feat: Add support for Debian 13 (apt-key removed) + molecule tests

.gitignore

@@ -6,3 +6,4 @@
 !.vscode/settings.json
 !.vscode/extensions.json
 .idea
+molecule/*/tests/__pycache__/

README.md

@@ -28,7 +28,7 @@
 Using `ansible-galaxy`:
 
 ```shell
-$ ansible-galaxy install weareinteractive.apt
+ansible-galaxy install weareinteractive.apt
 ```
 
 Using `requirements.yml`:
@@ -40,7 +40,7 @@ Using `requirements.yml`:
 Using `git`:
 
 ```shell
-$ git clone https://github.com/weareinteractive/ansible-apt.git weareinteractive.apt
+git clone https://github.com/weareinteractive/ansible-apt.git weareinteractive.apt
 ```
 
 ## Dependencies
@@ -227,7 +227,6 @@ These are the handlers that are defined in `handlers/main.yml`.
 
 ```
 
-
 ## Usage
 
 This is an example playbook:
@@ -266,16 +265,16 @@ This is an example playbook:
 
 ```
 
-
 ## Testing
 
 ```shell
-$ git clone https://github.com/weareinteractive/ansible-apt.git
-$ cd ansible-apt
-$ make test
+git clone https://github.com/weareinteractive/ansible-apt.git
+cd ansible-apt
+uv run molecule test
 ```
 
 ## Contributing
+
 In lieu of a formal style guide, take care to maintain the existing coding style. Add unit tests and examples for any new or changed functionality.
 
 1. Fork it
@@ -287,9 +286,10 @@ In lieu of a formal style guide, take care to maintain the existing coding style
 *Note: To update the `README.md` file please install and run `ansible-role`:*
 
 ```shell
-$ gem install ansible-role
-$ ansible-role docgen
+gem install ansible-role
+ansible-role docgen
 ```
 
 ## License
+
 Copyright (c) We Are Interactive under the MIT license.

defaults/main.yml

@@ -22,7 +22,7 @@
 #     state: present
 #     update_cache: yes
 
-# depenencies packages
+# dependencies packages
 apt_dependencies:
   - aptitude
   - python3-apt

molecule/default/Dockerfile.j2

@@ -0,0 +1,22 @@
+# Molecule managed
+
+{% if item.registry is defined %}
+FROM {{ item.registry.url }}/{{ item.image }}
+{% else %}
+FROM {{ item.image }}
+{% endif %}
+
+{% if item.env is defined %}
+{% for var, value in item.env.items() %}
+{% if value %}
+ENV {{ var }} {{ value }}
+{% endif %}
+{% endfor %}
+{% endif %}
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates iproute2 && apt-get clean; \
+    elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash iproute && dnf clean all; \
+    elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash iproute && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+    elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml iproute2 && zypper clean -a; \
+    elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \
+    elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates iproute2 && xbps-remove -O; fi

molecule/default/converge.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Converge
+  hosts: all
+  become: true
+  roles:
+    - ansible-apt
+  # vars are defined in group_vars/all.yml

molecule/default/group_vars/all.yml

@@ -0,0 +1,26 @@
+---
+apt_cache_valid_time: 7200
+apt_packages:
+  - vim
+  - tree
+  - name: ca-certificates
+    state: latest
+    hold: true
+  - name: zsh
+    state: absent
+    purge: true
+apt_mails:
+  - root
+apt_preferences:
+  - file: perl
+    package: perl
+    pin: "version 5.20*"
+    priority: 1001
+apt_unattended_upgrades_notify_error_only: false
+apt_remove_recommends: true
+apt_remove_suggests: true
+apt_remove_purge: true
+apt_keys:
+  - id: 35BAA0B33E9EB396F59CA838C0BA5CE6DC6315A3
+    url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
+    keyring: /etc/apt/trusted.gpg.d/kubernetes.gpg

molecule/default/molecule.yml

@@ -0,0 +1,48 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+lint: |
+  yamllint .
+  ansible-lint
+  ruff
+platforms:
+  - name: ansible-apt-debian11
+    image: python:bullseye
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    tmpfs:
+      - /run
+      - /tmp
+    cgroupns_mode: host
+    pre_build_image: true
+
+  - name: ansible-apt-debian12
+    image: python:bookworm
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    tmpfs:
+      - /run
+      - /tmp
+    cgroupns_mode: host
+    pre_build_image: true
+
+  - name: ansible-apt-debian13
+    image: python:trixie
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    tmpfs:
+      - /run
+      - /tmp
+    cgroupns_mode: host
+    pre_build_image: true
+
+
+provisioner:
+  name: ansible
+verifier:
+  name: testinfra
+# Verbose tests
+  options:
+    s: true

molecule/default/prepare.yml

@@ -0,0 +1,25 @@
+---
+- name: Prepare
+  hosts: all
+  gather_facts: true
+  pre_tasks:
+
+    - name: Pre-conf for deb based OS
+      when: ansible_facts["pkg_mgr"] == 'apt'
+      block:
+        - name: Set python interpreter
+          ansible.builtin.set_fact:
+            ansible_python_interpreter: "/usr/bin/python3"
+        - name: Update apt cache
+          ansible.builtin.apt:
+            update_cache: true
+        - name: Install required packages
+          ansible.builtin.apt:
+            name:
+              - zsh   # Install zsh to test apt package removal
+              - python3
+              - python3-apt
+              - sudo
+              - curl
+              - gpg
+            state: present

molecule/default/tests/test_default.py

@@ -0,0 +1,48 @@
+import os
+import os.path
+import pytest
+import pprint
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
+
+
+@pytest.fixture(scope='module')
+def ansible_variables(host):
+    return host.ansible.get_variables()
+
+
+# Assert requuested packages are present
+def test_package_installed(host):
+    assert host.package("vim").is_installed
+    assert host.package("tree").is_installed
+
+
+# Assert removed packages are absent
+def test_package_removed(host):
+    assert host.package("zsh").is_installed is False
+
+
+# Assert apt key is present
+def test_apt_key_present(host, ansible_variables):
+    apt_key = ansible_variables.get('apt_keys', None)
+    assert apt_key is not None
+    assert len(apt_key) > 0
+    apt_key = apt_key[0]
+    assert host.file(apt_key['keyring']).exists
+
+
+# Assert apt pin for package is present
+def test_apt_pin_present(host, ansible_variables):
+    apt_pin = ansible_variables.get('apt_preferences', None)
+    assert apt_pin is not None
+    assert len(apt_pin) > 0
+    apt_pin = apt_pin[0]
+    pin_file = f"/etc/apt/preferences.d/{apt_pin['file']}"
+    f = host.file(pin_file)
+    assert f.exists
+    assert f.contains(f"Package: {apt_pin['package']}")
+    assert f.contains(f"Pin: {apt_pin['pin']}")
+    assert f.contains(f"Pin-Priority: {apt_pin['priority']}")

pyproject.toml

@@ -5,7 +5,7 @@ requires-python = "~=3.13.0"
 dependencies = ["commitizen"]
 
 [dependency-groups]
-dev = []
+dev = ["molecule", "testinfra", "molecule-plugins[docker]", "ansible-lint"]
 
 [tool.uv]
 package = false

tasks/keys.yml

@@ -2,7 +2,7 @@
 
 - name: Adding apt signing key
   become: true
-  apt_key:
+  ansible.builtin.apt_key:
     id: "{{ item.id | default(omit) }}"
     file: "{{ item.file | default(omit) }}"
     data: "{{ item.data | default(omit) }}"
@@ -12,3 +12,45 @@
     validate_certs: "{{ item.validate_certs | default(omit) }}"
     state: "{{ item.state | default('present') }}"
   with_items: "{{ apt_keys }}"
+  # apt-key is deprecated in Debian 12 and Ubuntu 22.04+ and removed in Debian 13 and Ubuntu 24.04+
+  when: ansible_facts["distribution"] == 'Debian' and ansible_facts["distribution_major_version"] is version('12', '<=') or
+        ansible_facts["distribution"] == 'Ubuntu' and ansible_facts["distribution_major_version"] is version('22', '<=')
+
+
+# apt-key is removed in Debian 13 and Ubuntu 24.04+
+# manual operations to add/remove apt keys
+# FIXME: keyserver and validate_certs options are not supported in this block
+- name: Adding apt signing key (manual operations)
+  become: true
+  when: ansible_facts["distribution"] == 'Debian' and ansible_facts["distribution_major_version"] is version('13', '>=') or
+        ansible_facts["distribution"] == 'Ubuntu' and ansible_facts["distribution_major_version"] is version('24', '>=')
+  block:
+    - name: Get apt signing key from URL (manual)
+      ansible.builtin.get_url:
+        url: "{{ item.url }}"
+        dest: "{{ item.keyring }}"
+        mode: '0644'
+        force: true
+      with_items: "{{ apt_keys }}"
+      when:
+        - item.keyring is defined
+        - item.url is defined
+        - item.state is not defined or item.state == 'present'
+    - name: Create apt keyring file from provided key data (manual)
+      ansible.builtin.copy:
+        content: "{{ item.data }}"
+        dest: "{{ item.keyring }}"
+        mode: '0644'
+      with_items: "{{ apt_keys }}"
+      when:
+        - item.keyring is defined
+        - item.data is defined
+        - item.state is not defined or item.state == 'present'
+    - name: Remove key if requested (manual)
+      ansible.builtin.file:
+        state: absent
+        path: "{{ item.keyring }}"
+      with_items: "{{ apt_keys }}"
+      when:
+        - item.state is defined
+        - item.state == 'absent'