chore: Execution Environment container image is now built on version release #26

Author: adambaumeister

.github/workflows/ee.yml

@@ -0,0 +1,78 @@
+---
+name: CI
+
+defaults:
+  run:
+    shell: bash
+
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+' # Matches tags like v1.0.0, v2.1.5, etc. This CI gets triggered by Semantic release.
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+
+      - name: Set up Python
+        uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4
+        with:
+          python-version: 3.11
+
+      - name: Install Ansible Builder
+        run: |
+          python -m pip install --upgrade pip
+          pip install ansible-builder
+
+      - name: Build docker context
+        run: |
+          ansible-builder create -f meta/execution-environment.yml --output-filename Dockerfile
+
+      - name: login to GHCR
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: List directories
+        run: |
+          ls -l ./context
+
+      # produce docker tags for semver if on a tag, otherwise take ref branch name
+      # latest tag is only produced for semver operating on a tag
+      - name: determine docker tags and labels
+        id: meta
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5
+        with: # labels and annotations are overwritten for image.title information
+          context: git # git - this ensures to reference the current git context instead of workflow context (context info ref/sha)
+          images: ghcr.io/paloaltonetworks/panos_policy_automation-rhel9
+          tags: |
+            type=semver,pattern=v{{version}}
+            type=semver,pattern=v{{major}}.{{minor}}
+            type=semver,pattern=v{{major}}
+            type=ref,event=branch
+            type=ref,event=tag
+          labels: |
+            org.opencontainers.image.title=panos_policy_automation-rhel9
+          annotations: |
+            org.opencontainers.image.title=panos_policy_automation-rhel9
+
+      - name: build and publish
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
+        with:
+          context: "./context/"
+          file: "./context/Dockerfile"
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          provenance: ${{ inputs.release }}

.github/workflows/release_to_galaxy.yml

@@ -4,7 +4,7 @@ name: Release to Ansible repositories
 on:
   push:
     tags:
-      - 'v[0-9]+.[0-9]+.[0-9]+' # Matches tags like v1.0.0, v2.1.5, etc. Note currently is not triggered by semantic release
+      - 'v[0-9]+.[0-9]+.[0-9]+' # Matches tags like v1.0.0, v2.1.5, etc. This CI gets triggered by Semantic release.
   workflow_dispatch:
 permissions:
   contents: write

docs/user_guide/demo_walkthrough.md

@@ -19,7 +19,13 @@ CCTV
 
 Example Web to DB
 
+Run the lookup first
 ```shell
-ansible-playbook -i inventory_real.yml --extra-vars=@example_vars_file_web_to_db.yml example_playbook.yml
+ansible-playbook -i inventory_real.yml --extra-vars=@./example_vars_file_web_to_db.yml paloaltonetworks.panos_policy_automation.examples.lookup_policy
 ```
 
+Then, run creation
+
+```shell
+ansible-playbook -i inventory_real.yml --extra-vars=@./example_vars_file_web_to_db.yml paloaltonetworks.panos_policy_automation.examples.create_policy
+```

meta/ee-requirements.txt

@@ -0,0 +1,6 @@
+setuptools
+netaddr>=1.3.0
+dpath>=2.1.5,<3.0 ; python_version >= "3.10" and python_version < "4.0"
+pan-os-python>=1.8,<2.0 ; python_version >= "3.10" and python_version < "4.0"
+panos-upgrade-assurance>=1.4,<2.0 ; python_version >= "3.10" and python_version < "4.0"
+xmltodict>=0.12.0,<0.15.0 ; python_version >= "3.10" and python_version < "4.0"

meta/execution-environment.yml

@@ -0,0 +1,21 @@
+---
+version: 3
+
+images:
+  base_image:
+    name: registry.access.redhat.com/ubi10/ubi:latest
+
+dependencies:
+  python: ee-requirements.txt
+  galaxy:
+    collections:
+      - community.general
+      - name: ansible.posix
+      - name: ansible.utils
+      - name: paloaltonetworks.panos_policy_automation
+  ansible_core:
+    package_pip: ansible-core>=2.16.0,<2.17
+  ansible_runner:
+    package_pip: ansible-runner
+build_arg_defaults:
+ ANSIBLE_GALAXY_CLI_COLLECTION_OPTS: '--ignore-certs'