Pull Request workflow and ansible-builder support (#104)

* Add PR validation workflows
* Add support to ansible-builder
* Increment collection to 3.4.1 and clean up
Signed-off-by: Webster Mudge <wmudge@cloudera.com>

Author: wmudge

.github/workflows/label_pr.yml

@@ -0,0 +1,68 @@
+---
+# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+
+name: Label validated Pull Request
+
+on:
+  workflow_run:
+    workflows: ["Validate Pull Request"]
+    types:
+      - completed
+
+jobs:
+  label:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    if: >
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success'
+    steps:
+      - name: Download the PR number artifact
+        uses: actions/github-script@v6
+        with:
+          script: |
+            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: context.payload.workflow_run.id,
+            });
+            let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "pr_number"
+            })[0];
+            let download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+            let fs = require('fs');
+            fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/pr_number.zip`, Buffer.from(download.data));
+
+      - name: 'Unzip artifact'
+        run: unzip pr_number.zip
+
+      - name: Read the PR number
+        id: read
+        run: echo "pr_number=$(cat pr_number)" >> $GITHUB_OUTPUT
+
+      - name: Label the PR
+        uses: actions-ecosystem/action-add-labels@v1
+        with:
+          labels: validated
+          number: ${{ steps.read.outputs.pr_number }}

.github/workflows/reset_pr.yml

@@ -0,0 +1,39 @@
+---
+# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Reset Pull Request validation label
+
+on:
+  pull_request_target:
+    types:
+      - reopened
+      - synchronize
+      - ready_for_review
+    branches:
+      - 'release/**'
+      - 'devel'
+      - 'devel-pvc-base'
+
+jobs:
+  reset:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Reset the PR label
+        uses: actions-ecosystem/action-remove-labels@v1
+        with:
+          labels: validated

.github/workflows/validate_pr.yml

@@ -0,0 +1,83 @@
+---
+# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Validate Pull Request
+
+on:
+  pull_request:
+    branches:
+      - 'release/**'
+      - 'devel'
+      - 'devel-pvc-base'
+    
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Setup Python and caching
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.9'
+          cache: 'pip'
+      
+      - name: Set up Ansible collections
+        run: |
+          sudo update-alternatives --install /usr/bin/python python $(which python3) 1
+          pip install ansible-core==2.12 ansible-builder pycodestyle voluptuous pylint pyyaml ansible-lint
+          ansible-galaxy collection install -r builder/requirements.yml -p /usr/share/ansible/collections
+          ansible-galaxy role install -r builder/requirements.yml -p /usr/share/ansible/roles
+
+      - name: Report Ansible version, collections, and roles
+        run: |
+          ansible --version
+          ansible-galaxy collection list
+          ansible-galaxy role list
+      
+      - name: Set up Ansible collection dependencies
+        run: |
+          ansible-builder introspect \
+            --write-pip final_python.txt --write-bindep final_bindep.txt \
+            /usr/share/ansible/collections
+          pip install -r final_python.txt
+          sudo apt-get -y install $(cat final_bindep.txt)
+      
+      - name: Report installed Python dependencies
+        run: pip freeze
+      
+      - name: Validate collection
+        run: |
+          pushd /usr/share/ansible/collections/ansible_collections/cloudera/cluster
+          #ansible-lint
+          #ansible-test sanity --test pep8
+          #ansible-test sanity --test validate-modules
+          #ansible-test units --requirements --color yes --redact
+          popd
+
+      # See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+      - name: Save PR number
+        env:
+          PR_NUMBER: ${{ github.event.number }}
+        run: |
+          mkdir -p ./pr
+          echo $PR_NUMBER > ./pr/pr_number
+      
+      - name: Upload the PR number
+        uses: actions/upload-artifact@v3
+        with:
+          name: pr_number
+          path: pr/

bindep.txt

@@ -0,0 +1,20 @@
+# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# ansible.posix.patch
+patch [platform:rpm]
+
+# community.general.ipa_user
+hashlib [platform:rpm]
+base64 [platform:rpm]

builder/requirements.yml

@@ -0,0 +1,26 @@
+---
+# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+collections:
+  - source: .
+    type: dir
+
+roles:
+  - name: geerlingguy.postgresql
+    version: 2.2.0
+
+  # geerlingguy.mysql with fix for issue #332
+  - src: https://github.com/dbeech/ansible-role-mysql
+    version: master

galaxy.yml

@@ -1,4 +1,4 @@
-# Copyright 2022 Cloudera, Inc.
+# Copyright 2023 Cloudera, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,49 +12,16 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-### REQUIRED
-
-# The namespace of the collection. This can be a company/brand/organization or product namespace under which all
-# content lives. May only contain alphanumeric characters and underscores. Additionally namespaces cannot start with
-# underscores or numbers and cannot contain consecutive underscores
 namespace: cloudera
-
-# The name of the collection. Has the same character restrictions as 'namespace'
 name: cluster
+version: 3.4.1
 
-# The version of the collection. Must be compatible with semantic versioning
-version: 3.4.0
-
-# The path to the Markdown (.md) readme file. This path is relative to the root of the collection
-readme: README.md
-
-# A list of the collection's content authors. Can be just the name or in the format 'Full Name <email> (url)
-# @nicks:irc/im.site#channel'
 authors: []
-
-
-### OPTIONAL but strongly recommended
-
-# A short summary description of the collection
-description: Cloudera assets for managing Cloudera Clusters
-
-# Either a single license or a list of licenses for content inside of a collection. Ansible Galaxy currently only
-# accepts L(SPDX,https://spdx.org/licenses/) licenses. This key is mutually exclusive with 'license_file'
-#license:
-#- GPL-2.0-or-later
-
-# The path to the license file for the collection. This path is relative to the root of the collection. This key is
-# mutually exclusive with 'license'
+readme: README.md
+description: Cloudera assets for managing Cloudera clusters
 license_file: 'LICENSE'
-
-# A list of tags you want to associate with the collection for indexing/searching. A tag name has the same character
-# requirements as 'namespace' and 'name'
 tags: []
 
-# Collections that this collection requires to be installed for it to be usable. The key of the dict is the
-# collection label 'namespace.name'. The value is a version range
-# L(specifiers,https://python-semanticversion.readthedocs.io/en/latest/#requirement-specification). Multiple version
-# range specifiers can be set and are separated by ','
 dependencies:
   'ansible.posix': '1.3.0'
   'community.crypto': '2.2.1'
@@ -63,14 +30,7 @@ dependencies:
   'community.postgresql': '1.6.1'
   'freeipa.ansible_freeipa': '1.6.2'
 
-# The URL of the originating SCM repository
 repository: https://github.com/cloudera-labs/cloudera.cluster
-
-# The URL to any online docs
 documentation: https://github.com/cloudera-labs/cloudera.cluster
-
-# The URL to the homepage of the collection/project
 homepage: https://github.com/cloudera-labs/cloudera.cluster
-
-# The URL to the collection issue tracker
 issues: https://github.com/cloudera-labs/cloudera.cluster/issues

requirements.txt

@@ -0,0 +1,16 @@
+# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# For community.general.json_query filter
+jmespath