dependency step installs roles to user's roles path, not in ephemeral directory

[tierpod]

Prerequisites

• [X] This was not already reported in the past (duplicate check)
• [X] It does reproduce it with code from main branch (latest unreleased version)
• [X] I include a minimal example for reproducing the bug
• [X] The bug is not trivial, as for those a direct pull-request is preferred
• [X] Running pip check does not report any conflicts
• [X] I was able to reproduce the issue on a different machine
• [X] The issue is not specific to any driver other than 'default' one

Environment

molecule 6.0.3 using python 3.11 
    ansible:2.16.2
    azure:23.5.0 from molecule_plugins
    containers:23.5.0 from molecule_plugins requiring collections: ansible.posix>=1.3.0 community.docker>=1.9.1 containers.podman>=1.8.1
    default:6.0.3 from molecule
    docker:23.5.0 from molecule_plugins requiring collections: community.docker>=3.0.2 ansible.posix>=1.4.0
    ec2:23.5.0 from molecule_plugins
    gce:23.5.0 from molecule_plugins requiring collections: google.cloud>=1.0.2 community.crypto>=1.8.0
    podman:23.5.0 from molecule_plugins requiring collections: containers.podman>=1.7.0 ansible.posix>=1.3.0
    vagrant:23.5.0 from molecule_plugins

Fedora release 38 (Thirty Eight)

What happened

Hello. After update from molecule 4 to molecule 6 I mentioned that molecule now tries to install dependencies into user's roles directory, not in ephemeral directory. I tried to investigate this problem by running molecule in debug mode, and I couldn't see any debug messages in output (ANSIBLE_* and MOLECULE_* environment variables):

molecule --debug -v dependency

INFO     Using /home/user/.ansible/roles/ansible-role-dotnet-tools symlink to current repository in order to enable Ansible to find the role using its expected full name.

I think it can be related to this PR https://github.com/ansible/molecule/pull/4047

Reproducing example

No response

[tierpod]

molecule 5.1.0 looks OK:

molecule --debug -v dependency

INFO     Using /home/user/.cache/ansible-compat/fa9621/roles/ansible-role-dotnet-tools symlink to current repository in order to enable Ansible to find the role using its expected full name.

DEBUG: MOLECULE ENVIRONMENT:
...
MOLECULE_EPHEMERAL_DIRECTORY: /home/user/.cache/molecule/ansible-role-dotnet-tools/default
...

[isuftin]

Looks related to https://github.com/ansible/molecule/issues/4015

[isuftin]

While this issue still has not been fixed, what I've found is I am able to update the provisioner YAML in molecule.yml:

provisioner:
  name: ansible
  env:
    ANSIBLE_ROLES_PATH: $MOLECULE_EPHEMERAL_DIRECTORY/roles:${HOME}/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:$MOLECULE_PROJECT_DIRECTORY/roles

The last item in the list there $MOLECULE_PROJECT_DIRECTORY/roles adds the /roles dir in the role I'm testing to the ANSIBLE_ROLES_PATH. Because Molecule ends up installing roles into the project's /roles/ path, this allows Ansible to find the role during the run.

What's confusing is that according to Molecule's own docs @ https://ansible.readthedocs.io/projects/molecule/configuration/#molecule.provisioner.ansible.Ansible there's text that reads:

Environment variables. Molecule does its best to handle common Ansible paths. The defaults are as follows.

ANSIBLE_ROLES_PATH:
  $runtime_cache_dir/roles:$ephemeral_directory/roles/:$project_directory/../:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles
ANSIBLE_LIBRARY:
  $ephemeral_directory/modules/:$project_directory/library/:~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules
ANSIBLE_FILTER_PLUGINS:
  $ephemeral_directory/plugins/filter/:$project_directory/filter/plugins/:~/.ansible/plugins/filter:/usr/share/ansible/plugins/modules

However, when running Molecule without override ANSIBLE_ROLES_PATH, the default that Molecule seems to set is:

ANSIBLE_ROLES_PATH: /root/.cache/molecule/svc/aws-marketplace-rhel8-ec2/roles:/:/root/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles

I am running Molecule in a Docker container with my role project in the /svc directory.

So it would seem what Molecule is setting is $MOLECULE_EPHEMERAL_DIRECTORY/roles:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles

This differs from the docs in that it does not add $runtime_cache_dir/roles or $project_directory/../

I'm not even sure what $runtime_cache_dir refers to or what use $project_directory/../ would be?

In the end, instead of doing weird hacks like this, can we just go back to Molecule installing role dependencies for roles in the ~/.ansible/roles like it used to?

Edit: While I'm in here... two other things...

Installing 3rd party roles into a /roles subdirectory in your project also causes ansible-lint to lint those dependencies, which is not ideal. I end up having to ignore anything in /roles but requirements.yml in my .gitignore like:

roles/*
!roles/requirements.yml

And then ansible-lint will ignore dependencies as well as me/other devs not accidentally checking dependencies into the role project.

Second, if the role/ directory doesn't exist, Molecule will install the dependent role into the proper or ~/.ansible/roles location. But for us, as we use AWX/Ansible Tower/Ansible Automation Platform, when my role is part of a playbook, AWX will look to my role's roles/requirements.yml to pull down transitive dependencies for my role.

https://access.redhat.com/documentation/en-us/red_hat_ansible_automation_platform/2.4/html/automation_controller_user_guide/controller-projects#ref-projects-galaxy-support

afaik there's no other way to do this