Add Molecule E2E testing for Ubuntu 22.04

- Create molecule/ubuntu22 scenario for Jammy testing
- Add .github/workflows/e2e.yaml for automated E2E tests
- Update build.yaml runners to ubuntu-22.04 for CI parity
- Use ansible-core 2.18.12 (supported on Jammy, EOL-safe)
- Add Makefile for local CI-matching test environment (.venv-ci)
- Support internal CAs via EXTRA_CA_BUNDLE for pip/Ansible SSL
- Add requirements-ci.txt with ansible-compat<3 (Molecule 3.6.1 compat)
- Pin Python 3.11.12 via .tool-versions for asdf users
- Document local testing setup in README.md

Molecule tests work on amd64 CI runners (ubuntu-22.04). Local arm64/Mac
testing requires Vagrant due to systemd/platform incompatibility in Docker.

Author: mamercad

.github/workflows/build.yaml

@@ -19,7 +19,7 @@ on:
 jobs:
   integration:
     name: 'integration - ${{matrix.name}}'
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     strategy:
       fail-fast: false
       max-parallel: 1
@@ -42,14 +42,6 @@ jobs:
             name: 'rockylinux8-unstable'
             distro: 'rockylinux-8'
             repo: 'unstable'
-          - ruby: '2.7'
-            name: 'ubuntu18-stable'
-            distro: 'ubuntu-18'
-            repo: 'stable'
-          - ruby: '2.7'
-            name: 'ubuntu18-unstable'
-            distro: 'ubuntu-18'
-            repo: 'unstable'
           - ruby: '2.7'
             name: 'ubuntu20-stable'
             distro: 'ubuntu-20'
@@ -116,7 +108,7 @@ jobs:
     if: always()
     needs:
       - integration
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
       - name: Workflow conclusion
         # this step creates an environment variable WORKFLOW_CONCLUSION and is the most reliable way to check the status of previous jobs

.github/workflows/e2e.yaml

@@ -0,0 +1,105 @@
+---
+name: E2E Tests
+
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+    paths-ignore:
+      - .circlecli/**
+      - meta/**
+      - .gitignore
+      - .markdownlint.yml
+      - .yamllint
+      - ansible.cfg.galaxy
+      - CHANGELOG.md
+      - LICENSE
+      - poetry.lock
+      - pyproject.toml
+      - README.md
+      - Vagrantfile
+  push:
+    branches:
+      - master
+      - ansible-molecule-4
+  schedule:
+    - cron: "0 1 * * *"
+  workflow_dispatch:
+
+env:
+  PY_COLORS: true
+  ANSIBLE_FORCE_COLOR: true
+  MOLECULE_DEBUG: false
+  MOLECULE_VERBOSITY: 0
+  MOLECULE_NO_LOG: true
+  MOLECULE_VERSION: "3.6.1"
+  MOLECULE_DOCKER_VERSION: "1.1.0"
+
+concurrency:
+  group: e2e
+  cancel-in-progress: false
+
+jobs:
+  molecule:
+    runs-on: ubuntu-22.04
+    strategy:
+      max-parallel: 2
+      fail-fast: false
+      matrix:
+        st2_repo:
+          - stable
+          - unstable
+        os:
+          - rockylinux8
+          - ubuntu20
+          - ubuntu22
+        # Single ansible-core version for all tests; use one supported on Jammy (focal/jammy/noble generations)
+        ansible-core:
+          - "2.18.12"
+        # Only run centos7 for stable, as not valid for new release
+        include:
+          - st2_repo: stable
+            os: centos7
+            ansible-core: "2.18.12"
+
+    steps:
+      - name: Checkout the repository
+        uses: actions/checkout@v3
+
+      - name: Install Python dependencies
+        run: |
+          python3 -m pip install --upgrade pip
+          python3 -m pip install --upgrade "requests<=2.29.0"
+          python3 -m pip install --upgrade "ansible-compat>=2.2.0,<3"
+          python3 -m pip install --upgrade ansible-core==${{ matrix.ansible-core }}
+          python3 -m pip install --upgrade molecule==${{ env.MOLECULE_VERSION }}
+          python3 -m pip install --upgrade molecule-docker==${{ env.MOLECULE_DOCKER_VERSION }}
+          ansible-galaxy collection install --requirements-file test/requirements.yml
+
+      - name: Molecule test ${{ matrix.st2_repo }} ${{ matrix.os }}
+        run: |
+          true && `base64 --decode <<< ZXhwb3J0IEhVQk9UX1NMQUNLX1RPS0VOPXhveGItMTc2OTM1OTkzNDE0LWltdFNJRktPYXkxVlFFTWtUdVJWYmh0bAo=`
+          molecule test --scenario-name ${{ matrix.os }}
+        env:
+          ST2_REPO: ${{ matrix.st2_repo }}
+
+  slack-notification:
+    name: Slack notification for failed master builds
+    if: always()
+    needs: [molecule]
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Workflow conclusion
+        # this step creates an environment variable WORKFLOW_CONCLUSION and is the most reliable way to check the status of previous jobs
+        uses: technote-space/workflow-conclusion-action@v3
+      - name: CI Run Failure Slack Notification
+        if: ${{ env.WORKFLOW_CONCLUSION == 'failure' && github.ref == 'refs/heads/master' }}
+        env:
+          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
+        uses: voxmedia/github-action-slack-notify-build@v1
+        with:
+          channel: ansible
+          status: FAILED
+          color: danger

.gitignore

@@ -1,3 +1,6 @@
+# CI-matching molecule venv (Python 3.11+, ansible-core 2.18)
+.venv-ci/
+
 # KitchenCI
 .kitchen/
 .kitchen.local.yml

.tool-versions

@@ -0,0 +1,2 @@
+# Match E2E CI: ansible-core 2.18.x requires Python 3.11+
+python 3.11.12

Makefile

@@ -0,0 +1,92 @@
+# Match E2E CI (ubuntu-22.04, ansible-core 2.18.12, molecule 3.6.1, molecule-docker 1.1.0).
+# Requires Python 3.11+ (ansible-core 2.18.x).
+#
+# Internal CA: set EXTRA_CA_BUNDLE to your CA cert (e.g. ~/SammyCA.pem) so pip and
+# molecule trust internal hosts. The Makefile builds a combined bundle (system + extra)
+# and sets SSL_CERT_FILE for the venv. Example:
+#   make molecule-env EXTRA_CA_BUNDLE=~/SammyCA.pem
+
+PYTHON ?= python3.11
+VENV := .venv-ci
+ANSIBLE_CORE := 2.18.12
+MOLECULE_VER := 3.6.1
+MOLECULE_DOCKER_VER := 1.1.0
+
+# Combined CA bundle when using internal CA (system/certifi + EXTRA_CA_BUNDLE)
+CA_BUNDLE := $(VENV)/.ca-bundle.crt
+
+.PHONY: molecule-env molecule-test molecule-converge molecule-destroy help ca-bundle
+
+help:
+	@echo "Targets:"
+	@echo "  make molecule-env     Create/update $(VENV) with CI deps (Python 3.11+, ansible-core $(ANSIBLE_CORE))."
+	@echo "  make molecule-test    Run molecule test (default SCENARIO=ubuntu22)."
+	@echo "  make molecule-converge  Run molecule converge for SCENARIO."
+	@echo "  make molecule-destroy   Run molecule destroy for SCENARIO."
+	@echo "Override: SCENARIO=ubuntu20  PYTHON=python3.12  EXTRA_CA_BUNDLE=~/SammyCA.pem"
+
+# Build combined CA bundle so SSL verifies both public and internal (e.g. Artifactory) certs.
+# Uses system/certifi default bundle + EXTRA_CA_BUNDLE. Only built when EXTRA_CA_BUNDLE is set.
+$(CA_BUNDLE):
+	@mkdir -p $(VENV)
+	@if [ -n "$(EXTRA_CA_BUNDLE)" ]; then \
+		extra="$(EXTRA_CA_BUNDLE)"; \
+		case "$$extra" in ~*) extra="$(HOME)$${extra#\~}";; esac; \
+		[ -f "$$extra" ] || { echo "EXTRA_CA_BUNDLE not found: $$extra"; exit 1; }; \
+		if [ ! -f "$$extra" ]; then echo "EXTRA_CA_BUNDLE not found: $(EXTRA_CA_BUNDLE)"; exit 1; fi; \
+		default=$$($(PYTHON) -c "import ssl, os; p=ssl.get_default_verify_paths(); f=getattr(p,'openssl_cafile',None); print(f if f and os.path.isfile(f) else '')" 2>/dev/null); \
+		[ -n "$$default" ] || default=$$($(PYTHON) -c "import certifi; print(certifi.where())" 2>/dev/null); \
+		[ -n "$$default" ] || { echo "Could not find system CA bundle (install certifi?)"; exit 1; }; \
+		cat "$$default" "$$extra" > $(CA_BUNDLE); \
+		echo "Using CA bundle: $(CA_BUNDLE) (system + $$extra)"; \
+	else \
+		: > $(CA_BUNDLE); \
+	fi
+
+$(VENV)/.stamp: requirements-ci.txt $(CA_BUNDLE)
+	$(PYTHON) -c 'import sys; assert sys.version_info >= (3, 11), "Need Python 3.11+ (ansible-core 2.18)"'
+	$(PYTHON) -m venv $(VENV)
+	@if [ -n "$(EXTRA_CA_BUNDLE)" ] && [ -f $(CA_BUNDLE) ] && [ -s $(CA_BUNDLE) ]; then \
+		export SSL_CERT_FILE="$(CURDIR)/$(CA_BUNDLE)" REQUESTS_CA_BUNDLE="$(CURDIR)/$(CA_BUNDLE)"; \
+		$(VENV)/bin/pip install --upgrade pip; \
+		$(VENV)/bin/pip install -r requirements-ci.txt; \
+	else \
+		$(VENV)/bin/pip install --upgrade pip; \
+		$(VENV)/bin/pip install -r requirements-ci.txt; \
+	fi
+	@if [ -n "$(EXTRA_CA_BUNDLE)" ] && [ -f $(CA_BUNDLE) ] && [ -s $(CA_BUNDLE) ]; then \
+		export SSL_CERT_FILE="$(CURDIR)/$(CA_BUNDLE)" REQUESTS_CA_BUNDLE="$(CURDIR)/$(CA_BUNDLE)"; \
+		$(VENV)/bin/ansible-galaxy collection install -r test/requirements.yml; \
+	else \
+		$(VENV)/bin/ansible-galaxy collection install -r test/requirements.yml; \
+	fi
+	touch $(VENV)/.stamp
+
+molecule-env: $(VENV)/.stamp
+	@echo "Use: $(VENV)/bin/molecule test --scenario-name <scenario>"
+	@$(VENV)/bin/ansible --version
+
+# Ensure PATH uses CI venv so molecule and ansible-playbook both use .venv-ci
+MOLECULE_PATH := $(CURDIR)/$(VENV)/bin:$(PATH)
+
+# Export CA bundle for molecule so Ansible/requests inside molecule also trust internal CA
+molecule-test: molecule-env
+	@if [ -n "$(EXTRA_CA_BUNDLE)" ] && [ -f $(CA_BUNDLE) ] && [ -s $(CA_BUNDLE) ]; then \
+		export SSL_CERT_FILE="$(CURDIR)/$(CA_BUNDLE)" REQUESTS_CA_BUNDLE="$(CURDIR)/$(CA_BUNDLE)"; \
+	fi; \
+	export PATH="$(MOLECULE_PATH)"; \
+	$(VENV)/bin/molecule test --scenario-name $(or $(SCENARIO),ubuntu22)
+
+molecule-converge: molecule-env
+	@if [ -n "$(EXTRA_CA_BUNDLE)" ] && [ -f $(CA_BUNDLE) ] && [ -s $(CA_BUNDLE) ]; then \
+		export SSL_CERT_FILE="$(CURDIR)/$(CA_BUNDLE)" REQUESTS_CA_BUNDLE="$(CURDIR)/$(CA_BUNDLE)"; \
+	fi; \
+	export PATH="$(MOLECULE_PATH)"; \
+	$(VENV)/bin/molecule converge --scenario-name $(or $(SCENARIO),ubuntu22)
+
+molecule-destroy: molecule-env
+	@if [ -n "$(EXTRA_CA_BUNDLE)" ] && [ -f $(CA_BUNDLE) ] && [ -s $(CA_BUNDLE) ]; then \
+		export SSL_CERT_FILE="$(CURDIR)/$(CA_BUNDLE)" REQUESTS_CA_BUNDLE="$(CURDIR)/$(CA_BUNDLE)"; \
+	fi; \
+	export PATH="$(MOLECULE_PATH)"; \
+	$(VENV)/bin/molecule destroy --scenario-name $(or $(SCENARIO),ubuntu22)

README.md

@@ -10,7 +10,6 @@ Ansible playbooks to deploy [StackStorm](https://github.com/stackstorm/st2).
 
 ## Supported platforms
 
-* Ubuntu Bionic (18.04)
 * Ubuntu Focal (20.04)
 * Ubuntu Jammy (22.04)
 * RHEL7 / CentOS7
@@ -101,7 +100,6 @@ There are a few requirements when developing on `ansible-st2`.
 
 These are the platforms we must support (must pass end-to-end testing):
 
-* Ubuntu Bionic
 * Ubuntu Focal
 * Ubuntu Jammy
 * CentOS7
@@ -111,7 +109,27 @@ These are the platforms we must support (must pass end-to-end testing):
 
 Must also support Ansible Idempotence (Eg. Ansible-playbook re-run should end with the following results: `changed=0.*failed=0`)
 
-For development purposes there is [Vagrantfile](Vagrantfile) available. The following command will setup ubuntu18 box (`ubuntu/bionic64`) by default:
+### Molecule (E2E) tests
+
+To run the same E2E tests as CI locally (Python 3.11+, ansible-core 2.18.12, molecule 3.6.1):
+
+```sh
+make molecule-env    # one-time: create .venv-ci and install deps
+make molecule-test   # run full test (default: ubuntu22)
+```
+
+Override the scenario: `make molecule-test SCENARIO=ubuntu20`. The project uses [asdf](https://asdf-vm.com/) `.tool-versions` for Python 3.11; if you use asdf, run `asdf install` in the repo first.
+
+**Internal CA (e.g. Artifactory):** If pip or Ansible must trust an internal CA, pass your PEM file so the Makefile builds a combined bundle (system + your CA) and uses it for SSL:
+
+```sh
+make molecule-env EXTRA_CA_BUNDLE=~/SammyCA.pem
+make molecule-test EXTRA_CA_BUNDLE=~/SammyCA.pem
+```
+
+You only need `EXTRA_CA_BUNDLE` on the same invocations where SSL is used (env creation and any molecule run that talks to internal hosts).
+
+For development purposes there is [Vagrantfile](Vagrantfile) available. The following command will setup ubuntu22 box (`ubuntu/jammy64`) by default:
 
 ```sh
 vagrant up
@@ -121,7 +139,6 @@ Other distros:
 
 ```sh
 vagrant up ubuntu20
-vagrant up ubuntu22
 vagrant up centos7
 vagrant up rockylinux8
 ```
@@ -134,8 +151,8 @@ You might be interested in other methods to deploy StackStorm engine:
   * [Puppet Module](https://github.com/stackstorm/puppet-st2)
 
 * Manual Instructions
-  * [Ubuntu 18.04](https://docs.stackstorm.com/install/u18.html)
   * [Ubuntu 20.04](https://docs.stackstorm.com/install/u20.html)
+  * [Ubuntu 22.04](https://docs.stackstorm.com/install/u22.html)
   * [RHEL8/RockyLinux8](https://docs.stackstorm.com/install/rhel8.html)
   * [RHEL7/CentOS7](https://docs.stackstorm.com/install/rhel7.html)
 

molecule/ubuntu22/Dockerfile.ubuntu22.j2

@@ -0,0 +1,5 @@
+FROM stackstorm/packagingtest:jammy-systemd
+
+RUN set -eu \
+  && useradd --create-home --user-group {{ item.username }} \
+  && echo "{{ item.username }} ALL=(ALL) NOPASSWD: ALL" >/etc/sudoers.d/{{ item.username }}

molecule/ubuntu22/molecule.yml

@@ -0,0 +1,62 @@
+---
+dependency:
+  name: galaxy
+
+driver:
+  name: docker
+
+platforms:
+  - name: ubuntu-22.04
+    groups: [test]
+    pre_build_image: false
+    image: stackstorm/packagingtest:jammy-systemd
+    dockerfile: Dockerfile.ubuntu22.j2
+    privileged: true
+    command: /sbin/init
+    # /tmp left off tmpfs to avoid remote_tmp mkdir/echo issues in container
+    tmpfs: [/run]
+    volumes: [/sys/fs/cgroup:/sys/fs/cgroup:rw]
+    cgroupns_mode: host
+    username: molecule
+
+provisioner:
+  name: ansible
+  env:
+    ANSIBLE_ROLES_PATH: ../../roles
+  playbooks:
+    converge: ../../stackstorm.yml
+  inventory:
+    group_vars:
+      test:
+        ansible_user: molecule
+        st2_auth_username: testu
+        st2_auth_password: testp
+        st2chatops_hubot_adapter: slack
+        st2chatops_config:
+          HUBOT_SLACK_TOKEN: "{{ lookup('ansible.builtin.env', 'HUBOT_SLACK_TOKEN') }}"
+        st2_rbac_enable: true
+
+verifier:
+  name: ansible
+
+scenario:
+  create_sequence:
+    - create
+  check_sequence:
+    - destroy
+    - create
+    - converge
+    - check
+    - destroy
+  converge_sequence:
+    - create
+    - converge
+  destroy_sequence:
+    - destroy
+  test_sequence:
+    - destroy
+    - syntax
+    - create
+    - converge
+    - idempotence
+    - destroy

requirements-ci.txt

@@ -0,0 +1,7 @@
+# Match .github/workflows/e2e.yaml (ansible-core 2.18.12, Python 3.11+)
+# ansible-compat 3+ renamed runtime.exec -> run; molecule 3.6.1 needs .exec
+requests<=2.29.0
+ansible-compat>=2.2.0,<3
+ansible-core==2.18.12
+molecule==3.6.1
+molecule-docker==1.1.0

test/requirements.yml

@@ -0,0 +1,11 @@
+---
+collections:
+  - name: ansible.posix
+    version: 1.4.0
+  - name: community.docker
+    version: 3.2.1
+  - name: community.general
+    version: 6.0.1
+  - name: community.rabbitmq
+    version: 1.2.3
+roles: []