ci: enforce version sync invariant

[Aleksei Sviridkin (lexfrei)]

Summary

Add a version-sync invariant to the Lint job: hack/check-versions.sh fails the build if any tracked dependency's version drifts across its authoritative files.

Three groups are checked:

1. cozy-installer chart — must match in galaxy.yml, roles/cozystack/defaults/main.yml, and the three examples/*/requirements.yml (compared without the leading v).
2. k3s binary — must match across tests/ci-inventory.yml and all three examples/*/inventory.yml.
3. k3s.orchestration collection — must match across tests/requirements.yml and all three examples/*/requirements.yml.

Renovate bumps already update all files together, so the check is transparent for automated flows. A manual version change in a single file now fails CI with a diff showing which file lags.

Changes

• New hack/check-versions.sh using yq (preinstalled on GitHub-hosted ubuntu runners), wired as the first step of the existing Lint job in .github/workflows/test.yml.
• New hack/test-check-versions.sh self-test: asserts the clean tree exits 0, then perturbs one file per invariant group (including a middle file for k3s to guard against future refactor bugs) and asserts exit 1 with the correct DRIFT in <group> label on stderr. Runs alongside in the same Lint job.
• README: fix stale cozystack_chart_version default in the optional variables table (1.2.2 → 1.3.0).
• CHANGELOG: move Unreleased section to the top of the file to match the reverse-chronological convention in the project CLAUDE.md.

Test plan

• Script verified locally: positive run prints three OK lines; negative runs (via self-test) exit 1 with the right label for each group including a middle-file perturbation.
• shellcheck clean on both scripts.
• ansible-lint passes (CI)
• ansible-test sanity passes (CI)
• Tested on a live cluster — N/A (CI-only change)
• Idempotency verified — N/A

Summary by CodeRabbit

• Chores
  • CI updated to run a new repository-wide version synchronization check before dependency setup.
• Tests
  • Added a regression self-test that verifies the version-check detects introduced drift.
• Documentation
  • Changelog updated with CI release notes and repositioned an existing entry into Unreleased.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 173a39be-89b4-4ba8-8de3-e4ece477bbfa

📥 Commits

Reviewing files that changed from the base of the PR and between 50961b9 and 7f1f155.

📒 Files selected for processing (2)

• .github/workflows/test.yml
• CHANGELOG.rst

✅ Files skipped from review due to trivial changes (1)

• CHANGELOG.rst

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/test.yml

---

📝 Walkthrough

Walkthrough

Adds repository-wide version drift detection: new Bash scripts enforce synced chart/k3s/collection versions, the lint CI job runs the checks and their self-test before setup/lint steps, and CHANGELOG.rst documents these CI additions.

Changes

Version invariant checks

Layer / File(s)	Summary
CI Workflow Integration .github/workflows/test.yml	Lint job updated to run ./hack/check-versions.sh followed by ./hack/test-check-versions.sh before existing Python setup and linting tasks.
Documentation CHANGELOG.rst	Changelog Unreleased bullets added/updated to document the CI version invariant checks and the companion self-test; cozystack_external_ips entry moved into Unreleased.
Version Validation Scripts hack/check-versions.sh, hack/test-check-versions.sh	New executable scripts: check-versions.sh validates version synchronization across YAML files using yq; test-check-versions.sh runs regression scenarios expecting drift detection failures.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐰 I hop through YAML, nose to the code,
Checking versions down every road.
Scripts and tests keep drift at bay,
CI guards the versions day by day.
A tidy repo — hop, hooray! 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: adding a CI-level version sync invariant enforcement to the Lint job.
Description check	✅ Passed	The description covers all required template sections (Summary, Changes, Test plan) with comprehensive details about the invariants checked, implementation approach, and testing strategy.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/version-sync-invariant

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces a new CI script, hack/check-versions.sh, which ensures version strings remain synchronized across multiple configuration files, including galaxy.yml, role defaults, and example requirements. The script is integrated into the Lint job to prevent version drift. Feedback was provided to improve the clarity of error reporting by aligning a label with the actual variable name used in the code.

[gemini-code-assist]

The label used in the report for the role defaults file is slightly inconsistent with the actual key name. In roles/cozystack/defaults/main.yml, the variable is named cozystack_chart_version. Updating the label to match the key exactly will make it easier to locate the variable if a drift is reported.

Suggested change

	"roles/cozystack/defaults/main.yml:chart_version" "$cozy_role" \
	"roles/cozystack/defaults/main.yml:cozystack_chart_version" "$cozy_role" \

[Aleksei Sviridkin (lexfrei)]

Applied in a5c43f4. The cozy-installer group now labels the role default as roles/cozystack/defaults/main.yml:cozystack_chart_version (full variable name) so a DRIFT report points directly at the variable to grep for in the file.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@hack/check-versions.sh`:
- Around line 70-101: The yq/get_collection_version command substitutions (e.g.,
cozy_galaxy, k3s_ci, orch_tests) can silently produce empty strings on failure
which bypasses report; enable bash's inherit_errexit (shopt -s inherit_errexit)
before these assignments or add explicit non-empty validation after each
assignment (or inside report()) to set err=1 and print a clear error when a
value is empty; update the block that assigns
cozy_galaxy/cozy_role/cozy_rhel/... and k3s_ci/k3s_rhel/.../orch_tests to either
enable inherit_errexit at top or to check each variable (and call err=1/report
error) before calling report().

In `@README.md`:
- Line 313: Update the Unreleased section of CHANGELOG.rst to include the chart
version bump: add a bullet "Bump cozystack_chart_version to 1.3.0" so the
changelog reflects the change made to roles/cozystack/defaults/main.yml
(cozystack_chart_version) and matches the README.md/galaxy.yml updates; place
the bullet alongside the other Unreleased entries for new features and CI
improvements.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 46c50414-cdb6-47cc-8958-94692b504a50

📥 Commits

Reviewing files that changed from the base of the PR and between 58eca80 and 1b6ca05.

📒 Files selected for processing (5)

• .github/workflows/test.yml
• CHANGELOG.rst
• README.md
• hack/check-versions.sh
• hack/test-check-versions.sh

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
rg -nP '^\s*(version|cozystack_chart_version)\s*[:=]' galaxy.yml roles/cozystack/defaults/main.yml
rg -nP 'cozystack\.installer' -A3 examples/*/requirements.yml

Repository: cozystack/ansible-cozystack

Length of output: 971

---

🏁 Script executed:

cat -n CHANGELOG.rst | head -100

Repository: cozystack/ansible-cozystack

Length of output: 6034

---

Add CHANGELOG.rst entry documenting cozystack_chart_version bump to 1.3.0.

The default chart version in roles/cozystack/defaults/main.yml was bumped from 1.2.2 to 1.3.0, matching the updates in galaxy.yml and README.md. However, the Unreleased section of CHANGELOG.rst documents new features and CI improvements but omits this chart version bump. Previous chart version bumps (v1.2.2, v1.2.1, v1.1.3, v1.1.2, v1.0.2) each got their own changelog entry. Add a bullet to the Unreleased section: Bump cozystack_chart_version to 1.3.0.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@README.md` at line 313, Update the Unreleased section of CHANGELOG.rst to
include the chart version bump: add a bullet "Bump cozystack_chart_version to
1.3.0" so the changelog reflects the change made to
roles/cozystack/defaults/main.yml (cozystack_chart_version) and matches the
README.md/galaxy.yml updates; place the bullet alongside the other Unreleased
entries for new features and CI improvements.

[Aleksei Sviridkin (lexfrei)]

Out of scope for this PR. The 1.3.0 chart bump landed in main via a separate renovate PR that already created the v1.3.0 tag, so this PR does not bump the chart version — it only adds the CI invariant and fixes a stale README default. The missing CHANGELOG entry is a pre-existing gap in the release flow (the release workflow tags but doesn't rename Unreleased); the correct fix is to create a real v1.3.0 section alongside a change to the release workflow, which is a separate concern.

[coderabbitai]

@lexfrei, understood — thanks for the context. The README update here is purely correcting a stale default that lagged behind the Renovate-driven 1.3.0 bump, not introducing a new version change, so a CHANGELOG entry in this PR would indeed be misattributed. Withdrawing this comment.

---

✏️ Learnings added

Learnt from: lexfrei
Repo: cozystack/ansible-cozystack PR: 34
File: README.md:313-313
Timestamp: 2026-04-23T10:42:54.380Z
Learning: In cozystack/ansible-cozystack, README.md default values for `cozystack_chart_version` can lag behind the actual version in `roles/cozystack/defaults/main.yml` and `galaxy.yml` after Renovate PRs. A PR that only corrects a stale README default is NOT bumping the chart version and does NOT require a CHANGELOG entry. The missing CHANGELOG entry for a released version (e.g. v1.3.0) is a pre-existing gap in the release flow: the release workflow tags the repo but does not rename the `Unreleased` CHANGELOG section to the new version. The correct fix is to create a proper versioned section alongside a release workflow change, handled separately.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

---

🧠 Learnings used

Learnt from: CR
Repo: cozystack/ansible-cozystack PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-15T11:53:04.566Z
Learning: Applies to roles/cozystack/defaults/main.yml : Collection version is inherited from `cozystack/cozystack` and tracks the upstream Cozystack chart version in `roles/cozystack/defaults/main.yml:cozystack_chart_version`. Do NOT bump collection version just because a PR adds features or fixes bugs.

---

Learnt from: CR
Repo: cozystack/ansible-cozystack PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-15T11:53:04.566Z
Learning: Applies to CHANGELOG.rst : `CHANGELOG.rst` must use per-version sections in reverse chronological order. For changes on `main` without a version bump, use an `Unreleased` section at the top. Rename it to the new version when upstream bumps. Never attribute new changes to an already-tagged version.

[Andrei Kvapil (kvaps)]

Cannot merge — branch has conflicts with main. Please rebase onto current main and push, then I'll re-merge.