PR validation workflows and ansible-builder support (#139)

wmudge · web-flow · commit 30f38e1e78ea · 2023-02-01T19:46:16.000Z
* Add PR validation workflows
* Add support for ansible-builder
* Increment collection to 1.7.3
Signed-off-by: Webster Mudge &lt;wmudge@cloudera.com&gt;
diff --git a/.github/workflows/label_pr.yml b/.github/workflows/label_pr.yml
@@ -0,0 +1,68 @@
+---
+# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+
+name: Label validated Pull Request
+
+on:
+  workflow_run:
+    workflows: ["Validate Pull Request"]
+    types:
+      - completed
+
+jobs:
+  label:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    if: >
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success'
+    steps:
+      - name: Download the PR number artifact
+        uses: actions/github-script@v6
+        with:
+          script: |
+            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: context.payload.workflow_run.id,
+            });
+            let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "pr_number"
+            })[0];
+            let download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+            let fs = require('fs');
+            fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/pr_number.zip`, Buffer.from(download.data));
+
+      - name: 'Unzip artifact'
+        run: unzip pr_number.zip
+
+      - name: Read the PR number
+        id: read
+        run: echo "pr_number=$(cat pr_number)" >> $GITHUB_OUTPUT
+
+      - name: Label the PR
+        uses: actions-ecosystem/action-add-labels@v1
+        with:
+          labels: validated
+          number: ${{ steps.read.outputs.pr_number }}
diff --git a/.github/workflows/reset_pr.yml b/.github/workflows/reset_pr.yml
@@ -0,0 +1,39 @@
+---
+# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Reset Pull Request validation label
+
+on:
+  pull_request_target:
+    types:
+      - reopened
+      - synchronize
+      - ready_for_review
+    branches:
+      - 'release/**'
+      - 'devel'
+      - 'devel-pvc-base'
+
+jobs:
+  reset:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Reset the PR label
+        uses: actions-ecosystem/action-remove-labels@v1
+        with:
+          labels: validated
diff --git a/.github/workflows/validate_pr.yml b/.github/workflows/validate_pr.yml
@@ -0,0 +1,83 @@
+---
+# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Validate Pull Request
+
+on:
+  pull_request:
+    branches:
+      - 'release/**'
+      - 'devel'
+      - 'devel-pvc-base'
+    
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Setup Python and caching
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.9'
+          cache: 'pip'
+      
+      - name: Set up Ansible collections
+        run: |
+          sudo update-alternatives --install /usr/bin/python python $(which python3) 1
+          pip install ansible-core==2.12 ansible-builder pycodestyle voluptuous pylint pyyaml ansible-lint
+          ansible-galaxy collection install -r builder/requirements.yml -p /usr/share/ansible/collections
+          ansible-galaxy role install -r builder/requirements.yml -p /usr/share/ansible/roles
+
+      - name: Report Ansible version, collections, and roles
+        run: |
+          ansible --version
+          ansible-galaxy collection list
+          ansible-galaxy role list
+      
+      - name: Set up Ansible collection dependencies
+        run: |
+          ansible-builder introspect \
+            --write-pip final_python.txt --write-bindep final_bindep.txt \
+            /usr/share/ansible/collections
+          pip install -r final_python.txt
+          sudo apt-get -y install $(cat final_bindep.txt)
+      
+      - name: Report installed Python dependencies
+        run: pip freeze
+      
+      - name: Validate collection
+        run: |
+          pushd /usr/share/ansible/collections/ansible_collections/cloudera/exe
+          #ansible-lint
+          #ansible-test sanity --test pep8
+          #ansible-test sanity --test validate-modules
+          #ansible-test units --requirements --color yes --redact
+          popd
+
+      # See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+      - name: Save PR number
+        env:
+          PR_NUMBER: ${{ github.event.number }}
+        run: |
+          mkdir -p ./pr
+          echo $PR_NUMBER > ./pr/pr_number
+      
+      - name: Upload the PR number
+        uses: actions/upload-artifact@v3
+        with:
+          name: pr_number
+          path: pr/
diff --git a/bindep.txt b/bindep.txt
@@ -0,0 +1,13 @@
+# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
diff --git a/builder/requirements.yml b/builder/requirements.yml
@@ -0,0 +1,19 @@
+---
+
+# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+collections:
+  - source: .
+    type: dir
diff --git a/galaxy.yml b/galaxy.yml
@@ -1,6 +1,6 @@
 ---
 
-# Copyright 2022 Cloudera, Inc. All Rights Reserved.
+# Copyright 2023 Cloudera, Inc. All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -16,7 +16,7 @@
 
 namespace: cloudera
 name: exe
-version: 1.7.2
+version: 1.7.3
 readme: README.md
 authors:
 - Webster Mudge <wmudge@cloudera.com>
diff --git a/requirements.txt b/requirements.txt
@@ -1,4 +1,4 @@
-# Copyright 2022 Cloudera, Inc. All Rights Reserved.
+# Copyright 2023 Cloudera, Inc. All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -22,8 +22,4 @@ cryptography>=2.3.1
 
 # Ansible 
 jmespath                # community.general.json_query
-netaddr                 # ansible.netcommon.ipaddr
 molecule[lint]==3.4     # Pinned due to https://github.com/ansible-community/molecule/issues/3243
-
-# CDPCLI / cdpy
-git+https://github.com/cloudera-labs/cdpy@main#egg=cdpy
