Refactor image publishing and PR validation workflows

.github/workflows/build_push_image.yml

@@ -0,0 +1,121 @@
+---
+# See https://github.com/cloin/ee-builds
+
+name: Build and push Execution Environment image to Packages
+
+on:
+  workflow_call:
+    inputs:
+      BRANCH:
+        description: 'Upstream collections branch'
+        required: true
+        type: string
+      PROFILE:
+        description: 'Execution profile'
+        required: true
+        type: string
+    outputs:
+      image-paths:
+        description: 'all the constructed and pushed image paths'
+        value: ${{ jobs.build-push.outputs.registry-paths }}
+      image-sha:
+        description: 'the SHA tagged image path'
+        value: ghcr.io/${{ github.repository }}:sha-${{ jobs.build-push.outputs.sha-short }}
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build-push:
+    runs-on: ubuntu-latest
+    outputs:
+      sha-short: ${{ steps.sha.outputs.sha-short }}
+      registry-paths: ${{ steps.push-image.outputs.registry-paths }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Install ansible-builder
+        run: pip install ansible-builder==1.2.0
+
+      - name: Construct image metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ghcr.io/${{ github.repository }}
+          flavor: |
+            latest=auto
+            prefix=${{ inputs.PROFILE }}-,onlatest=true
+          tags: |
+            type=sha,prefix=${{ inputs.PROFILE }}-sha-
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+
+      - name: Construct short SHA
+        id: sha
+        run: echo "sha-short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+
+      - name: Set up context
+        run: |
+          mkdir -p ${{ inputs.PROFILE }}
+          cp -R builder/${{ inputs.BRANCH }}/* ${{ inputs.PROFILE }}
+          cp builder/ee-${{ inputs.PROFILE }}.yml ${{ inputs.PROFILE }}/execution-environment.yml
+          cp -R builder/env builder/inventory builder/repo builder/bashrc ${{ inputs.PROFILE }}
+
+      - name: Create Containerfile
+        run: |
+          ansible-builder create --context ${{ inputs.PROFILE }} --file ${{ inputs.PROFILE }}/execution-environment.yml
+
+      - name: Build image from context
+        uses: redhat-actions/buildah-build@v2
+        with:
+          context: ${{ inputs.PROFILE }}
+          image: ${{ github.repository }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          containerfiles: |
+            ${{ inputs.PROFILE }}/Containerfile
+
+      - name: Push image
+        id: push-image
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          tags: ${{ steps.meta.outputs.tags }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Print summary
+        working-directory: ${{ inputs.PROFILE }}
+        run: |
+          echo "## :rocket: Usage" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "Image pushed to repository: [${{ steps.push-image.outputs.registry-path }}](https://${{ steps.push-image.outputs.registry-path }})" >> $GITHUB_STEP_SUMMARY
+          echo "> \`podman pull ${{ steps.push-image.outputs.registry-path }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "## :pushpin: Ansible info:" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+          echo "`podman run ${{ steps.push-image.outputs.registry-path }} ansible --version`" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+          echo "## :pushpin: Installed Python libraries:" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+          echo "`podman run ${{ steps.push-image.outputs.registry-path }} pip freeze | sort`" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+          echo "## :pushpin: Installed collections:" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+          echo "`podman run ${{ steps.push-image.outputs.registry-path }} ansible-galaxy collection list`" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+          echo "## :pushpin: Installed roles:" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+          echo "`podman run ${{ steps.push-image.outputs.registry-path }} ansible-galaxy role list`" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+          echo "## :pushpin: Containerfile:" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+          echo "`cat Containerfile`" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY

.github/workflows/label_pr.yml

@@ -0,0 +1,54 @@
+---
+# See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+
+name: Label validated Pull Request
+
+on:
+  workflow_run:
+    workflows: ["Validate Pull Request"]
+    types:
+      - completed
+
+jobs:
+  label:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    if: >
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success'
+    steps:
+      - name: Download the PR number artifact
+        uses: actions/github-script@v6
+        with:
+          script: |
+            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: context.payload.workflow_run.id,
+            });
+            let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "pr_number"
+            })[0];
+            let download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+            let fs = require('fs');
+            fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/pr_number.zip`, Buffer.from(download.data));
+
+      - name: 'Unzip artifact'
+        run: unzip pr_number.zip
+
+      - name: Read the PR number
+        id: read
+        run: echo "pr_number=$(cat pr_number)" >> $GITHUB_OUTPUT
+
+      - name: Label the PR
+        uses: actions-ecosystem/action-add-labels@v1
+        with:
+          labels: validated
+          number: ${{ steps.read.outputs.pr_number }}

.github/workflows/publish_image.yml

@@ -0,0 +1,28 @@
+---
+
+name: Publish a single Execution Environment image
+
+on:
+  workflow_dispatch:
+    inputs:
+      BRANCH:
+        description: 'Upstream collections branch'
+        default: 'main'
+        required: false
+        type: string
+      PROFILE:
+        description: 'Execution profile'
+        default: 'base'
+        required: false
+        type: string
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  publish:
+    uses: ./.github/workflows/build_push_image.yml
+    with:
+      BRANCH: ${{ inputs.BRANCH }}
+      PROFILE: ${{ inputs.PROFILE }}

.github/workflows/publish_images.yml

@@ -0,0 +1,22 @@
+---
+
+name: Publish Execution Environment images
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  publish:
+    uses: ./.github/workflows/build_push_image.yml
+    strategy:
+      fail-fast: false
+      matrix:
+        ee_profile: ["full", "base", "aws", "azure", "gcp"]
+    with:
+      BRANCH: main
+      PROFILE: ${{ matrix.ee_profile }}

.github/workflows/reset_pr.yml

@@ -0,0 +1,26 @@
+---
+
+name: Reset Pull Request validation label
+
+on:
+  pull_request_target:
+    types:
+      - reopened
+      - synchronize
+      - ready_for_review
+    branches:
+      - 'release/**'
+      - 'devel'
+      - 'devel-pvc-base'
+
+jobs:
+  reset:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Reset the PR label
+        uses: actions-ecosystem/action-remove-labels@v1
+        with:
+          labels: validated