diff --git a/.ansible-lint b/.ansible-lint
index 7a9eb05b..b6256e0b 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -1,4 +1,9 @@
 skip_list:
- - '204'
- - '301'
- - '701'
+ - '204' # Lines should be no longer than 160 chars
+ - '301' # Commands should not change things if nothing needs doing
+ - '701' # 701 No 'galaxy_info' found
+ - unnamed-task
+ - risky-file-permissions
+ - no-jinja-nesting
+ - command-instead-of-shell # some Drupal 7 drush commands require shell
+ - command-instead-of-module
diff --git a/.github/workflows/ce-deploy-test.yml b/.github/workflows/ce-deploy-test.yml
index e68e8604..b93a6d3e 100644
--- a/.github/workflows/ce-deploy-test.yml
+++ b/.github/workflows/ce-deploy-test.yml
@@ -10,7 +10,7 @@ jobs:
 # Name the Job
 name: Run tests against Ansible code base
 # Set the type of machine to run on
- runs-on: ubuntu-latest
+ runs-on: ubuntu-20.04
 steps:
 # Checks out a copy of your repository on the ubuntu-latest machine
diff --git a/roles/cache_clear/cache_clear-opcache/tasks/main.yml b/roles/cache_clear/cache_clear-opcache/tasks/main.yml
index 428e9053..97f91ed4 100644
--- a/roles/cache_clear/cache_clear-opcache/tasks/main.yml
+++ b/roles/cache_clear/cache_clear-opcache/tasks/main.yml
@@ -1,7 +1,9 @@
 ---
 - name: Get latest php installed
 ansible.builtin.shell:
- cmd: 'ls -1 /etc/php/ | while read ver; do if [ -d "/etc/php/$ver/fpm" ]; then echo "$ver"; fi; done | tail -1'
+ cmd: 'set -o pipefail && ls -1 /etc/php/ | while read ver; do if [ -d "/etc/php/$ver/fpm" ]; then echo "$ver"; fi; done | tail -1'
+ args:
+ executable: /bin/bash
 register: _php_version
 - name: Set cachetool adapter.
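Review bot: Adding `risky-file-permissions`, `command-instead-of-shell` and `command-instead-of-module` to `skip_list` switches those checks off for every role, not only for the Drupal 7 drush tasks the inline comment mentions. `risky-file-permissions` is the rule that flags file-creating tasks with no explicit `mode`, so a new task that writes a file holding sensitive data would no longer be reported. Consider listing these under `warn_list` instead and marking the known exceptions on the task itself, e.g. `# noqa command-instead-of-shell` on the drush shell tasks.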
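Review bot: `set -o pipefail` makes a failing `ls` fail the "Get latest php installed" task, but an empty result still passes: when no `/etc/php/<ver>/fpm` directory exists the loop prints nothing and exits 0, and `_php_version.stdout` is then empty where the following hunk's `_cachetool_adapter` default appends it to `--fcgi=127.0.0.1:90`. Adding `failed_when: _php_version.rc != 0 or _php_version.stdout | length == 0` closes that gap, and `changed_when: false` would stop this read-only lookup from reporting a change. The same pipeline in roles/cli/cachetool/tasks/main.yml (hunk `@@ -14,10 +14,15 @@`) has the same gap; there an empty string passed through `int` compares as 0 and would select the `< 71` branch.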
@@ -9,16 +11,16 @@
 _cachetool_adapter: "{{ cache_clear_opcache.adapter | default('--fcgi=127.0.0.1:90' + _php_version.stdout | replace('.','')) }}"
 - name: Clear opcache.
- command:
+ ansible.builtin.command:
 cmd: "{{ cachetool_bin }} {{ _cachetool_adapter }} -n opcache:reset"
 when: cache_clear_opcache.clear_opcache
 - name: Clear apcu.
- command:
+ ansible.builtin.command:
 cmd: "{{ cachetool_bin }} {{ _cachetool_adapter }} -n apcu:cache:clear"
 when: cache_clear_opcache.clear_apcu
 - name: Clear stats.
- command:
+ ansible.builtin.command:
 cmd: "{{ cachetool_bin }} {{ _cachetool_adapter }} -n stat:clear"
 when: cache_clear_opcache.clear_stat
diff --git a/roles/cli/cachetool/tasks/main.yml b/roles/cli/cachetool/tasks/main.yml
index 2e2a49d1..c0cbce61 100644
--- a/roles/cli/cachetool/tasks/main.yml
+++ b/roles/cli/cachetool/tasks/main.yml
@@ -14,10 +14,15 @@
 - deploy_operation == 'deploy'
 - name: Download cachetool depending on latest php version installed. # If not specified manually, according to https://github.com/gordalina/cachetool#compatibility
+ when:
+ - deploy_operation == 'deploy'
+ - cachetool.version | length == 0
 block:
 - name: Get latest php installed
 ansible.builtin.shell:
- cmd: 'ls -1 /etc/php/ | while read ver; do if [ -d "/etc/php/$ver/fpm" ]; then echo "$ver"; fi; done | tail -1 | sed -e "s/\\.//g"'
+ cmd: 'set -o pipefail && ls -1 /etc/php/ | while read ver; do if [ -d "/etc/php/$ver/fpm" ]; then echo "$ver"; fi; done | tail -1 | sed -e "s/\\.//g"'
+ args:
+ executable: /bin/bash
 register: _php_version_str
 - name: Download latest cachetool installer if PHP is 8.1 or newer.
@@ -69,10 +74,6 @@
 when:
 - _php_version_str.stdout | int < 71
- when:
- - deploy_operation == 'deploy'
- - cachetool.version | length == 0
-
 - name: "Download the specified {{ cachetool.version }} cachetool version installer."
 ansible.builtin.get_url:
 url: "http://gordalina.github.io/cachetool/downloads/cachetool-{{ cachetool.version }}.phar"
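Review bot: The `ansible.builtin.get_url` task shown as context at the end of hunk `@@ -69,10 +74,6 @@` fetches a PHAR from `http://gordalina.github.io/…` over plain HTTP, so the file, which is presumably executed later as cachetool, can be altered in transit without the play noticing. Switching the URL to `https://` and adding `checksum: "sha256:<expected-digest-placeholder>"` for the chosen `cachetool.version` would make the install verifiable. The rest of that task lies outside the hunk, so a checksum may already be set there; the download tasks inside the block above are not visible here either and deserve the same check.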
diff --git a/roles/cli/drush/tasks/main.yml b/roles/cli/drush/tasks/main.yml
index ec470c27..8d35ae1c 100644
--- a/roles/cli/drush/tasks/main.yml
+++ b/roles/cli/drush/tasks/main.yml
@@ -16,7 +16,9 @@
 register: drush_global_directory
 - name: Check if installed Drush version match.
- ansible.builtin.shell: "{{ drush_bin }} --version | grep -o '[0-9]\\.[0-9]\\.[0-9]'"
+ ansible.builtin.shell: "set -o pipefail && {{ drush_bin }} --version | grep -o '[0-9]\\.[0-9]\\.[0-9]'"
+ args:
+ executable: /bin/bash
 register: drush_global_version
 when:
 - deploy_operation == 'deploy'
diff --git a/roles/database_apply/database_apply-drupal7/tasks/ctools.yml b/roles/database_apply/database_apply-drupal7/tasks/ctools.yml
index 8102d3d6..518996ab 100644
--- a/roles/database_apply/database_apply-drupal7/tasks/ctools.yml
+++ b/roles/database_apply/database_apply-drupal7/tasks/ctools.yml
@@ -2,8 +2,10 @@
 # For some reason D7 drush doesn't respect 'chdir' with command, using shell instead.
 - name: Check if Ctools module is enabled.
 ansible.builtin.shell:
- cmd: "{{ drush_bin }} pm-info ctools | grep ': enabled' | wc -l"
+ cmd: "set -o pipefail && {{ drush_bin }} pm-info ctools | grep ': enabled' | wc -l"
 chdir: "{{ deploy_path }}/{{ webroot }}/sites/{{ site.folder }}"
+ args:
+ executable: /bin/bash
 register: ctools_enabled
 - name: Revert Drupal configuration from Ctools.
diff --git a/roles/database_apply/database_apply-drupal7/tasks/features.yml b/roles/database_apply/database_apply-drupal7/tasks/features.yml
index f55795dc..2b4357eb 100644
--- a/roles/database_apply/database_apply-drupal7/tasks/features.yml
+++ b/roles/database_apply/database_apply-drupal7/tasks/features.yml
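Review bot: The version pattern `[0-9]\\.[0-9]\\.[0-9]` on the changed `ansible.builtin.shell` line in roles/cli/drush/tasks/main.yml matches a single digit per component, so a Drush version with a two-digit part (a constructed example: `10.3.6`) is registered in `drush_global_version` as `0.3.6`. Whatever later compares that value against the wanted version would then see a mismatch or, worse, a false match. `grep -oE '[0-9]+\\.[0-9]+\\.[0-9]+'` captures the whole version. The task's `when` list continues outside the hunk.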
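Review bot: With `set -o pipefail` the Ctools check now exits non-zero whenever the module is not enabled, because `grep ': enabled'` returns 1 on no match and that status becomes the pipeline's, where before `wc -l` printed `0` and the task succeeded. No `failed_when` or `ignore_errors` is visible on the task, so the not-enabled path would stop the play instead of registering `0`. Keeping the drush failure detection while tolerating an empty match could look like `cmd: "set -o pipefail && {{ drush_bin }} pm-info ctools | { grep ': enabled' || true; } | wc -l"`. The Features check in tasks/features.yml (hunk `@@ -1,7 +1,9 @@`) uses the same pipeline and needs the same change. `executable: /bin/bash` could also sit beside `chdir` inside the module mapping rather than under a separate `args:`.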
@@ -1,7 +1,9 @@
 ---
 # For some reason D7 drush doesn't respect 'chdir' with command, using shell instead.
 - name: Check if Features module is enabled.
- ansible.builtin.shell: "cd {{ deploy_path }}/{{ webroot }}/sites/{{ site.folder }} && {{ drush_bin }} -l {{ site.folder }} pm-info features | grep ': enabled' | wc -l"
+ ansible.builtin.shell: "set -o pipefail && cd {{ deploy_path }}/{{ webroot }}/sites/{{ site.folder }} && {{ drush_bin }} -l {{ site.folder }} pm-info features | grep ': enabled' | wc -l"
+ args:
+ executable: /bin/bash
 register: features_enabled
 - name: Revert Drupal configuration from Features.
diff --git a/roles/database_apply/database_apply-drupal7/tasks/main.yml b/roles/database_apply/database_apply-drupal7/tasks/main.yml
index 6b745c3b..d64364c4 100644
--- a/roles/database_apply/database_apply-drupal7/tasks/main.yml
+++ b/roles/database_apply/database_apply-drupal7/tasks/main.yml
@@ -12,8 +12,10 @@
 when: previous_build_number == 0 or (site.force_install is defined and site.force_install)
 - name: Fix permissions on Drupal directory.
- ansible.builtin.shell:
- cmd: "chmod 755 {{ deploy_path }}/{{ webroot }}/sites/{{ site.folder }}"
+ ansible.builtin.file:
+ path: "{{ deploy_path }}/{{ webroot }}/sites/{{ site.folder }}"
+ state: directory
+ mode: '0755'
 with_items: "{{ drupal.sites }}"
 loop_control:
 loop_var: site
diff --git a/roles/database_apply/database_apply-drupal8/tasks/main.yml b/roles/database_apply/database_apply-drupal8/tasks/main.yml
index 16f0417b..4dc66a3a 100644
--- a/roles/database_apply/database_apply-drupal8/tasks/main.yml
+++ b/roles/database_apply/database_apply-drupal8/tasks/main.yml
@@ -1,6 +1,6 @@
 ---
 - name: Fix file permissions for settings.php.
- file:
+ ansible.builtin.file:
 state: file
 path: "{{ deploy_path }}/{{ webroot }}/sites/{{ site.folder }}/settings.php"
 owner: "{{ www_user }}"
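Review bot: `state: directory` in the Drupal 7 "Fix permissions on Drupal directory." task changes its failure mode: `chmod 755` failed when the site directory was missing, whereas `ansible.builtin.file` will create it, owned by whichever user the task runs as, and carry on. If a missing `sites/{{ site.folder }}` should stop the deploy, omit `state` (the module then keeps an existing directory as it is and fails on a missing path) or put an `ansible.builtin.stat` check in front. The same replacement appears in database_apply-drupal8/tasks/main.yml (hunk `@@ -25,8 +25,10 @@`); both tasks continue past their hunks.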
@@ -14,7 +14,7 @@
 - previous_build_number == 0
 - name: Install Drupal.
- command:
+ ansible.builtin.command:
 cmd: "{{ drush_bin }} -l {{ site.folder }} {{ site.install_command }}"
 chdir: "{{ deploy_path }}/{{ webroot }}/sites/{{ site.folder }}"
 become: "{{ 'no' if www_user == deploy_user else 'yes' }}"
@@ -25,8 +25,10 @@
 when: (previous_build_number == 0) or (site.force_install is defined and site.force_install)
 - name: Fix permissions on Drupal directory.
- shell:
- cmd: "chmod 755 {{ deploy_path }}/{{ webroot }}/sites/{{ site.folder }}"
+ ansible.builtin.file:
+ path: "{{ deploy_path }}/{{ webroot }}/sites/{{ site.folder }}"
+ state: directory
+ mode: '0755'
 with_items: "{{ drupal.sites }}"
 loop_control:
 loop_var: site
@@ -48,7 +50,7 @@
 when: previous_build_number > 0
 - name: Apply Drupal database updates.
- command:
+ ansible.builtin.command:
 cmd: "{{ drush_bin }} -l {{ site.folder }} -y updb"
 chdir: "{{ deploy_path }}/{{ webroot }}/sites/{{ site.folder }}"
 become: "{{ 'no' if www_user == deploy_user else 'yes' }}"
@@ -59,7 +61,7 @@
 when: site.config_import_command != 'deploy'
 - name: Import configuration.
- command:
+ ansible.builtin.command:
 cmd: "{{ drush_bin }} -l {{ site.folder }} -y {{ site.config_import_command }}"
 chdir: "{{ deploy_path }}/{{ webroot }}/sites/{{ site.folder }}"
 become: "{{ 'no' if www_user == deploy_user else 'yes' }}"
diff --git a/roles/database_backup/database_backup-mysql/tasks/deploy-dump.yml b/roles/database_backup/database_backup-mysql/tasks/deploy-dump.yml
index 80a6e5ef..9f6f6959 100644
--- a/roles/database_backup/database_backup-mysql/tasks/deploy-dump.yml
+++ b/roles/database_backup/database_backup-mysql/tasks/deploy-dump.yml
@@ -23,6 +23,8 @@
 run_once: true
 - name: Take a database dump.
- ansible.builtin.shell: "mysqldump --defaults-extra-file={{ database.credentials_file }} {{ mysql_backup.mysqldump_params }} {{ database.database }} | bzip2 > {{ mysql_backup.dumps_directory }}/{{ _mysql_host }}/{{ database.database }}-{{ previous_build_number }}.sql.bz2"
+ ansible.builtin.shell: "set -o pipefail && mysqldump --defaults-extra-file={{ database.credentials_file }} {{ mysql_backup.mysqldump_params }} {{ database.database }} | bzip2 > {{ mysql_backup.dumps_directory }}/{{ _mysql_host }}/{{ database.database }}-{{ previous_build_number }}.sql.bz2"
+ args:
+ executable: /bin/bash
 when: previous_build_number > 0
 run_once: true
diff --git a/roles/database_backup/database_backup-mysql/tasks/deploy-rolling.yml b/roles/database_backup/database_backup-mysql/tasks/deploy-rolling.yml
index f7f109bc..aec45596 100644
--- a/roles/database_backup/database_backup-mysql/tasks/deploy-rolling.yml
+++ b/roles/database_backup/database_backup-mysql/tasks/deploy-rolling.yml
@@ -22,6 +22,8 @@
 # run_once: true
 - name: Populate new database.
- ansible.builtin.shell: "mysqldump --defaults-extra-file={{ database.credentials_file }} {{ mysql_backup.mysqldump_params }} {{ _mysql_previous_build_database_name }} | mysql --defaults-extra-file={{ database.credentials_file }} {{ _mysql_build_database_name }}"
+ ansible.builtin.shell: "set -o pipefail && mysqldump --defaults-extra-file={{ database.credentials_file }} {{ mysql_backup.mysqldump_params }} {{ _mysql_previous_build_database_name }} | mysql --defaults-extra-file={{ database.credentials_file }} {{ _mysql_build_database_name }}"
+ args:
+ executable: /bin/bash
 when: previous_build_number > 0
 run_once: true
diff --git a/roles/database_backup/database_backup-mysql/tasks/revert-dump.yml b/roles/database_backup/database_backup-mysql/tasks/revert-dump.yml
index f914ee78..80898e7d 100644
--- a/roles/database_backup/database_backup-mysql/tasks/revert-dump.yml
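Review bot: The dump in "Take a database dump." is created by shell redirection, so its permissions come from the process umask, and a failed `mysqldump` still leaves a truncated `.sql.bz2` at the final path. `pipefail` now fails the task in that case, but the partial file stays at the same path that revert-dump.yml feeds to `bzcat … | mysql`. Starting the command with `umask 077 &&` and writing to a temporary name that is renamed only on success would keep database contents private (unless the dumps directory is already restricted, which is not visible here) and avoid restoring from a partial dump. The dump in roles/sync/database_sync/database_sync-mysql/tasks/sync.yml (hunk `@@ -61,7 +61,9 @@`) follows the same pattern.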
+++ b/roles/database_backup/database_backup-mysql/tasks/revert-dump.yml
@@ -1,5 +1,7 @@
 ---
 - name: Revert database from dump.
- ansible.builtin.shell: "bzcat {{ mysql_backup.dumps_directory }}/{{ _mysql_host }}/{{ database.database }}-{{ previous_build_number }}.sql.bz2 | mysql --defaults-extra-file={{ database.credentials_file }} {{ database.database }}"
+ ansible.builtin.shell: "set -o pipefail && bzcat {{ mysql_backup.dumps_directory }}/{{ _mysql_host }}/{{ database.database }}-{{ previous_build_number }}.sql.bz2 | mysql --defaults-extra-file={{ database.credentials_file }} {{ database.database }}"
+ args:
+ executable: /bin/bash
 when: previous_build_number > 0
 run_once: true
diff --git a/roles/deploy_code/tasks/cleanup.yml b/roles/deploy_code/tasks/cleanup.yml
index 27878342..db2bb9bb 100644
--- a/roles/deploy_code/tasks/cleanup.yml
+++ b/roles/deploy_code/tasks/cleanup.yml
@@ -127,7 +127,9 @@
 - name: Check if we have a mount already.
 ansible.builtin.shell:
- cmd: "mount | grep {{ deploy_base_path }}"
+ cmd: "set -o pipefail && mount | grep {{ deploy_base_path }}"
+ args:
+ executable: /bin/bash
 failed_when: false
 register: _deploy_code_mount_check
 when:
diff --git a/roles/sync/database_sync/database_sync-mysql/tasks/sync.yml b/roles/sync/database_sync/database_sync-mysql/tasks/sync.yml
index 29100ab5..c695982c 100644
--- a/roles/sync/database_sync/database_sync-mysql/tasks/sync.yml
+++ b/roles/sync/database_sync/database_sync-mysql/tasks/sync.yml
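Review bot: `failed_when: false` on "Check if we have a mount already." means the added `set -o pipefail` cannot change the task's outcome, so here it only satisfies the linter. The pattern `{{ deploy_base_path }}` is unquoted and read by `grep` as a regular expression, so the check also succeeds for any mount line that merely contains that string, such as a sibling path with the same prefix. `grep -F -- '{{ deploy_base_path }}'` would be a tighter test, and `changed_when: false` would mark the lookup as read-only. The task's `when` list continues outside the hunk.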
@@ -61,7 +61,9 @@
 when: not database.source.type == 'rolling'
 - name: Take a dump from source database.
- ansible.builtin.shell: "mysqldump --defaults-extra-file={{ database.source.credentials_file }} {{ mysql_sync.mysqldump_params }} {{ mysql_sync_source_database }} | bzip2 > {{ mysql_sync_source_dump_path }}"
+ ansible.builtin.shell: "set -o pipefail && mysqldump --defaults-extra-file={{ database.source.credentials_file }} {{ mysql_sync.mysqldump_params }} {{ mysql_sync_source_database }} | bzip2 > {{ mysql_sync_source_dump_path }}"
+ args:
+ executable: /bin/bash
 delegate_to: "{{ database.source.host }}"
 when:
 - database.source.fresh_db
@@ -133,7 +135,9 @@
 cmd: "mysql --defaults-extra-file={{ database.target.credentials_file }} -e 'create database {{ mysql_sync_target_database }};'"
 - name: Repopulate database from dump.
- ansible.builtin.shell: "bzcat {{ mysql_sync_target_dump_path }} | mysql --defaults-extra-file={{ database.target.credentials_file }} {{ mysql_sync_target_database }}"
+ ansible.builtin.shell: "set -o pipefail && bzcat {{ mysql_sync_target_dump_path }} | mysql --defaults-extra-file={{ database.target.credentials_file }} {{ mysql_sync_target_database }}"
+ args:
+ executable: /bin/bash
 - name: Remove tmp dump file.
 ansible.builtin.file: