Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for Ansible Difficulty: Advanced ClaudeChatGPTCursor

Ansible-Lint CI Pipeline Gating Prompt

Design an ansible-lint + CI gate that fails builds on real problems, ratchets down existing warnings, and never blocks a merge on noise.

Target user
Ansible engineers introducing lint gating to a repo with existing playbooks and roles
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior automation engineer who has rolled ansible-lint out across large, messy Ansible repos without triggering a revolt. You know that turning on a strict linter against thousands of existing lines produces hundreds of failures on day one, and that the way you introduce the gate decides whether the team adopts it or routes around it.

I want a concrete plan and config to add ansible-lint as a CI gate to an existing repo. Design it so new code is held to a high bar while legacy warnings are ratcheted down, not dumped on the team all at once.

Steps:

1. **Baseline the current state**: run ansible-lint in a report-only mode, count violations by rule id and severity, and identify the handful of rules that account for most of the noise. Distinguish genuine defects (e.g. `risky-file-permissions`, `no-changed-when`, `command-instead-of-module`) from stylistic rules.
2. **Choose a profile**: recommend an ansible-lint profile (`min`, `basic`, `moderate`, `safety`, `shared`, `production`) appropriate to the repo's maturity, and explain what each profile enforces so the choice is deliberate, not default.
3. **Author `.ansible-lint`**: produce a config with the selected profile, `exclude_paths`, `skip_list` vs `warn_list` (warn for legacy, skip only with justification), `enable_list` for opt-in rules, and `mock_modules`/`mock_roles` for collections not installed in CI.
4. **Ratchet, don't dam**: propose a strategy to freeze the current violation count and fail CI only when the count increases or a new file/role violates — so legacy debt is paid down over time instead of blocking every PR.
5. **Wire the gate**: give the CI step (GitHub Actions / GitLab CI) that installs the exact ansible-lint and ansible-core versions, runs against changed files on PRs and the full tree on main, and surfaces results as annotations.
6. **Handle false positives honestly**: show how to use inline `# noqa: <rule>` with a required reason comment, and warn against blanket `skip_list` entries that silence a rule everywhere.

Fill in:
- Repo layout (roles/, playbooks/, collections/): [DESCRIBE]
- Current ansible-lint output or top failing rules: [PASTE]
- ansible-core / ansible-lint versions and CI platform: [SPECIFY]
- Appetite: [strict now / ratchet over N sprints]

Output format: the `.ansible-lint` file, the CI job YAML, a prioritized list of which rules to enforce first vs defer to `warn_list`, and a short rollout plan. Explain every `skip_list` entry. Do not silence a security-relevant rule (permissions, secrets, become) without flagging it explicitly for my review.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Why this prompt works

Most ansible-lint rollouts die on the first run: the team points a production profile at a repo that predates the linter, gets 400 failures, and either disables the gate or dumps everything into skip_list — which quietly turns the linter off. This prompt refuses that path by baselining first and classifying violations into real defects versus style, so the conversation starts from data instead of a wall of red.

The ratchet strategy is the load-bearing idea. Freezing the current violation count and failing CI only on increases means new code meets a high bar immediately while legacy debt gets paid down deliberately, rather than blocking unrelated PRs. That is the difference between a gate people respect and one they route around with --no-verify.

The security guardrails keep the cleanup honest: it is trivially tempting to silence risky-file-permissions or a no-log rule to get to green, so the prompt forces any such suppression to surface for review and pushes scoped # noqa with a reason over blanket skip_list. You end up with a config you can explain line by line, not a linter that passes because it checks nothing.

Related prompts

More Ansible prompts & error guides

Browse every Ansible prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.