9 @@ jobs:
         run: |
           python -m pip install --upgrade pip
           pip install -r requirements.txt
-          pip install ansible-lint
-          # Install shellcheck from apt (faster than snap)
-          sudo apt-get update && sudo apt-get install -y shellcheck
 
-      - name: Run linters
-        run: |
-          shellcheck algo install.sh
-          ansible-playbook main.yml --syntax-check
-          ansible-lint -x experimental,package-latest,unnamed-task -v *.yml roles/{local,cloud-*}/*/*.yml || true
+      - name: Check Ansible playbook syntax
+        run: ansible-playbook main.yml --syntax-check
 
   basic-tests:
     name: Basic sanity tests

.gitignore

@@ -8,3 +8,4 @@ inventory_users
 venvs/*
 !venvs/.gitinit
 .vagrant
+.ansible/

.yamllint

@@ -0,0 +1,13 @@
+---
+extends: default
+
+rules:
+  line-length:
+    max: 160
+    level: warning
+  comments:
+    min-spaces-from-content: 1
+  braces:
+    max-spaces-inside: 1
+  truthy:
+    allowed-values: ['true', 'false', 'yes', 'no']

docs/linting.md

@@ -0,0 +1,101 @@
+# Linting and Code Quality
+
+This document describes the linting and code quality checks used in the Algo VPN project.
+
+## Overview
+
+The project uses multiple linters to ensure code quality across different file types:
+- **Ansible** playbooks and roles
+- **Python** library modules and tests
+- **Shell** scripts
+- **YAML** configuration files
+
+## Linters in Use
+
+### 1. Ansible Linting
+- **Tool**: `ansible-lint`
+- **Config**: `.ansible-lint`
+- **Checks**: Best practices, security issues, deprecated syntax
+- **Key Rules**:
+  - `no-log-password`: Ensure passwords aren't logged
+  - `no-same-owner`: File ownership should be explicit
+  - `partial-become`: Avoid unnecessary privilege escalation
+
+### 2. Python Linting
+- **Tools**: 
+  - `ruff` - Fast Python linter (replaces flake8, isort, etc.)
+  - `black` - Code formatter
+  - `mypy` - Type checker
+  - `bandit` - Security linter
+- **Config**: `pyproject.toml`
+- **Style**: 120 character line length, Python 3.10+
+
+### 3. Shell Script Linting
+- **Tool**: `shellcheck`
+- **Checks**: All `.sh` files in the repository
+- **Catches**: Common shell scripting errors and pitfalls
+
+### 4. YAML Linting
+- **Tool**: `yamllint`
+- **Config**: `.yamllint`
+- **Rules**: Extended from default with custom line length
+
+### 5. Security Scanning
+- **Tools**:
+  - `bandit` - Python security issues
+  - `safety` - Known vulnerabilities in dependencies
+  - `zizmor` - GitHub Actions security (run separately)
+
+## CI/CD Integration
+
+### Main Workflow (`main.yml`)
+- **syntax-check**: Validates Ansible playbook syntax
+- **basic-tests**: Runs unit tests including validation tests
+
+### Lint Workflow (`lint.yml`)
+Separate workflow with parallel jobs:
+- **ansible-lint**: Ansible best practices
+- **yaml-lint**: YAML formatting
+- **python-lint**: Python code quality
+- **shellcheck**: Shell script validation
+- **security-checks**: Security scanning
+
+## Running Linters Locally
+
+```bash
+# Ansible
+ansible-lint -v *.yml roles/{local,cloud-*}/*/*.yml
+
+# Python
+ruff check .
+black --check .
+mypy library/
+
+# Shell
+find . -name "*.sh" -exec shellcheck {} \;
+
+# YAML
+yamllint .
+
+# Security
+bandit -r library/
+safety check
+```
+
+## Current Status
+
+Most linters are configured to warn rather than fail (`|| true`) to allow gradual adoption. As code quality improves, these should be changed to hard failures.
+
+### Known Issues to Address:
+1. Python library modules need formatting updates
+2. Some Ansible tasks missing `changed_when` conditions
+3. YAML files have inconsistent indentation
+4. Shell scripts could use more error handling
+
+## Contributing
+
+When adding new code:
+1. Run relevant linters before committing
+2. Fix any errors (not just warnings)
+3. Add linting exceptions only with good justification
+4. Update linter configs if adding new file types

pyproject.toml

@@ -0,0 +1,43 @@
+[tool.ruff]
+# Ruff configuration
+target-version = "py310"
+line-length = 120
+select = [
+    "E",  # pycodestyle errors
+    "W",  # pycodestyle warnings
+    "F",  # pyflakes
+    "I",  # isort
+    "B",  # flake8-bugbear
+    "C4", # flake8-comprehensions
+    "UP", # pyupgrade
+]
+ignore = [
+    "E501", # line too long (handled by formatter)
+]
+
+[tool.black]
+line-length = 120
+target-version = ['py310']
+include = '\.pyi?$'
+extend-exclude = '''
+(
+  /(
+      \.eggs
+    | \.git
+    | \.mypy_cache
+    | \.tox
+    | \.venv
+    | _build
+    | buck-out
+    | build
+    | dist
+  )/
+)
+'''
+
+[tool.mypy]
+python_version = "3.10"
+warn_return_any = true
+warn_unused_configs = true
+disallow_untyped_defs = false
+ignore_missing_imports = true