Skip to content

ci: introduce Ansible CI (#585) #1350

ci: introduce Ansible CI (#585)

ci: introduce Ansible CI (#585) #1350

Workflow file for this run

name: CI
on:
push:
branches:
pull_request:
#schedule:
# - cron: '0 6 * * *'
env:
NAMESPACE: paloaltonetworks
COLLECTION_NAME: panos
jobs:
## Sanity is required:
#
# https://docs.ansible.com/ansible/latest/dev_guide/testing_sanity.html
sanity:
name: Sanity (Ⓐ${{ matrix.ansible }})
strategy:
matrix:
include:
- ansible: "2.15"
python_ver: "3.11"
- ansible: "2.16"
python_ver: "3.11"
- ansible: "2.17"
python_ver: "3.11"
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}
steps:
- uses: actions/checkout@v4
with:
path: ./ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}
- name: Setup Python
uses: actions/setup-python@v4
with:
python-version: ${{ matrix.python_ver }}
- name: Install Poetry
uses: Gr1N/setup-poetry@v8
#with:
# poetry-version: 1.0.10
# Install the head of the given branch (devel, stable-2.10)
- name: Install ansible-base (${{ matrix.ansible }})
run: poetry run pip install https://github.com/ansible/ansible/archive/stable-${{ matrix.ansible }}.tar.gz --disable-pip-version-check
- name: Create lock file
run: poetry lock
#- name: Cache poetry dependencies
# uses: actions/cache@v2
# with:
# #path: ~/.cache/pypoetry/virtualenvs
# #key: ${{ runner.os }}-poetry-${{ hashFiles('poetry.lock') }}
# ##restore-keys: |
# ## ${{ runner.os }}-poetry-${{ matrix.python-version }}-
# path: ${{ steps.poetry-cache.outputs.dir }}
# key: ${{ runner.os }}-poetry-${{ hashFiles('**/poetry.lock') }}
# restore-keys: |
# ${{ runner.os }}-poetry-
- name: Install dependencies
run: poetry install
- name: Run sanity tests
timeout-minutes: 8
run: poetry run make new-sanity
# Ansible-lint is a requirement for certification, and was added to the
# certification pipeline 20 June 2023 per Ansible Partner Engineering
# communication emails
#
# Config file is .ansible-lint
lint:
name: Ansible Lint
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Run ansible-lint
uses: ansible/ansible-lint@main
# Tox is used to execute linters required for Event-Driven Ansible (EDA) code:
# github.com/ansible/eda-partner-testing/blob/main/README.md
# Tox should only execute over <root>/extensions/eda/plugins.
# Tox utilises the tox.ini file found in the local directory.
# This action is taken from Ansible Partner Engineering's example:
# github.com/ansible/eda-partner-testing/blob/main/.github/workflows/tox.yml
# Tox is planned by Ansible Partner Engineering to cover other code in future.
tox:
name: Tox Checks
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install deps
run: python -m pip install tox
- name: Move to tox conf file and run tox
run: |
cd .github/workflows
python -m tox -- ../..
pyversion:
name: Discover minimum Python version
uses: ./.github/workflows/_discover_python_ver.yml
format:
name: Code Format Check
runs-on: ubuntu-latest
needs: pyversion
defaults:
run:
working-directory: ./ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}
steps:
- uses: actions/checkout@v4
with:
path: ./ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}
- name: Setup Python
uses: actions/setup-python@v4
with:
python-version: ${{ needs.pyversion.outputs.pyversion }}
- name: Install Poetry
uses: Gr1N/setup-poetry@v8
- name: Install dependencies
run: poetry install
- name: Do black code format check
run: poetry run make check-format
release:
name: release
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
needs: [sanity, tox, lint, format]
runs-on: ubuntu-latest
outputs:
new_release_published: ${{ steps.release.outputs.new_release_published }}
new_release_version: ${{ steps.release.outputs.new_release_version }}
new_release_git_tag: ${{ steps.release.outputs.new_release_git_tag }}
steps:
- name: Checkout
uses: actions/checkout@v4
# This task could be removed once the task below is confirmed working
- name: Set up Galaxy auth
run: |
mkdir -p ~/.ansible
echo "token: $GALAXY_API_KEY" > ~/.ansible/galaxy_token
env:
GALAXY_API_KEY: ${{ secrets.GALAXY_API_KEY }}
shell: bash
# New task for combined Galaxy and AutomationHub publishing
- name: Set up Automation Hub and Galaxy ansible.cfg file
run: |
cat << EOF > ansible.cfg
[galaxy]
server_list = automation_hub, release_galaxy
[galaxy_server.automation_hub]
url=${{ secrets.AUTOMATION_HUB_URL }}
auth_url=${{ secrets.AUTOMATION_HUB_SSO_URL }}
token=${{ secrets.AUTOMATION_HUB_API_TOKEN }}
[galaxy_server.release_galaxy]
url=https://galaxy.ansible.com/
token=${{ secrets.GALAXY_API_KEY }}
EOF
shell: bash
- name: Create release and publish
id: release
uses: cycjimmy/semantic-release-action@v4
with:
semantic_version: 17.1.1
extra_plugins: |
conventional-changelog-conventionalcommits@^4.4.0
@semantic-release/changelog@^5.0.1
@semantic-release/git@^9.0.0
@semantic-release/exec@^5.0.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Store built collection
uses: actions/upload-artifact@v3
with:
name: collection
path: |
*.tar.gz
docs:
name: docs
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
needs: [release, pyversion]
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}
steps:
# Just a note here: The Ansible stuff is apparently doing realpath
# checks, so trying to simlink stuff and then run Ansible commands
# such as ansible-test in the symlink directory fails. Thus we need
# to have the real path contain ansible_collections/paloaltonetworks/panos.
- name: Checkout
uses: actions/checkout@v4
with:
path: ./ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}
- name: Setup Python
uses: actions/setup-python@v4
with:
python-version: ${{ needs.pyversion.outputs.pyversion }}
- name: Install Poetry
uses: Gr1N/setup-poetry@v8
- name: Add ansible-core
run: poetry add ansible-core^2.15
- name: Add antsibull-docs
run: poetry add antsibull-docs^1.11.0
- name: Install dependencies
run: poetry install
- name: Build the collection
run: poetry run ansible-galaxy collection build
# - name: Download built collection
# uses: actions/download-artifact@v2
# with:
# name: collection
- name: Install built collection
run: poetry run ansible-galaxy collection install *.tar.gz
- name: Generate documentation
run: poetry run make docs
# This is here for right now because the action to deploy seems to assume
# (and not have a configuration option to) mirror the actions/checkout@v4
# the with.path spec.
- name: Move the repo to where the deploy action is looking for it
run: |
cd ../../../..
mv pan-os-ansible the_repo
mv the_repo/ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }} pan-os-ansible
mkdir -p pan-os-ansible/ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}
- name: Deploy to GitHub Pages
uses: JamesIves/github-pages-deploy-action@v4.4.3
with:
token: ${{ secrets.GITHUB_TOKEN }}
branch: gh-pages
folder: docs/html
clean: true
rc:
name: Check rc EE
runs-on: ubuntu-latest
needs: [sanity, tox, lint, format]
if: (github.event_name == 'push' && github.ref == 'refs/heads/develop')
outputs:
rc: ${{ steps.rc.outputs.new_release_published }}
new_release_version: ${{ steps.rc.outputs.new_release_version }}
steps:
- name: checkout code
uses: actions/checkout@v4
- name: setup node.js
uses: actions/setup-node@v4
with:
node-version: 'lts/*'
- name: install dependencies
run: |
npm install --save-dev semantic-release
npm install @semantic-release/commit-analyzer -D
npm install conventional-changelog-conventionalcommits -D
npm install @semantic-release/changelog -D
npm install @semantic-release/git -D
npm install @semantic-release/exec -D
# npx semantic-release
# npm ci
- name: trick semantic check
id: rc
run: |
# Trick semantic-release into thinking we're not in a CI environment
OUTPUT="$(bash -c "unset GITHUB_ACTIONS && unset GITHUB_EVENT_NAME && npx semantic-release --dry-run --no-ci --branches '${GITHUB_REF#refs/heads/}'")"
# print output
echo "$OUTPUT"
# grep with semver regex - \K means to start matching from here in Perl regex
NEW_RELEASE_VERSION=$(echo "$OUTPUT" | grep -oP 'The next release version is \K(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?' || echo -n "")
echo "new_release_version=$NEW_RELEASE_VERSION" >> "$GITHUB_OUTPUT"
if [ -z "$NEW_RELEASE_VERSION" ]; then
echo "new_release_published=false" >> "$GITHUB_OUTPUT"
else
echo "new_release_published=true" >> "$GITHUB_OUTPUT"
fi
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_REF: ${{ github.ref }}
# below does NOT work because semantic-release expects branch name in the config even in dry-run
# but we run rc check in non main branches
# - name: rc check
# id: rc
# uses: cycjimmy/semantic-release-action@v4
# with:
# dry_run: true
# semantic_version: 17.1.1
# extra_plugins: |
# conventional-changelog-conventionalcommits@^4.4.0
# @semantic-release/changelog@^5.0.1
# @semantic-release/git@^9.0.0
# @semantic-release/exec@^5.0.00
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
build_dev_ee:
name: dev_ee
needs: rc
if: needs.rc.outputs.rc == 'true'
uses: ./.github/workflows/ee.yml
build_prod_ee:
name: release_ee
needs: release
uses: ./.github/workflows/ee.yml
with:
release: true
release_tag: ${{ needs.release.outputs.new_release_git_tag }}