add pre-commit and ci workflow

8 files changed, 50 insertions, 8 deletions

diff --git a/.ansible-lint b/.ansible-lint
new file mode 100644
index 0000000..f615bf2
--- /dev/null
+++ b/.ansible-lint
@@ -0,0 +1,2 @@
+exclude_paths:
+  - .github/
diff --git a/.github/ci.yaml b/.github/ci.yaml
new file mode 100644
index 0000000..88e0711
--- /dev/null
+++ b/.github/ci.yaml
@@ -0,0 +1,21 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  checks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-python@v6
+        with:
+          python-version-file: ".python-version"
+      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        with:
+          enable-cache: true
+      - run: echo "${{ secrets.VAULT_PASS }}" > .vault_pass
+      - run: pre-commit.sh
diff --git a/.gitignore b/.gitignore
index 4f8174e..0258088 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
+/.ansible/
 .DS_Store
 /.vault_pass
-/.venv
+/.venv/
 /tmp/*
 !/tmp/.keep
diff --git a/Makefile b/Makefile
index 0459afa..61ab7f8 100644
--- a/Makefile
+++ b/Makefile
@@ -10,6 +10,11 @@ edit:
 .PHONY: install
 install:
 	$(UV) sync
+	$(BIN)/ansible-galaxy collection install -r requirements.yaml
+
+.PHONY: install-pre
+install-pre:
+	cp pre-commit.sh .git/hooks/pre-commit
 
 .PHONY: lint
 lint:
diff --git a/README.md b/README.md
index a2b54d5..0063ddc 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,8 @@ Remote infrastructure.
 $ git clone git@github.com:luskjh/infra
 $ cd infra
 $ make install
+$ make install-pre
+$ echo '<vault password>' > .vault_pass
 ```
 
 ## Makefile targets
@@ -16,11 +18,12 @@ $ make install
 
 _Listed in alphabetical order._
 
-| Target             | Description          |
-| ------------------ | -------------------- |
-| `edit`             | Edit ansible vault   |
-| `install`          | Install dependencies |
-| `lint`             | Run ansible lint     |
-| `ping`<sup>*</sup> | Ping hollyhock host  |
+| Target             | Description             |
+| ------------------ | ----------------------- |
+| `edit`             | Edit ansible vault      |
+| `install`          | Install dependencies    |
+| `install-pre`      | Install pre-commit hook |
+| `lint`             | Run ansible lint        |
+| `ping`<sup>*</sup> | Ping hollyhock host     |
 
 [hollyhock]: //hollyhock.sorantics.com
diff --git a/pre-commit.sh b/pre-commit.sh
new file mode 100755
index 0000000..aeb4b9c
--- /dev/null
+++ b/pre-commit.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+make lint
diff --git a/requirements.yaml b/requirements.yaml
new file mode 100644
index 0000000..1c58833
--- /dev/null
+++ b/requirements.yaml
@@ -0,0 +1,7 @@
+collections:
+  - name: ansible.posix
+    version: ">=2.1.0,<2.2"
+  - name: community.crypto
+    version: ">=3.2.0,<3.3"
+  - name: community.general
+    version: ">=12.5.0,<12.6"
diff --git a/uv.lock b/uv.lock
index f3210e9..2491b2a 100644
--- a/uv.lock
+++ b/uv.lock
@@ -425,7 +425,7 @@ dev = [
     { name = "ansible", specifier = ">=13.7.0,<13.8" },
     { name = "ansible-core", specifier = ">=2.20.6,<2.21" },
     { name = "ansible-dev-tools", specifier = ">=26.4.6,<26.5" },
-    { name = "passlib", specifier = ">=1.7.4" },
+    { name = "passlib", specifier = ">=1.7.4,<1.8" },
 ]
 
 [[package]]