feat: auditd - new role - initial commit

[richm]

This is the initial commit of the new role auditd.

Signed-off-by: Rich Megginson [email protected]

Summary by Sourcery

Introduce a new linux-system-roles.auditd Ansible role to manage auditd configuration and rules with comprehensive CI, docs, and testing support.

New Features:

• Add an auditd role that installs audit packages, renders auditd.conf from variables, and optionally manages custom audit rules.
• Provide extensive configurable variables for auditd behavior, transport, logging, and rule definitions, including rpm-ostree support.
• Include example playbooks demonstrating basic configuration and rules purging scenarios.

Enhancements:

• Implement robust validation of role inputs via argument_specs and custom assertion tasks aligned with auditd upstream limits.
• Add handlers and helper tasks to safely manage auditd service restarts, rule loading, and platform-specific variable resolution.
• Introduce an rpm-ostree helper script to derive required packages across roles for immutable systems.

CI:

• Add GitHub Actions workflows for ansible-lint, ansible-test, qemu/container integration tests, Testing Farm runs, markdownlint, ShellCheck, codespell, woke, PR title linting, weekly CI, README HTML generation, and changelog-driven tagging and Galaxy publishing.

Documentation:

• Create detailed README documentation for the auditd role, rpm-ostree usage, contribution guidelines, and Ansible introduction links.
• Add Testing Farm plan documentation describing CI test execution and how to run tests locally.

Tests:

• Add integration, validation, and idempotence tests for auditd configuration, rule management, invalid input handling, and include_vars behavior.
• Provide snapshot/setup and helper tasks to back up and restore system state during tests.

Chores:

• Configure markdownlint, yamllint, commitlint, Dependabot, ansible-lint, and various repo metadata files for consistent maintenance.

[sourcery-ai]

Reviewer's Guide

Adds a new linux-system-roles.auditd Ansible role that manages auditd.conf and custom audit rules, with full CI, validation, rpm-ostree support, documentation, and tests for argument sanity, rules purging, and integration behavior.

Sequence diagram for auditd rules purge and retention behavior

sequenceDiagram
    actor Admin
    participant AnsiblePlay
    participant Role_auditd as Role_auditd
    participant Tasks_main as Tasks_main_yml
    participant Tasks_purge as Tasks_purge_rules_yml
    participant Template_custom as Template_custom_rules_j2
    participant Handler_augenrules as Handler_Run_augenrules

    Admin->>AnsiblePlay: Run play with auditd_purge_rules=true
    AnsiblePlay->>Role_auditd: Apply linux_system_roles.auditd
    Role_auditd->>Tasks_main: Execute tasks/main.yml

    Note over Tasks_main: Earlier tasks validate vars, set facts,
    Note over Tasks_main: install packages, create rules.d

    alt auditd_purge_rules and auditd_manage_rules are true
        Tasks_main->>Tasks_purge: Include purge_rules.yml
        Tasks_purge->>Tasks_purge: Find files in rules.d
        Tasks_purge->>Tasks_purge: Stat custom.rules
        opt custom.rules exists
            Tasks_purge->>Tasks_purge: Slurp custom.rules content
            Tasks_purge->>Template_custom: Lookup rendered custom.rules
            Template_custom-->>Tasks_purge: Rendered rules text
            Tasks_purge->>Tasks_purge: Compute expected_sig from rendered body
            Tasks_purge->>Tasks_purge: Compute current_sig from file body
            alt Signatures equal
                Tasks_purge->>Tasks_purge: Set __auditd_purge_keep_custom_rules=true
            else Signatures differ
                Tasks_purge->>Tasks_purge: Set __auditd_purge_keep_custom_rules=false
            end
        end
        loop For each file in rules.d
            alt File is custom.rules and __auditd_purge_keep_custom_rules is true
                Tasks_purge-->>Tasks_purge: Skip deletion
            else Delete file
                Tasks_purge->>Tasks_purge: Remove file
                Tasks_purge->>Handler_augenrules: notify Run_augenrules
            end
        end
    else auditd_purge_rules is false or manage_rules is false
        Tasks_main-->>Tasks_main: Skip purge_rules.yml
    end

    Note over Tasks_main,Template_custom: Later, if auditd_manage_rules and not __auditd_purge_keep_custom_rules
    Note over Tasks_main,Template_custom: template custom.rules.j2 overwrites custom.rules and notifies Run_augenrules

    Handler_augenrules-->>Handler_augenrules: Run augenrules
    Handler_augenrules->>Handler_augenrules: Run augenrules --load when allowed
    Handler_augenrules-->>Admin: Audit rules updated on target

Loading

Class diagram for linux_system_roles_auditd role structure

classDiagram
    class Role_linux_system_roles_auditd {
      +defaults_main_yml
      +vars_main_yml
      +tasks_main_yml
      +handlers_main_yml
      +templates_auditd_conf_j2
      +templates_custom_rules_j2
      +meta_main_yml
      +meta_argument_specs_yml
    }

    class Defaults_main_yml {
      +bool auditd_local_events
      +bool auditd_write_logs
      +string auditd_log_file
      +string auditd_log_format
      +string auditd_log_group
      +string auditd_flush
      +int auditd_freq
      +int auditd_num_logs
      +string auditd_dispatcher
      +string auditd_name_format
      +string auditd_name
      +string auditd_disp_qos
      +int auditd_max_log_file
      +string auditd_max_log_file_action
      +string auditd_max_log_file_action_exe
      +string auditd_space_left
      +string auditd_space_left_action
      +string auditd_space_left_action_exe
      +string auditd_action_mail_acct
      +bool auditd_verify_email
      +string auditd_admin_space_left
      +string auditd_admin_space_left_action
      +string auditd_admin_space_left_action_exe
      +string auditd_disk_full_action
      +string auditd_disk_full_action_exe
      +string auditd_disk_error_action
      +string auditd_disk_error_action_exe
      +int auditd_priority_boost
      +int auditd_tcp_listen_port
      +int auditd_tcp_listen_queue
      +int auditd_tcp_max_per_addr
      +bool auditd_use_libwrap
      +string auditd_tcp_client_ports
      +int auditd_tcp_client_max_idle
      +string auditd_transport
      +bool auditd_enable_krb5
      +string auditd_krb5_principal
      +string auditd_krb5_key_file
      +bool auditd_distribute_network
      +int auditd_q_depth
      +string auditd_overflow_action
      +int auditd_max_restarts
      +string auditd_plugin_dir
      +int auditd_end_of_event_timeout
      +string auditd_report_interval
      +int auditd_buffer_size
      +int auditd_fail_mode
      +int auditd_maximum_rate
      +int auditd_enable_flag
      +bool auditd_manage_rules
      +bool auditd_purge_rules
      +bool auditd_start_service
      +string auditd_default_arch
      +list auditd_rules
    }

    class Vars_main_yml {
      +map _auditd_packages_map
      +string auditd_config_directory
      +string auditd_config_file
      +string auditd_service
      +map _auditd_permissions
      +list __auditd_required_facts
      +list __auditd_required_facts_subsets
      +list __auditd_rh_distros
      +list __auditd_rh_distros_fedora
      +bool __auditd_is_rh_distro
      +bool __auditd_is_rh_distro_fedora
    }

    class Tasks_main_yml {
      +task Validate_role_parameters
      +task Include_set_vars
      +task Install_audit_packages
      +task Deploy_auditd_configuration
      +task Ensure_rulesd_directory
      +task Purge_rulesd_when_requested
      +task Deploy_custom_audit_rules
      +task Start_and_enable_auditd_service
    }

    class Tasks_set_vars_yml {
      +task Ensure_required_facts
      +task Detect_ostree
      +task Include_platform_vars_files
      +task Resolve_package_names
      +bool __auditd_is_ostree
      +list __auditd_required_facts_subsets
      +list __auditd_packages
    }

    class Tasks_assert_yml {
      +assert auditd_num_logs_range
      +assert auditd_freq_range
      +assert_incremental_flush_requires_freq
      +assert_priority_boost_range
      +assert_q_depth_range
      +assert_max_restarts_range
      +assert_tcp_ports_ranges
      +assert_tcp_client_ports_format
      +assert_space_left_action_not_halt
      +assert_disk_full_action_not_email
      +assert_disk_error_action_not_email_rotate
      +assert_exec_actions_have_paths
      +assert_name_when_user_format
      +assert_auditd_rules_structure
      +assert_syscall_rule_keys
      +assert_file_rule_permissions
    }

    class Tasks_purge_rules_yml {
      +task Discover_rulesd_files
      +task Stat_custom_rules
      +task Slurp_custom_rules
      +task Compute_expected_signature
      +task Compute_current_signature
      +task Decide_keep_custom_rules
      +task Remove_rulesd_files
      +bool __auditd_purge_keep_custom_rules
    }

    class Handlers_main_yml {
      +handler Run_augenrules
      +handler Load_audit_rules
      +handler Restart_auditd
    }

    class Template_auditd_conf_j2 {
      +macro auditd_yesno
      +render auditd_conf_from_variables
    }

    class Template_custom_rules_j2 {
      +render_global_settings
      +render_file_watch_rules
      +render_syscall_rules
      +render_generic_rules
      +use _auditd_permissions
    }

    class Meta_main_yml {
      +string namespace
      +string role_name
      +string author
      +string description
      +string company
      +string license
      +string min_ansible_version
      +list platforms
      +list galaxy_tags
    }

    Role_linux_system_roles_auditd *-- Defaults_main_yml
    Role_linux_system_roles_auditd *-- Vars_main_yml
    Role_linux_system_roles_auditd *-- Tasks_main_yml
    Role_linux_system_roles_auditd *-- Handlers_main_yml
    Role_linux_system_roles_auditd *-- Template_auditd_conf_j2
    Role_linux_system_roles_auditd *-- Template_custom_rules_j2
    Role_linux_system_roles_auditd *-- Meta_main_yml
    Tasks_main_yml --> Tasks_set_vars_yml
    Tasks_main_yml --> Tasks_assert_yml
    Tasks_main_yml --> Tasks_purge_rules_yml
    Tasks_main_yml --> Handlers_main_yml
    Tasks_purge_rules_yml --> Template_custom_rules_j2
    Template_custom_rules_j2 --> Vars_main_yml
    Template_auditd_conf_j2 --> Defaults_main_yml
    Tasks_assert_yml --> Vars_main_yml
    Tasks_set_vars_yml --> Vars_main_yml

Loading

Flow diagram for get_ostree_data_sh package resolution and output

flowchart TD
    A[Start get_ostree_data_sh
args category pkgtype distro_ver format] --> B{Args valid?}
    B -- no --> Z[Exit with_usage]
    B -- yes --> C[Set category
Set pkgtypes
Parse distro and version]

    C --> D{category == packages}
    D -- no --> Z2[Unsupported_category
exit]
    D -- yes --> E[Call get_packages
with ostree_dir]

    subgraph get_packages_recursive
        E --> F[For each pkgtype in pkgtypes]
        F --> G[For each suffix in
"" -distro -distro-major -distro-ver]
        G --> H[Check packages-pkgtype-suffix txt]
        H --> I{File exists?}
        I -- yes --> J[Output package lines]
        I -- no --> K[Skip]

        F --> L[Check roles-pkgtype txt]
        L --> M{roles file exists?}
        M -- no --> N[Skip roles]
        M -- yes --> O[Read role names]
        O --> P[For each role
call get_rolepath]
        P --> Q{rolepath found?}
        Q -- no --> R[Print error
exit 2]
        Q -- yes --> S[Recurse get_packages
on rolepath]

        J --> T[Collect all packages]
        S --> T
        T --> U[Sort -u packages]
    end

    U --> V{format}
    V -- json --> W1[format_packages_json]
    V -- yaml --> W2[format_packages_yaml]
    V -- raw --> W3[format_packages_raw]
    V -- toml --> W4[format_packages_toml]

    W1 --> X[Print JSON list]
    W2 --> X
    W3 --> X
    W4 --> X
    X --> Y[End]

    subgraph get_rolepath_resolution
        GR1[Given ostree_dir and role] --> GR2[Check rolesdir under parent collection
role_path role ostree]
        GR2 --> GR3{Exists?}
        GR3 -- yes --> GR7[Return rolesdir]
        GR3 -- no --> GR4[Check legacy role dirs
*-system-roles role
.ostree]
        GR4 --> GR5{Exists?}
        GR5 -- yes --> GR7
        GR5 -- no --> GR6[Search ANSIBLE_COLLECTIONS_PATH
for role .ostree]
        GR6 --> GR8{Found?}
        GR8 -- yes --> GR7
        GR8 -- no --> GR9[Print error
exit 2]
    end

Loading

File-Level Changes

Change	Details	Files
Introduce fully‑featured auditd Ansible role with config templating, rules management, handlers, and platform-specific variable resolution.	Define role defaults mirroring audit-userspace clear_config in defaults/main.yml, including auditd.conf options and rule controls like auditd_manage_rules, auditd_purge_rules, and auditd_rules. Implement main task flow (tasks/main.yml) to validate inputs, gather required facts, resolve per‑OS packages/paths, install audit packages, render auditd.conf and rules.d/custom.rules, optionally purge rules.d, and manage the auditd service. Add set_vars.yml and vars/main.yml to resolve required facts, rpm-ostree detection, OS-family package mapping, and reusable permission mappings and RH distro helpers. Provide auditd.conf.j2 and custom.rules.j2 templates to render daemon config and rule fragments from role variables, including exec actions and rule types (file, syscall, generic). Define handlers to regenerate and load rules with augenrules and restart auditd when configs or rules change.	defaults/main.yml tasks/main.yml tasks/set_vars.yml vars/main.yml templates/auditd.conf.j2 templates/custom.rules.j2 handlers/main.yml
Add strong input validation for auditd parameters aligned with auditd-config.c and test coverage for invalid inputs and rules semantics.	Create meta/argument_specs.yml to constrain types and enum choices for auditd_* variables (e.g., log_format, transport, *_action values). Implement tasks/assert.yml to enforce numeric ranges, cross-field constraints (e.g., freq with incremental flush, exec actions requiring *_exe paths, rules schema and permissions), and special constraints like disallowed actions for disk_full/error and space_left_action. Add tests/tests_invalid_input.yml to assert that both argument_specs and tasks/assert.yml reject bad values and malformed auditd_rules. Provide tests/templates/get_ansible_managed.j2 and tasks/check_header.yml to verify ansible_managed headers and fingerprints in generated files.	meta/argument_specs.yml tasks/assert.yml tests/tests_invalid_input.yml tests/tasks/check_header.yml tests/templates/get_ansible_managed.j2
Implement purge and idempotent management of audit rules under rules.d, with tests ensuring behavior and system restoration.	Add purge_rules.yml to discover files under rules.d, compare existing custom.rules body (from first -D onward) with expected template, preserve matching custom.rules while deleting other fragments, and set a fact to skip rewrite. Integrate purge_rules.yml into main flow when auditd_purge_rules and auditd_manage_rules are true, and conditionally skip templating when existing custom.rules is preserved. Create tests/tests_purge_rules.yml plus tests/tasks/setup.yml and tests/tasks/cleanup.yml to snapshot current rules, add a decoy fragment, run the role with purge enabled, verify decoy deletion and custom.rules checksum stability across runs, then restore original state.	tasks/purge_rules.yml tasks/main.yml tests/tests_purge_rules.yml tests/tasks/setup.yml tests/tasks/cleanup.yml
Add integration, default-path, and include_vars tests plus helper taskfiles to exercise role behavior in realistic scenarios.	Add tests/tests_default.yml that runs the role with cleared facts and checks auditd.conf header for ansible_managed and role fingerprint. Add tests/tests_auditd_integration.yml to configure non-default auditd settings and rules, then verify rendered auditd.conf and custom.rules content line-by-line before restoring backups. Introduce tests/tests_include_vars_from_parent.yml and tests/roles/caller to validate that caller vars do not override role vars when include_role is used. Provide tests/tasks/run_role_with_clear_facts.yml to clear facts and include the role with optional failure suppression, and tests/setup-snapshot.yml to pre-install OS packages for snapshot images. Add tests/vars/rh_distros_vars.yml for RH distro helpers in tests, mirroring role vars.	tests/tests_default.yml tests/tests_auditd_integration.yml tests/tests_include_vars_from_parent.yml tests/setup-snapshot.yml tests/tasks/run_role_with_clear_facts.yml tests/roles/caller/tasks/main.yml tests/roles/caller/vars/main.yml tests/vars/rh_distros_vars.yml
Add documentation and examples for the role, rpm-ostree behavior, contribution workflow, and test plans.	Create README.md describing role purpose, all auditd_* variables with semantics and defaults, rules format, rpm-ostree usage pointer, and example playbook. Add README-ostree.md explaining package resolution and get_ostree_data.sh usage to compute package lists for various DISTRO-VERSION and output formats. Add README-ansible.md linking to shared Linux System Roles Ansible introduction, contributing.md with development/testing workflow, and README-plans.md describing tmt/Testing Farm CI plans. Add examples/simple.yml and examples/purge_rules.yml to demonstrate basic configuration and purge_rules behavior.	README.md README-ostree.md README-ansible.md contributing.md plans/README-plans.md examples/simple.yml examples/purge_rules.yml
Provide rpm-ostree support tooling and common repo metadata for CI, docs, linting, and release automation.	Introduce .ostree/get_ostree_data.sh plus .ostree/README.md to compute package lists (runtime/testing) with support for nested role dependencies and multiple output formats (json/yaml/raw/toml). Add meta/main.yml and meta/collection-requirements.yml defining Galaxy metadata, supported platforms/tags, and ansible.posix dependency, along with minimal tox.ini to enable tox-lsr. Add markdownlint, yamllint, codespell, woke, ansible-lint, ansible-test, shellcheck, docs build, release/tagging (changelog_to_tag.yml), weekly CI trigger, ostree/qemu/container integration tests, and Testing Farm workflows. Add PR title linting via commitlint (.commitlintrc.js and pr-title-lint.yml), dependabot config, codespell configuration files, PR template, CODEOWNERS, docs template, and CI helpers such as ansible-managed-var-comment.yml and test_converting_readme.yml. Stub .ansible-lint, .codespell_ignores, .codespellrc, .fmf/version, plans/test_playbooks_parallel.fmf, and test role directories for collection conversion/testing scaffolding.	.ostree/get_ostree_data.sh .ostree/README.md meta/main.yml meta/collection-requirements.yml tox.ini .markdownlint.yaml .yamllint.yml .github/workflows/* .commitlintrc.js .github/dependabot.yml .github/CODEOWNERS .github/pull_request_template.md .pandoc_template.html5 .ansible-lint .codespell_ignores .codespellrc .fmf/version plans/test_playbooks_parallel.fmf tests/roles/linux-system-roles.auditd/*

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 6 issues

Prompt for AI Agents

Please address the comments from this code review:

## Individual Comments

### Comment 1
<location path=".github/workflows/build_docs.yml" line_range="99-103" />
<code_context>
+          name: README.html
+          path: ${{ env.RELEASE_VERSION }}/README.html
+
+      - name: Commit changes
+        run: |
+          git config --global user.name "${{ github.actor }}"
+          git config --global user.email "${{ github.actor }}@users.noreply.github.com"
+          git add ${{ env.RELEASE_VERSION }}/README.html docs/index.html
+          git commit -m "Update README.html for ${{ env.RELEASE_VERSION }}"
+
</code_context>
<issue_to_address>
**issue (bug_risk):** Guard adding docs/index.html so the workflow does not fail when RELEASE_VERSION != 'latest'

`docs/index.html` is only created when `RELEASE_VERSION == 'latest'`, but `git add ... docs/index.html` always runs. For tag-based releases, this file won’t exist and the `git add` will fail. Please either guard `git add docs/index.html` with `RELEASE_VERSION == 'latest'` or move it to a separate, conditional `git add` that matches the copy step’s condition.
</issue_to_address>

### Comment 2
<location path=".github/workflows/tft.yml" line_range="119-120" />
<code_context>
+            ansible_version: "2.17"
+    runs-on: ubuntu-latest
+    env:
+      ARTIFACTS_DIR_NAME: "tf_${{ github.event.repository.name }}-${{ github.event.issue.number }}_\
+        ${{ matrix.platform }}-${{ matrix.ansible_version }}_\
+        ${{ needs.prepare_vars.outputs.datetime }}/artifacts"
+      ARTIFACT_TARGET_DIR: /srv/pub/alt/${{ vars.SR_LSR_USER }}/logs
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Avoid referencing a non-existent datetime output from prepare_vars in ARTIFACTS_DIR_NAME

`ARTIFACTS_DIR_NAME` uses `${{ needs.prepare_vars.outputs.datetime }}`, but `prepare_vars` doesn’t define a `datetime` output. That will leave an empty segment in the path and diverges from the `Set variables with DATETIME` step, which recomputes `DATETIME` and artifact paths. Please either expose `DATETIME` as an output from `prepare_vars` and use it here, or remove this interpolation and rely on the value computed in `set_vars` only.

Suggested implementation:

```
    env:
      ARTIFACT_TARGET_DIR: /srv/pub/alt/${{ vars.SR_LSR_USER }}/logs

```

If subsequent steps rely on `ARTIFACTS_DIR_NAME` as a job-level environment variable, they should be updated to either:
1. Use the value computed in `set_vars` (e.g., by echoing it to `$GITHUB_OUTPUT` in `set_vars` and then referencing `steps.set_vars.outputs.ARTIFACTS_DIR_NAME`), or
2. Recompute the same value locally in their own `run` sections, mirroring the logic from `set_vars`.

This will ensure there is a single source of truth for the artifacts directory name and no dependency on a non-existent `prepare_vars.outputs.datetime`.
</issue_to_address>

### Comment 3
<location path=".ostree/get_ostree_data.sh" line_range="132" />
<code_context>
+    exit 1
+fi
+
+"get_$category" "$ostree_dir" | "format_${category}_$format"
</code_context>
<issue_to_address>
**suggestion:** Validate category/format values before invoking helper functions to avoid confusing runtime errors

Right now the script assumes any `category`/`format` is valid and directly invokes `get_$category` and `format_${category}_$format`. If a caller passes an unsupported value (e.g., a typo), this will just produce a `command not found` error. Please add explicit validation (e.g., a case statement) for allowed categories and formats, and exit with a clear, actionable error when an invalid value is given.
</issue_to_address>

### Comment 4
<location path="contributing.md" line_range="14-15" />
<code_context>
+* Basic git and github information
+* How to create git commits and submit pull requests
+
+**Bugs and needed implementations** are listed on
+[Github Issues](https://github.com/linux-system-roles/auditd/issues).
+Issues labeled with
+[**help wanted**](https://github.com/linux-system-roles/auditd/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22)
</code_context>
<issue_to_address>
**nitpick (typo):** Use the correct "GitHub" capitalization in the link text.

Please update the link text to "GitHub Issues" to match the official capitalization and keep the terminology consistent.

Suggested implementation:

```
* Basic git and GitHub information

```

```
[GitHub Issues](https://github.com/linux-system-roles/auditd/issues).

```

```
**Code** is managed on [GitHub](https://github.com/linux-system-roles/auditd), using

```
</issue_to_address>

### Comment 5
<location path="plans/README-plans.md" line_range="3" />
<code_context>
+# Introduction CI Testing Plans
+
+Linux System Roles CI runs [tmt](https://tmt.readthedocs.io/en/stable/index.html) test plans in [Testing farm](https://docs.testing-farm.io/Testing%20Farm/0.1/index.html) with the [tft.yml](https://github.com/linux-system-roles/auditd/blob/main/.github/workflows/tft.yml) GitHub workflow.
+
+The `plans/test_playbooks_parallel.fmf` plan is a test plan that runs test playbooks in parallel on multiple managed nodes.
</code_context>
<issue_to_address>
**nitpick (typo):** Align "Testing farm" capitalization with the official "Testing Farm" name.

Please update the link text here to "Testing Farm" to match the official name used elsewhere in the docs.

```suggestion
Linux System Roles CI runs [tmt](https://tmt.readthedocs.io/en/stable/index.html) test plans in [Testing Farm](https://docs.testing-farm.io/Testing%20Farm/0.1/index.html) with the [tft.yml](https://github.com/linux-system-roles/auditd/blob/main/.github/workflows/tft.yml) GitHub workflow.
```
</issue_to_address>

### Comment 6
<location path="plans/README-plans.md" line_range="20" />
<code_context>
+3. For the given role and the given PR, runs the general test from [test.sh](https://github.com/linux-system-roles/tft-tests/blob/main/tests/general/test.sh).
+
+The [tft.yml](https://github.com/linux-system-roles/auditd/blob/main/.github/workflows/tft.yml) workflow runs the above plan and uploads the results to our Fedora storage for public access.
+This workflow uses Testing Farm's Github Action [Schedule tests on Testing Farm](https://github.com/marketplace/actions/schedule-tests-on-testing-farm).
+
+## Running Tests
</code_context>
<issue_to_address>
**nitpick (typo):** Use the proper "GitHub Action" capitalization.

Please update "Github Action" to "GitHub Action" in this sentence for correct branding and consistency with the official name.

```suggestion
This workflow uses Testing Farm's GitHub Action [Schedule tests on Testing Farm](https://github.com/marketplace/actions/schedule-tests-on-testing-farm).
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

issue (bug_risk): Guard adding docs/index.html so the workflow does not fail when RELEASE_VERSION != 'latest'

docs/index.html is only created when RELEASE_VERSION == 'latest', but git add ... docs/index.html always runs. For tag-based releases, this file won’t exist and the git add will fail. Please either guard git add docs/index.html with RELEASE_VERSION == 'latest' or move it to a separate, conditional git add that matches the copy step’s condition.

[sourcery-ai]

suggestion (bug_risk): Avoid referencing a non-existent datetime output from prepare_vars in ARTIFACTS_DIR_NAME

ARTIFACTS_DIR_NAME uses ${{ needs.prepare_vars.outputs.datetime }}, but prepare_vars doesn’t define a datetime output. That will leave an empty segment in the path and diverges from the Set variables with DATETIME step, which recomputes DATETIME and artifact paths. Please either expose DATETIME as an output from prepare_vars and use it here, or remove this interpolation and rely on the value computed in set_vars only.

Suggested implementation:

    env:
      ARTIFACT_TARGET_DIR: /srv/pub/alt/${{ vars.SR_LSR_USER }}/logs

If subsequent steps rely on ARTIFACTS_DIR_NAME as a job-level environment variable, they should be updated to either:

1. Use the value computed in set_vars (e.g., by echoing it to $GITHUB_OUTPUT in set_vars and then referencing steps.set_vars.outputs.ARTIFACTS_DIR_NAME), or
2. Recompute the same value locally in their own run sections, mirroring the logic from set_vars.

This will ensure there is a single source of truth for the artifacts directory name and no dependency on a non-existent prepare_vars.outputs.datetime.

[sourcery-ai]

suggestion: Validate category/format values before invoking helper functions to avoid confusing runtime errors

Right now the script assumes any category/format is valid and directly invokes get_$category and format_${category}_$format. If a caller passes an unsupported value (e.g., a typo), this will just produce a command not found error. Please add explicit validation (e.g., a case statement) for allowed categories and formats, and exit with a clear, actionable error when an invalid value is given.

[sourcery-ai]

nitpick (typo): Use the correct "GitHub" capitalization in the link text.

Please update the link text to "GitHub Issues" to match the official capitalization and keep the terminology consistent.

Suggested implementation:

* Basic git and GitHub information

[GitHub Issues](https://github.com/linux-system-roles/auditd/issues).

**Code** is managed on [GitHub](https://github.com/linux-system-roles/auditd), using

[sourcery-ai]

nitpick (typo): Align "Testing farm" capitalization with the official "Testing Farm" name.

Please update the link text here to "Testing Farm" to match the official name used elsewhere in the docs.

Suggested change

	Linux System Roles CI runs [tmt](https://tmt.readthedocs.io/en/stable/index.html) test plans in [Testing farm](https://docs.testing-farm.io/Testing%20Farm/0.1/index.html) with the [tft.yml](https://github.com/linux-system-roles/auditd/blob/main/.github/workflows/tft.yml) GitHub workflow.
	Linux System Roles CI runs [tmt](https://tmt.readthedocs.io/en/stable/index.html) test plans in [Testing Farm](https://docs.testing-farm.io/Testing%20Farm/0.1/index.html) with the [tft.yml](https://github.com/linux-system-roles/auditd/blob/main/.github/workflows/tft.yml) GitHub workflow.

[sourcery-ai]

nitpick (typo): Use the proper "GitHub Action" capitalization.

Please update "Github Action" to "GitHub Action" in this sentence for correct branding and consistency with the official name.

Suggested change

	This workflow uses Testing Farm's Github Action [Schedule tests on Testing Farm](https://github.com/marketplace/actions/schedule-tests-on-testing-farm).
	This workflow uses Testing Farm's GitHub Action [Schedule tests on Testing Farm](https://github.com/marketplace/actions/schedule-tests-on-testing-farm).

[richm]

[citest]