Uv (https://docs.astral.sh/uv/) is not declared as a dependency for a
Python project, it must be available somehow in the system. This role
installs it if missing.
- Latest version is installed, unless `ensure_uv_version` is
informed.
- The installed executable path is set as the `uv_executable` fact.
- The `/usr/local/bin/uv` symlink can also be created if
`ensure_uv_global_symlink: true`.
This new role is a verbatim copy of the `ensure-poetry` role, just doing
a `s/poetry/uv/g`. Even this commit is a replay of the commit adding
that role: 524b7e7b95dcd6adc311e74dd7f0e6da8a3cce58.
Change-Id: I55bc5e1d273045d0978b09f719bf79a875336e30
pyproject-build (https://build.pypa.io/) is used as a pyproject (PEP
517) build frontend. This role installs it if missing.
This new role is basically a copy of the `ensure-poetry` role, in
turn copied from other roles in this repository.
Change-Id: If6e3970d995256beea170cad039d7dba9538d191
This adds a role (and job) to mirror container images from one
registry to another.
Also, disable the name[template] ansible-lint check because it
greatly reduces the utility of including templates in task names.
Change-Id: Id01295c51b67ffb7e98637c6cdcc4e7a14c92b22
The trademark for the logo, as filed, is specified as dark blue.
That logo needs to be displayed in a user guide or manual or
alongside a direct download of the software in order to demonstrate
continued use of the mark, and the foundation's trademark lawyers
have expressed concern that a white version is insufficient (but
they seem to be okay with the current background color as long as
the lines of the logo are colored similar to the version on file).
This is a copy of the equivalent change from the zuul repository.
Co-Authored-By: James E. Blair <jim@acmegating.com>
Depends-On: https://review.opendev.org/934443
Change-Id: I2de26048c3a4cb8cb6b67bf786b526963c6ec04b
The blockdiag/seqdiag set of tools and their sphinx extensions are no
longer maintained. This hasn't been a huge issue until we started
running jobs on Python3.12 as we need to run an older version of Pillow
to support these tools and that needs special libs to build wheels on
python3.12.
Rather than continue to try and make old unmaintained tools work we
switch to graphviz which is maintained and has support built into
sphinx. This does require us to install graphviz as a system dep but
that seems like a reasonable tradeoff for using supported tooling.
The resulting graph specifications are also slightly more verbose.
Co-Authored-By: James E. Blair <jim@acmegating.com>
Change-Id: I2d1e4c3d648723402aae2d87fb3233f4418d5003
This adds a role convert-diskimage which uses the qemu-img tool to
convert diskimages from one format to another. Currently supported image
formats are raw and qcow2.
Change-Id: I4770af04c37f39e0cce23d5dd59ead744bed7d74
Poetry (https://python-poetry.org) is not declared as a dependency for a
Python project, it must be available somehow in the system. This role
installs it if missing.
- Latest version is installed, unless `ensure_poetry_version` is
informed.
- The installed executable path is set as the `poetry_executable` fact.
- The `/usr/local/bin/poetry` symlink can also be created if
`ensure_poetry_global_symlink: true`.
This new role is basically a copy of the `ensure-nox` role with the
symlink creation snippet taken from the `ensure-tox` role.
The commit adding `ensure-nox` (77b1b24) has been taken as an example of
the necessary changes when adding a new role.
Change-Id: I5592d38d415a9d74055348406653b69f110541ae
Python 3.12 is a thing now and is present in a stable Linux distro
release (Ubuntu Noble). It seems reasonable for people to want to run
nox and tox against py312 targets. Let's make it easy for them and add
jobs to do that for them.
Change-Id: I9d644cfbe65b92207a5fe2ad6dd950093bda87dd
This change is preparation for https://review.opendev.org/c/zuul/zuul-jobs/+/887917
In the beginning, there was only prepare-workspace[0] which rsynced repos.
Then we added mirror-workspace-git[1] to make it more efficient by using git operation, but it required some openstack-specific code in project-config to work.
Then we added prepare-workspace-git[2] which completed the git-based sync solution by locating everything requried in zuul-jobs. It used mirror-workspace-git by reference and added this TODO:
# TODO(tobiash): we might want to deprecate the role mirror-workspace-git-repos
# and move it here.
This change completes that TODO by moving the mirror-workspace-git-repos code into prepare-workspace-git and places the repo in a sensible and maintainable state with two simple and good options:
* prepare-workspace (rsync)
* prepare-workspace-git (git)
In the unlikely event anyone is still using mirror-workspace-git-repos standalone (OpenStack/OpenDev is not, and that solution was haphazard as described above) they would be well served by a notification that there is a better alternative which is what most of the community actually uses now.
[0] cfffd4431b8efc2f4df1999ecb89384a29c59238
[1] 348598e96aac742954fa326a15a4ef8fd7f71b8b
[2] 7cee7156bcde8bc396ac4b6581bf2cae02eea0e9
Change-Id: Ib80e0447d49363182fd0d4c4d4e269841bc3aa95
We added nox somewhat recently and set it up to mimic existing tox jobs.
This meant adding py27 jobs. Since then (in OpenDev at least) only a
single project has used the py27 job: Bindep. Bindep is dropping support
for python2.7 as the need for it has come to an end. Additionally, nox
doesn't work with python2.7 out of the box due to a virtualenv
dependency that ends up being too new for python2.7 venv creation.
Rather than hack around that let's drop python2.7 job support.
Change-Id: I52c07b01ad173304c19b13a10927fdadf9d84170
This adds a new role that can be used to ensure a quay repo exists
before publishing to it. This is particularly useful for creating public
repos in quay as simply pushing to a repo with quay will create a
private repo by default.
Change-Id: I979f1b9b64f901bb8d54b8991bb9142b18b6330f
This is a role to abstract removal of tags from registries, which is
an operation that practically has to be done via the registry API.
This implements removing tags from the quay and docker API's.
For the common case of working with a repository like
"quay.io/org/project" there is minimal configuration. However, if you
run a private repository, this is flexible with a few extra variables
to tell the role to use the quay API but your own URL.
By default it clears out old tags from the Zuul promote pipeline.
However if you set registry_tag_remove_tag it will only remove that
one tag.
This is inspired by the current work done in promote-docker-image
role.
Change-Id: I7f2d9d00024e34451e2d20b2c2f8171ecd151943
This role uses skopeo to perform image operations.
Also update the container roles docs to add missing documentation
for the already existing upload-container-image role. Clarify
some ambiguity about the registry and repository attributes of
the container images data structure.
Change-Id: Ib66c85daf0edacf0dd797ab34b0d629f99c7111b
Co-Authored-By: James E. Blair <jim@acmegating.com>
The enable-fips role has been refactored to support both centos/rhel and
Ubuntu.
In addition, for the Ubuntu tasks, a small role is added to enable a
Ubuntu Advantage subscription. This is required because Ubuntu requires
a subscription to enable FIPS. This role takes a subscription key as a
parameter (ubuntu_ua_token.token).
In Openstack, this is provided by the openstack-fips job in
openstack/project-config, which will be the base job for OpenStack jobs.
This job will provide the ubuntu_ua_token.token.
Change-Id: I47a31f680172b47584510adb672b68498a85bd32
The default base job nodeset is moving from focal to jammy. Jammy
doesn't have python3.8 to run these jobs. Address that by explicitly
forcing these jobs to run on focal.
Change-Id: I57433092ea2afbec4546659ea20f31161cc41a6e
This role will do basic checks to confirm that the node is
sufficiently up to continue afer a reboot.
Change-Id: Iebf474c9351e4246d7ab2072b48a50e93dbf0b94
This is a copy of prepare-workspace-git except that it imports
test-mirror-workspace-git-repos. This is for base job testing.
Change-Id: I4ef3e4376c9e958761c165836c4fb546157e237a
This adds roles that, similar to add-build-sshkey, create a per-build
WinRM certificate, install it on remote windows nodes, and then switch
to using the certificate in Ansible for authentication. A second role
is included which can clean up the cert which is useful for static
nodes.
Since winrm certificates must be acessible within the bubblewrap
container, these roles can be used to restrict the system-wide winrm
cert to trusted playbooks while untrusted playbooks will only have access
to the per-build cert (with appropriate configuration of the executor).
Change-Id: I4efe25594c2f543886a000aa02fb0a38683a43cb
To match change I2870450ffd02f55509fcc1297d050b09deafbfb9 in Zuul.
This does not use the versioning feature due to the nature of this repo.
This also corrects a reference which is now an error.
Change-Id: Ia1d31df932b447f11bc588925de9974d4f6dfc7d
FIPS needs to be enabled before test-setup is run, as enabling
FIPS requires the node to be rebooted, test-setup needs to run and
setup the environment after the reboot.
Change-Id: I6fecb9c6e917d1a36b2b82c1b02098eed4323ac7
This patch adds a new multinode job definition that enables
FIPS mode prior to multinode configuration.
In order to enable FIPS mode, the OS boot procedure need to be
changed to enable the appropriate kernel flag. This modification
has effect only after system reboot.
The default behavior of this job is to always enable FIPS mode.
Change-Id: I6f1365837d9ed2ba82c391a20f9094c9ef0e6c4e
Signed-off-by: Douglas Viroel <dviroel@redhat.com>
Update the deprecation policy to indicate that zuul-jobs is no
longer tested with EOL platforms. Also explicitly switch the minimum
Python 3 documented to 3.6, and add a note to the tox-py34 and
tox-py35 jobs mentioning that they're no longer directly tested.
Move those jobs to the deprecated jobs list as well, to help
reinforce the point that their continued use is not recommended.
Change-Id: I2edbf8ea010caf7a7641e0d88f360965fc0b96ab
