From 98f8d42343d32c151640f9e70e5007c4b14d5961 Mon Sep 17 00:00:00 2001
From: Rasmus Wejlgaard <pez@pez.sh>
Date: Fri, 3 Apr 2026 00:17:22 +0000
Subject: [PATCH] ci: add ansible-galaxy collection install to deploy workflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Both deploy-on-merge.yml and deploy.yml install ansible via pip but
never install the required Galaxy collections (community.docker,
community.general, ansible.posix) from ansible/requirements.yml.

This works by accident because the pip ansible package bundles some
collections, but it's fragile — a pip upgrade or runner image change
could break deploys silently.

Fixes PESO-110
---
 .github/workflows/deploy-on-merge.yml | 3 +++
 .github/workflows/deploy.yml          | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/deploy-on-merge.yml b/.github/workflows/deploy-on-merge.yml
index c759817..ad14d87 100644
--- a/.github/workflows/deploy-on-merge.yml
+++ b/.github/workflows/deploy-on-merge.yml
@@ -38,6 +38,9 @@ jobs:
           wget -qO /tmp/sops.deb https://github.com/getsops/sops/releases/download/v3.9.4/sops_3.9.4_amd64.deb
           sudo dpkg -i /tmp/sops.deb
 
+      - name: Install Ansible collections
+        run: ansible-galaxy install -r ansible/requirements.yml
+
       - name: Decrypt secrets
         env:
           SOPS_AGE_KEY: ${{ secrets.AGE_SECRET_KEY }}
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index f35a07b..3c25ce4 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -48,6 +48,9 @@ jobs:
           wget -qO /tmp/sops.deb https://github.com/getsops/sops/releases/download/v3.9.4/sops_3.9.4_amd64.deb
           sudo dpkg -i /tmp/sops.deb
 
+      - name: Install Ansible collections
+        run: ansible-galaxy install -r ansible/requirements.yml
+
       - name: Decrypt secrets
         env:
           SOPS_AGE_KEY: ${{ secrets.AGE_SECRET_KEY }}