
fix(CI): specify more robust conditional on j2 template #14



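---
name: ci

# One run per ref+event at a time. Tag pushes are exempt from cancellation so a
# release build is never interrupted; note that with the `push: branches` trigger
# below tag refs never start this workflow, so the expression is currently always
# true and only matters if a tag trigger is added later.
concurrency:
  group: ci-${{ github.ref_name }}-${{ github.event_name }}
  cancel-in-progress: ${{ ! startsWith(github.ref, 'refs/tags/v') }}

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main

# Colourised Ansible / Python output in the Actions log.
env:
  ANSIBLE_FORCE_COLOR: "1"
  PY_COLORS: "1"

jobs:
  trivy:
    runs-on: ubuntu-latest
    # Least privilege: read the checkout, write code-scanning alerts. Private
    # repositories additionally need `actions: read` for upload-sarif.
    permissions:
      contents: read
      security-events: write
    strategy:
      # Let the fs and config scans finish independently so one failing leg
      # does not hide the other's findings.
      fail-fast: false
      matrix:
        scan-type:
          - fs
          - config
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Cache trivy db
        uses: actions/cache@v4
        with:
          path: ~/.cache/trivy
          # The key only changes with trivy.yaml, so this is a warm start;
          # trivy's own staleness check still refreshes the DB when needed.
          key: ${{ runner.os }}-trivy-db-${{ hashFiles('**/trivy.yaml') }}
          restore-keys: |
            ${{ runner.os }}-trivy-db-

      - name: Run Trivy ${{ matrix.scan-type }} scan
        # TODO(security): pin to a release tag or, better, a full commit SHA.
        # `@master` is a mutable ref: whoever can push to that branch controls
        # the code that runs with this job's token on every CI run.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: ${{ matrix.scan-type }}
          scan-ref: .
          trivy-config: trivy.yaml
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
          # Deliberate noise reduction, but it also means a CRITICAL with no
          # upstream fix yet never appears in the Security tab.
          ignore-unfixed: true
          # The action's default exit-code is 0: findings are reported but the
          # job never fails. Set `exit-code: "1"` to turn the scan into a gate.

      - name: Upload Trivy scan results to GitHub Security tab
        # Upload whatever SARIF was produced even if the scan step failed
        # (e.g. once exit-code is enabled), but not on cancellation.
        if: ${{ !cancelled() }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "trivy-results.sarif"
          # Without a category both matrix legs upload under the same
          # tool/category for the same commit and the later upload replaces
          # the earlier one's alerts; one category per scan type keeps both.
          category: trivy-${{ matrix.scan-type }}

  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    services:
      prometheus:
        image: prom/prometheus:v2.54.1
        ports:
          - "9090:9090"
    env:
      # NOTE(review): Prometheus only serves /api/v1/write when started with
      # --web.enable-remote-write-receiver, and service containers cannot
      # override the image's command. Confirm whether the playbook actually
      # pushes to this URL; if it does, writes will be rejected as configured.
      VMAGENT_REMOTE_WRITE_URL: http://localhost:9090/api/v1/write
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Check ansible
        run: ansible --version

      # Inventory targeting the runner itself; the playbook therefore runs as
      # the runner user (with its passwordless sudo) on ubuntu-latest.
      - name: Prepare localhost inventory
        run: |
          cat << 'EOF' > localhost.yml
          all:
            hosts:
              localhost:
                ansible_connection: local
          EOF

      - name: Ansible playbook
        run: ansible-playbook playbook.yml -i localhost.yml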