validatedpatterns · mbaldessari · Feb 16, 2026 · Jan 19, 2026 · Feb 3, 2026 · Feb 3, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -6,3 +6,5 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml
@@ -10,11 +10,11 @@ jobs:
 
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
 
       - name: Lint Ansible Playbook
-        uses: ansible/ansible-lint@43e758bad47344f1ce7b699c0020299f486a8026
+        uses: ansible/ansible-lint@7f6abc5ef97d0fb043a0f3d416dfbc74399fbda0
         with:
           setup_python: "true"
diff --git a/.github/workflows/ansible-sanitytest.yml b/.github/workflows/ansible-sanitytest.yml
@@ -16,13 +16,13 @@ jobs:
 
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           path: ansible_collections/rhvp/cluster_utils
           persist-credentials: false
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: ${{ matrix.python-version }}
 

diff --git a/.github/workflows/ansible-unittest.yml b/.github/workflows/ansible-unittest.yml
@@ -16,13 +16,13 @@ jobs:
 
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           path: ansible_collections/rhvp/cluster_utils
           persist-credentials: false
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: ${{ matrix.python-version }}
 

diff --git a/.github/workflows/jsonschema.yaml b/.github/workflows/jsonschema.yaml
@@ -15,12 +15,12 @@ jobs:
 
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: ${{ matrix.python-version }}
 

diff --git a/.github/workflows/superlinter.yml b/.github/workflows/superlinter.yml
@@ -12,7 +12,7 @@ jobs:
 
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           # Full git history is needed to get a proper list of changed files within `super-linter`
           fetch-depth: 0
@@ -22,7 +22,7 @@ jobs:
       # Run Linter against code base #
       ################################
       - name: Lint Code Base
-        uses: super-linter/super-linter/slim@2bdd90ed3262e023ac84bf8fe35dc480721fc1f2
+        uses: super-linter/super-linter/slim@61abc07d755095a68f4987d1c2c3d1d64408f1f9 # v8.5.0
         env:
           VALIDATE_ALL_CODEBASE: true
           DEFAULT_BRANCH: main
@@ -36,6 +36,7 @@ jobs:
           VALIDATE_JSON_PRETTIER: false
           VALIDATE_MARKDOWN_PRETTIER: false
           VALIDATE_KUBERNETES_KUBECONFORM: false
+          VALIDATE_PYTHON_BLACK: false
           VALIDATE_PYTHON_PYLINT: false
           VALIDATE_PYTHON_PYINK: false
           VALIDATE_PYTHON_RUFF_FORMAT: false

diff --git a/.github/workflows/trigger-utility-imperative-container-builds.yml b/.github/workflows/trigger-utility-imperative-container-builds.yml
@@ -13,7 +13,7 @@ jobs:
     steps:
       - name: Generate GitHub App token
         id: generate-token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_WORKFLOW_AUTOMATION_CLIENT_ID }}
           private-key: ${{ secrets.GH_WORKFLOW_AUTOMATION_PRIVATE_KEY }}

diff --git a/playbooks/argo_healthcheck.yml b/playbooks/argo_healthcheck.yml
@@ -3,6 +3,6 @@
   hosts: localhost
   connection: local
   gather_facts: false
-  roles:
-    - role: oc_check
-    - role: argo_healthcheck
+  tasks:
+    - name: Check health of argo applications
+      ansible.builtin.include_tasks: tasks/check_argo_health.yml
diff --git a/playbooks/display_secrets_info.yml b/playbooks/display_secrets_info.yml
@@ -27,7 +27,7 @@
     # This will allow us to determine schema version and which backend to use
     - name: Determine how to load secrets
       ansible.builtin.set_fact:
-        secrets_yaml: '{{ values_secrets_data | from_yaml }}'
+        secrets_yaml: "{{ values_secrets_data if values_secrets_data is not string else values_secrets_data | from_yaml }}"
 
     - name: Parse secrets data
       no_log: '{{ hide_sensitive_output }}'

diff --git a/playbooks/install.yml b/playbooks/install.yml
@@ -2,7 +2,7 @@
 - name: Install the pattern via pattern-install chart
   ansible.builtin.import_playbook: operator_deploy.yml
 
-- name: Load secrets (if not explicity disabled in values-global.yaml)
+- name: Load secrets (if not explicitly disabled in values-global.yaml)
   ansible.builtin.import_playbook: load_secrets.yml
 
 - name: Wait for pattern to finish installation (all Argo apps should be healthy/synced)
@@ -11,18 +11,14 @@
   gather_facts: false
 
   vars:
-    max_retries: 30
+    max_retries: 60
     retry_count: 0
     retry_delay: 60
 
   tasks:
     - name: Print start message
-      ansible.builtin.shell: |
-        printf "==> Waiting for all argo applications to be healthy/synced.\n" > /dev/tty
-
-    - name: Ensure oc is installed
-      ansible.builtin.include_role:
-        name: oc_check
+      ansible.builtin.debug:
+        msg: "Waiting for all argo applications to be healthy/synced."
 
     - name: Wait for all Argo applications to be healthy and synced with retry logic
       ansible.builtin.include_tasks: tasks/retry_argo_healthcheck.yml
diff --git a/playbooks/load_secrets.yml b/playbooks/load_secrets.yml
@@ -7,22 +7,17 @@
     - role: pattern_settings
 
   tasks:
-    - name: Check values-global to see if secret loading is explicity disabled
+    - name: Check values-global to see if secret loading is explicitly disabled
       ansible.builtin.set_fact:
         secret_loader_disabled: "{{ values_global.global.secretLoader.disabled | default(false) | bool }}"
 
     - name: Load secrets (when enabled)
+      ansible.builtin.include_role:
+        name: load_secrets
       when: not secret_loader_disabled
-      block:
-        - name: Announce secrets loading
-          ansible.builtin.shell: |
-            printf "==> Loading secrets (this may take several minutes)...\n" > /dev/tty
-
-        - name: Process secrets via role
-          ansible.builtin.include_role:
-            name: load_secrets
 
     - name: Print secret loading disabled message
-      ansible.builtin.shell: |
-        printf "==> Secrets loading is currently disabled. To enable, update the value of .global.secretLoader.disabled in your values-global.yaml to false.\n" > /dev/tty
+      ansible.builtin.debug:
+        msg: |
+          Secrets loading is currently disabled. To enable, update the value of ''.global.secretLoader.disabled' in 'values-global.yaml' to 'false'.
       when: secret_loader_disabled
diff --git a/playbooks/operator_deploy.yml b/playbooks/operator_deploy.yml
@@ -7,7 +7,7 @@
   roles:
     - role: pattern_settings # set general pattern vars
     - role: install_settings # set pattern-install specific vars
-    - role: validate_prereq # ensure installation depencies are present
+    - role: validate_prereq # ensure installation dependencies are present
     - role: validate_cluster # ensure a cluster is connected and has a default storage class
     - role: pattern_install_template # render the pattern-install helm chart
 
@@ -18,10 +18,9 @@
           ansible.builtin.set_fact:
             disable_validate_origin: >-
               {{
-                (
-                  disable_validate_origin
-                  | default(lookup('env', 'DISABLE_VALIDATE_ORIGIN'), true)
-                  | default('false', false)
+                disable_validate_origin | default(
+                  lookup('env', 'DISABLE_VALIDATE_ORIGIN') or 'false',
+                  true
                 ) | bool
               }}
 
@@ -30,29 +29,25 @@
             name: validate_origin
           when: not disable_validate_origin
 
-    - name: Apply rendered pattern-install chart manifests (with retry)
+    - name: Apply rendered pattern-install chart manifests
       block:
-        - name: Preview manifest that will be applied
-          ansible.builtin.shell: |
-            printf "==> Applying the following manifest to the cluster:\n\n" > /dev/tty
-            printf "%s\n" "{{ pattern_install_rendered_yaml }}" > /dev/tty
-
-        - name: Apply via oc with retry
-          ansible.builtin.command: oc apply -f -
-          args:
-            stdin: "{{ pattern_install_rendered_yaml }}"
-            stdin_add_newline: false
+        - name: Apply manifests via native k8s module
+          kubernetes.core.k8s:
+            definition: "{{ pattern_install_rendered_yaml }}"
+            state: present
           register: _apply
           retries: 10
           delay: 15
-          until: _apply.rc == 0
+          until: not _apply.failed
 
         - name: Print success message
-          ansible.builtin.shell: printf "==> Installation succeeded!\n" > /dev/tty
+          ansible.builtin.debug:
+            msg: |
+              Installation of {{ pattern_name }} succeeded!
 
       rescue:
-        - name: Print failure summary and abort
-          ansible.builtin.shell: |
-            printf "==> Installation failed. Error:\n" > /dev/tty
-            printf "%s\n" "{{ _apply.stderr | default(_apply.stdout) | default('') }}" > /dev/tty
-            exit 1
+        - name: Print failure summary
+          ansible.builtin.fail:
+            msg: |
+              Failed to install pattern after 10 retries.
+              Error: {{ _apply.error | default(_apply.msg) | default('Unknown error') }}
diff --git a/playbooks/process_secrets.yml b/playbooks/process_secrets.yml
@@ -21,7 +21,7 @@
     # This will allow us to determine schema version and which backend to use
     - name: Determine how to load secrets
       ansible.builtin.set_fact:
-        secrets_yaml: '{{ values_secrets_data | from_yaml }}'
+        secrets_yaml: "{{ values_secrets_data if values_secrets_data is not string else values_secrets_data | from_yaml }}"
 
     - name: Parse secrets data
       no_log: '{{ hide_sensitive_output | default(true) }}'

diff --git a/playbooks/show.yml b/playbooks/show.yml
@@ -3,12 +3,16 @@
   hosts: localhost
   connection: local
   gather_facts: false
+  vars:
+    include_crds: false
+
   roles:
     - role: pattern_settings # set general pattern vars
     - role: install_settings # set pattern-install specific vars
     - role: pattern_install_template # render the pattern-install helm chart
 
   tasks:
-    - name: Print rendered pattern-install chart manifests
-      ansible.builtin.shell: |
-        printf "\n%s\n" "{{ pattern_install_rendered_yaml }}" > /dev/tty
+    - name: Print rendered pattern-install chart
+      ansible.builtin.debug:
+        msg: |
+         {{ pattern_install_rendered_yaml }}
diff --git a/playbooks/tasks/check_argo_health.yml b/playbooks/tasks/check_argo_health.yml
@@ -1,62 +1,37 @@
 ---
-- name: Get all Argo CD applications as JSON
-  ansible.builtin.command: oc get applications.argoproj.io -A -o json
-  register: apps_raw
-  changed_when: false
+- name: Get all Argo CD applications
+  kubernetes.core.k8s_info:
+    api_version: argoproj.io/v1alpha1
+    kind: Application
+  register: argo_apps
 
-- name: Extract and analyze applications
+- name: Process Application Statuses
   ansible.builtin.set_fact:
-    apps_items: >-
-      {{
-        (apps_raw.stdout | default('{}'))
-        | from_json
-        | json_query('items')
-        | default([])
-      }}
-
-- name: Reset applications summary
-  ansible.builtin.set_fact:
-    apps_summary: []
-
-- name: Build applications summary
-  ansible.builtin.set_fact:
-    apps_summary: >-
-      {{ apps_summary + [
-          {
-            'namespace': (item.metadata.namespace | default('')),
-            'name': (item.metadata.name | default('')),
-            'sync': (item.status.sync.status | default('')),
-            'health': (item.status.health.status | default('')),
-            'bad': ((item.status.sync.status | default('')) != 'Synced')
-                   or ((item.status.health.status | default('')) != 'Healthy')
-          }
-        ]
-      }}
-  loop: "{{ apps_items }}"
-  loop_control:
-    label: "{{ item.metadata.namespace }}:{{ item.metadata.name }}"
-
-- name: Filter unhealthy or unsynced applications
-  ansible.builtin.set_fact:
-    unhealthy_apps: "{{ apps_summary | default([]) | selectattr('bad') | list }}"
-
-- name: Print unhealthy/unsynced applications to /dev/tty
-  when: unhealthy_apps | length > 0
-  ansible.builtin.shell:
-    cmd: |
-      printf "==> Unhealthy or unsynced applications:\n" > /dev/tty
-      {% for app in unhealthy_apps %}
-      printf "    {{ app.namespace }}/{{ app.name }} -> Sync: {{ app.sync }} - Health: {{ app.health }}\n" > /dev/tty
+    apps_summary: "{{ (summary_yaml | from_yaml) | default([], true) }}"
+  vars:
+    summary_yaml: |
+      {% for item in argo_apps.resources -%}
+      - namespace: {{ item.metadata.namespace }}
+        name: {{ item.metadata.name }}
+        sync: {{ item.status.sync.status | default('Unknown') }}
+        health: {{ item.status.health.status | default('Unknown') }}
+        bad: {{ (item.status.sync.status | default('Unknown') != 'Synced' or item.status.health.status | default('Unknown') != 'Healthy') | lower }}
       {% endfor %}
-      printf "==> Retrying in 60 seconds...\n" > /dev/tty
 
-- name: Fail if any applications are not healthy/synced
-  when: unhealthy_apps | length > 0
-  ansible.builtin.fail:
-    msg: "{{ unhealthy_apps | length }} application(s) are not healthy/synced"
-
-- name: Print success message
-  when: unhealthy_apps | length == 0
-  ansible.builtin.shell:
-    cmd: |
-      printf "==> All {{ apps_summary | length }} Argo applications are healthy and synced.\n" > /dev/tty
+- name: Validate Cluster Health
+  vars:
+    bad_apps: "{{ apps_summary | selectattr('bad') | list }}"
+  ansible.builtin.assert:
+    that:
+      - apps_summary | length > 0
+      - bad_apps | length == 0
+    fail_msg: |
+      {% if apps_summary | length == 0 %}
+      No ArgoCD applications found in the cluster.
+      {% else %}
+      The following ArgoCD applications are out-of-sync or unhealthy:
+      {% for app in bad_apps %}
+      - {{ app.namespace }}/{{ app.name }} (Sync: {{ app.sync }}, Health: {{ app.health }})
+      {% endfor %}
+      {% endif %}
+    quiet: true