refactor(ci): merge KVM molecule runner into a driver input

[sbaerlocher]

Summary

ci-ansible-molecule.yml and ci-ansible-molecule-kvm.yml were ~85% identical
(same discovery job, checkout, python setup, dependency install, summary). Only
the QEMU/KVM apt setup and the sg kvm wrapper differed.

• Add a driver input to ci-ansible-molecule.yml: docker (default) or qemu.
• QEMU/KVM setup step gated on driver == 'qemu'; run step wraps molecule in
  sg kvm only then. A validation step rejects any other value.
• Remove ci-ansible-molecule-kvm.yml.
• Net -226/+72; the discovery job no longer maintained in two files.

Migration

Callers of the -kvm reusable switch to ci-ansible-molecule.yml with
driver: qemu. Only open chore branches reference it today — no main caller.

Test plan

• CI green (claude-review, lint)
• driver: docker path unchanged from before

[claude]

Solid refactor — collapsing the ~85% duplication into a single driver input is the right call, the validation fails fast in the discover job, and the qemu setup/sg kvm wrapper are correctly gated. Two minor points to address:

• CHANGELOG: the ## 2026-06-17 section both adds and removes ci-ansible-molecule-kvm.yml in the same deployed-to-main window. Since it never effectively shipped, fold this into the Changed: ci-ansible-molecule.yml entry rather than leaving a self-contradicting Added/Removed pair.
• /dev/kvm probe (carried over from the deleted file): under set -e the test -e /dev/kvm && ls -l line hard-fails the step if KVM is absent, contradicting the comment's "falls back to TCG otherwise." Align the code with the intended behavior.

Neither is a functional blocker on GitHub-hosted runners; happy to approve once the CHANGELOG is tidied.

[claude]

No changes have been pushed since the last review — both issues remain open:

1. CHANGELOG.md — same-day add-and-remove of ci-ansible-molecule-kvm.yml creates a self-contradicting audit trail. Collapse the Added/Removed entries and fold the QEMU rationale into the existing Changed: ci-ansible-molecule.yml entry.
2. ci-ansible-molecule.yml line 199 — test -e /dev/kvm && ls -l /dev/kvm hard-fails under set -euo pipefail when /dev/kvm is absent, contradicting the comment that describes a TCG fallback. Either make the probe non-fatal or update the comment to state that a missing KVM device is an intentional failure.

[claude]

The /dev/kvm probe fix in ci-ansible-molecule.yml looks correct — thank you. One issue remains: CHANGELOG.md still has a same-day ### Added entry for ci-ansible-molecule-kvm.yml followed by a ### Removed entry for the same file under the same ## 2026-06-17 heading. Please collapse both into a single ### Changed note (or remove the transient ### Added entry) before merging.

[claude]

The CHANGELOG.md issue remains unresolved: the ## 2026-06-17 section still both adds and removes ci-ansible-molecule-kvm.yml in the same day, creating a self-contradicting audit trail. The workflow KVM probe fix was confirmed resolved in the previous round. Please collapse the transient ### Added/### Removed entries for ci-ansible-molecule-kvm.yml before merging.

[claude]

The workflow file issue (KVM probe hard-fail) was resolved in a previous round. One issue remains: CHANGELOG.md still contains a self-contradicting same-day add-and-remove of ci-ansible-molecule-kvm.yml under the single ## 2026-06-17 heading — please collapse or remove the transient entries before merging.