Add support for json schema validation

.config/dictionary.txt

@@ -76,6 +76,7 @@ isdir
 isdisjoint
 iskeyword
 isort
+jsonschema
 junitxml
 kubernetes
 libera

.github/workflows/tox.yml

@@ -155,7 +155,7 @@ jobs:
       WSLENV: FORCE_COLOR:PYTEST_REQPASS:TOXENV:TOX_PARALLEL_NO_SPINNER
       # Number of expected test passes, safety measure for accidental skip of
       # tests. Update value if you add/remove tests.
-      PYTEST_REQPASS: 625
+      PYTEST_REQPASS: 629
 
     steps:
       - name: Activate WSL1

.pre-commit-config.yaml

@@ -28,7 +28,8 @@ repos:
             examples/playbooks/templates/not-valid.yaml|
             examples/playbooks/with-umlaut-.*|
             examples/playbooks/with-skip-tag-id.yml|
-            test/fixtures/formatting-before/.*
+            test/fixtures/formatting-before/.*|
+            src/ansiblelint/schemas/.*
           )$
         additional_dependencies:
           - prettier
@@ -60,6 +61,7 @@ repos:
           (?x)^(
             examples/playbooks/(with-skip-tag-id|unicode).yml|
             examples/playbooks/example.yml|
+            test/eco/.*.result|
             test/fixtures/formatting-before/.*
           )$
       - id: mixed-line-ending
@@ -72,6 +74,10 @@ repos:
     rev: v2.1.0
     hooks:
       - id: codespell
+        exclude: >
+          (?x)^(
+            src/ansiblelint/schemas/.*\.json
+          )$
   - repo: https://github.com/PyCQA/doc8
     rev: 0.11.1
     hooks:
@@ -126,10 +132,11 @@ repos:
           - rich>=11.0.0
           - ruamel.yaml
           - sphinx>=4.4.0
-          - types-pyyaml>=6.0.4
           - types-dataclasses
           - types-docutils
+          - types-jsonschema>=4.4.2
           - types-pkg_resources
+          - types-pyyaml>=6.0.4
           - wcmatch
           - yamllint
         exclude: >
@@ -147,6 +154,7 @@ repos:
           - docutils
           - enrich
           - flaky
+          - jsonschema>=4.5.1
           - pytest
           - pyyaml
           - rich>=11.0.0

conftest.py

@@ -2,6 +2,9 @@
 import importlib
 import os
 import sys
+from typing import Any
+
+from ansiblelint.schemas import refresh_schemas
 
 # checking if user is running pytest without installing test dependencies:
 missing = []
@@ -18,3 +21,10 @@
 
 os.environ["NO_COLOR"] = "1"
 pytest_plugins = ["ansiblelint.testing.fixtures"]
+
+
+def pytest_configure(config: Any) -> None:
+    """Configure pytest."""
+    # run only on master node (xdist):
+    if not hasattr(config, "slaveinput"):
+        refresh_schemas()

cspell.config.yaml

@@ -17,6 +17,7 @@ ignorePaths:
   - docs/requirements.in
   # Test fixtures generated from outside
   - test/**/*.result
+  - src/ansiblelint/schemas/*.json
   # Other
   - "*.svg"
 allowCompoundWords: true

examples/galaxy.yml

@@ -11,5 +11,5 @@ dependencies:
   other_namespace.collection2: ">=2.0.0,<3.0.0"
   anderson55.my_collection: "*" # note: "*" selects the highest version available
 license:
-  - GPL
+  - GPL # <-- invalid license values based on galaxy schema
   - Apache

examples/playbooks/command-check-failure.yml

@@ -10,3 +10,4 @@
       ansible.builtin.shell: echo blah
       args:
         chdir: X
+      become_method: xx

examples/playbooks/json-schema-fail.yml

@@ -0,0 +1,4 @@
+---
+- name: This should raise json-schema error, due to hosts missing the last letter
+  host: localhost
+  tasks: []

examples/playbooks/schema-error-string.yml

@@ -0,0 +1,4 @@
+---
+foo
+# This file is valid YAML but from our point of view is an error, as is
+# neither a Sequence or a Mapping.

examples/playbooks/syntax-error-string.yml

@@ -1,3 +1,7 @@
-foo
-# This file is valid YAML but from our point of view is an error, as is
-# neither a Sequence or a Mapping.
+# This file is valid YAML and passed JSON Schema validation but not ansible
+# own syntax check.
+
+- hosts: localhost
+  tasks:
+    - name: invalid syntax
+      x.y.z.w: {}

examples/playbooks/vars/invalid_vars_schema.yml

@@ -0,0 +1,2 @@
+---
+123: true # invalid as schema expects string key

examples/roles/dependency_in_meta/meta/main.yml

@@ -1,6 +1,7 @@
 ---
 # meta file, determined by ending in meta/main.yml
 # https://docs.ansible.com/ansible/latest/user_guide/playbooks_reuse_roles.html#role-dependencies
+allow_duplicates: true
 dependencies:
   # from Bitbucket
   - src: git+http://bitbucket.org/willthames/git-ansible-galaxy
@@ -35,6 +36,6 @@ galaxy_info:
   description: Testing meta
   company: Not applicable
   license: MIT
-  min_ansible_version: 2.5
+  min_ansible_version: "2.5"
   platforms:
     - name: Fedora

examples/roles/invalid_due_to_meta/meta/main.yml

@@ -1,9 +1,9 @@
 ---
 galaxy_info:
-  role_name: invalid-due-to-meta
+  role_name: invalid-due-to-meta # <-- invalid role name
   author: foo
   description: foo
   license: MIT
   platforms:
-    - name: foo
-  min_ansible_version: 2.7
+    - name: AIX
+  min_ansible_version: "2.7"

examples/roles/invalid_meta_schema/meta/main.yml

@@ -0,0 +1,8 @@
+---
+galaxy_info:
+  author: foo
+  description: false # <-- schema fail as string is expected
+  license: XXX
+  platforms:
+    - name: AIX
+  min_ansible_version: "2.7"

examples/roles/invalid_requirements_schema/meta/requirements.yml

@@ -0,0 +1,3 @@
+---
+# this should fail validation
+foo: bar

examples/roles/valid-due-to-meta/meta/main.yml

@@ -5,5 +5,5 @@ galaxy_info:
   description: foo
   license: MIT
   platforms:
-    - name: foo
-  min_ansible_version: 2.7
+    - name: Fedora
+  min_ansible_version: "2.7"

requirements.txt

@@ -8,7 +8,7 @@ alabaster==0.7.12
 ansible-compat==2.0.2
 ansible-core==2.12.5
 ansible-pygments==0.1.1
-astroid==2.11.3
+astroid==2.11.4
 attrs==21.4.0
 babel==2.10.1
 black==22.3.0
@@ -19,7 +19,7 @@ charset-normalizer==2.0.12
 click==8.1.3
 commonmark==0.9.1
 coverage==6.3.2
-cryptography==37.0.1
+cryptography==37.0.2
 dill==0.3.4
 docutils==0.16
 enrich==1.2.7
@@ -32,6 +32,7 @@ importlib-metadata==4.11.3
 iniconfig==1.1.1
 isort==5.10.1
 jinja2==3.1.2
+jsonschema==4.5.1
 lazy-object-proxy==1.7.1
 markdown-it-py==2.1.0
 markupsafe==2.1.1
@@ -44,7 +45,7 @@ mypy-extensions==0.4.3
 myst-parser==0.17.2
 packaging==21.3
 pathspec==0.9.0
-pbr==5.8.1
+pbr==5.9.0
 pipdeptree==2.2.1
 platformdirs==2.5.2
 pluggy==1.0.0
@@ -54,8 +55,9 @@ pycodestyle==2.8.0
 pycparser==2.21
 pyflakes==2.4.0
 pygments==2.12.0
-pylint==2.13.7
+pylint==2.13.8
 pyparsing==3.0.8
+pyrsistent==0.18.1
 pytest==7.1.2
 pytest-cov==3.0.0
 pytest-forked==1.4.0
@@ -85,7 +87,7 @@ tomli==2.0.1
 typing-extensions==4.2.0
 urllib3==1.26.9
 wcmatch==8.3
-wrapt==1.14.0
+wrapt==1.14.1
 yamllint==1.26.3
 zipp==3.8.0
 

setup.cfg

@@ -66,6 +66,7 @@ install_requires =
   ansible-compat>=2.0.2  # GPLv3
   ansible-core>=2.12.0  # GPLv3
   enrich>=1.2.6
+  jsonschema>=4.5.1  # MIT, first version to have ordered keys in output
   packaging
   pyyaml
   pytest

src/ansiblelint/config.py

@@ -9,6 +9,7 @@
     # Do not sort this list, order matters.
     {"jinja2": "**/*.j2"},  # jinja2 templates are not always parsable as something else
     {"jinja2": "**/*.j2.*"},
+    {"yaml": ".github/**/*.{yaml,yml}"},  # github workflows
     {"text": "**/templates/**/*.*"},  # templates are likely not validable
     {"inventory": "**/inventory/**.yml"},
     {"requirements": "**/meta/requirements.yml"},  # v1 only
@@ -55,6 +56,25 @@
 ]
 
 
+# Maps kinds to JSON schemas
+# See https://www.schemastore.org/json/
+JSON_SCHEMAS = {
+    # playbook and task schemas not used yet due jsonschema bug:
+    # https://github.com/python-jsonschema/jsonschema/issues/931
+    # "playbook": "https://raw.githubusercontent.com/ansible/schemas/main/f/ansible.json#/definitions/playbook",
+    # "tasks": "https://raw.githubusercontent.com/ansible/schemas/main/f/ansible.json#/definitions/tasks",
+    "vars": "https://raw.githubusercontent.com/ansible/schemas/main/f/ansible-vars.json",
+    "requirements": "https://raw.githubusercontent.com/ansible/schemas/main/f/ansible-requirements.json",
+    "meta": "https://raw.githubusercontent.com/ansible/schemas/main/f/ansible-meta.json",
+    "galaxy": "https://raw.githubusercontent.com/ansible/schemas/main/f/ansible-galaxy.json",
+    # unsupported yet:
+    "execution-environment": "https://raw.githubusercontent.com/ansible/schemas/main/f/ansible-ee.json",
+    "meta-runtime": "https://raw.githubusercontent.com/ansible/schemas/main/f/ansible-meta-runtime.json",
+    "inventory": "https://raw.githubusercontent.com/ansible/schemas/main/f/ansible-inventory.json",
+    "ansible-lint-config": "https://raw.githubusercontent.com/ansible/schemas/main/f/ansible-lint.json",
+    "ansible-navigator-config": "https://raw.githubusercontent.com/ansible/ansible-navigator/main/src/ansible_navigator/data/ansible-navigator.json",
+}
+
 options = Namespace(
     cache_dir=None,
     colored=True,

src/ansiblelint/rules/risky_file_permissions.py

@@ -293,11 +293,11 @@ def matchtask(
 
     FAIL_INI_PERMISSION = """
 - hosts: all
-    tasks:
-     - name: permissions needed if create is used
-       ini_file:
-         path: foo
-         create: true
+  tasks:
+    - name: permissions needed if create is used
+      ini_file:
+        path: foo
+        create: true
 """
 
     FAIL_INI_PRESERVE = """