Update the CI template

.ci/run_container.sh

@@ -1,14 +1,5 @@
 #!/bin/sh
 
-# This file is shared between some projects please keep all copies in sync
-# Known places:
-#   - https://github.com/pulp/pulp-cli/blob/main/.ci/run_container.sh
-#   - https://github.com/pulp/pulp-cli-deb/blob/main/.ci/run_container.sh
-#   - https://github.com/pulp/pulp-cli-gem/blob/main/.ci/run_container.sh
-#   - https://github.com/pulp/pulp-cli-maven/blob/main/.ci/run_container.sh
-#   - https://github.com/pulp/pulp-cli-ostree/blob/main/.ci/run_container.sh
-#   - https://github.com/pulp/squeezer/blob/develop/tests/run_container.sh
-
 set -eu
 
 BASEPATH="$(dirname "$(readlink -f "$0")")"
@@ -25,6 +16,16 @@ then
 fi
 export CONTAINER_RUNTIME
 
+TMPDIR="$(mktemp -d)"
+
+cleanup () {
+  "${CONTAINER_RUNTIME}" stop pulp-ephemeral && true
+  rm -rf "${TMPDIR}"
+}
+
+trap cleanup EXIT
+trap cleanup INT
+
 if [ -z "${KEEP_CONTAINER:+x}" ]
 then
   RM="yes"
@@ -47,12 +48,36 @@ else
     SELINUX=""
 fi;
 
-"${CONTAINER_RUNTIME}" run ${RM:+--rm} --env S6_KEEP_ENV=1 ${PULP_API_ROOT:+--env PULP_API_ROOT} --detach --name "pulp-ephemeral" --volume "${BASEPATH}/settings:/etc/pulp${SELINUX:+:Z}" --publish "8080:80" "ghcr.io/pulp/pulp:${IMAGE_TAG}"
+mkdir -p "${TMPDIR}/settings/certs"
+cp "${BASEPATH}/settings/settings.py" "${TMPDIR}/settings"
 
-# shellcheck disable=SC2064
-trap "${CONTAINER_RUNTIME} stop pulp-ephemeral" EXIT
-# shellcheck disable=SC2064
-trap "${CONTAINER_RUNTIME} stop pulp-ephemeral" INT
+if [ -z "${PULP_HTTPS:+x}" ]
+then
+  PROTOCOL="http"
+  PORT="80"
+  PULP_CONTENT_ORIGIN="http://localhost:8080/"
+else
+  PROTOCOL="https"
+  PORT="443"
+  PULP_CONTENT_ORIGIN="https://localhost:8080/"
+  python3 -m trustme -d "${TMPDIR}/settings/certs"
+  export PULP_CA_BUNDLE="${TMPDIR}/settings/certs/client.pem"
+  ln -fs server.pem "${TMPDIR}/settings/certs/pulp_webserver.crt"
+  ln -fs server.key "${TMPDIR}/settings/certs/pulp_webserver.key"
+fi
+export PULP_CONTENT_ORIGIN
+
+"${CONTAINER_RUNTIME}" \
+  run ${RM:+--rm} \
+  --env S6_KEEP_ENV=1 \
+  ${PULP_HTTPS:+--env PULP_HTTPS} \
+  ${PULP_API_ROOT:+--env PULP_API_ROOT} \
+  --env PULP_CONTENT_ORIGIN \
+  --detach \
+  --name "pulp-ephemeral" \
+  --volume "${TMPDIR}/settings:/etc/pulp${SELINUX:+:Z}" \
+  --publish "8080:${PORT}" \
+  "ghcr.io/pulp/pulp:${IMAGE_TAG}"
 
 echo "Wait for pulp to start."
 for counter in $(seq 40 -1 0)
@@ -67,23 +92,27 @@ do
   fi
 
   sleep 3
-  if curl --fail "http://localhost:8080${PULP_API_ROOT:-/pulp/}api/v3/status/" > /dev/null 2>&1
+  if curl --insecure --fail "${PROTOCOL}://localhost:8080${PULP_API_ROOT:-/pulp/}api/v3/status/" > /dev/null 2>&1
   then
     echo "SUCCESS."
     break
   fi
   echo "."
 done
 
-# show pulpcore/plugin versions we're using
-curl -s "http://localhost:8080${PULP_API_ROOT:-/pulp/}api/v3/status/" | jq '.versions|map({key: .component, value: .version})|from_entries'
-
 # Set admin password
 "${CONTAINER_RUNTIME}" exec "pulp-ephemeral" pulpcore-manager reset-admin-password --password password
 
+# Create pulp config
+PULP_CLI_CONFIG="${TMPDIR}/settings/certs/cli.toml"
+export PULP_CLI_CONFIG
+pulp config create --overwrite --location "${PULP_CLI_CONFIG}" --base-url "${PROTOCOL}://localhost:8080" ${PULP_API_ROOT:+--api-root "${PULP_API_ROOT}"} --username "admin" --password "password"
+# show pulpcore/plugin versions we're using
+pulp --config "${PULP_CLI_CONFIG}" --refresh-api status
+
 if [ -d "${BASEPATH}/container_setup.d/" ]
 then
-  run-parts --regex '^[0-9]+-[-_[:alnum:]]*\.sh$' "${BASEPATH}/container_setup.d/"
+  run-parts --exit-on-error --regex '^[0-9]+-[-_[:alnum:]]*\.sh$' "${BASEPATH}/container_setup.d/"
 fi
 
 PULP_LOGGING="${CONTAINER_RUNTIME}" "$@"

.ci/scripts/collect_changes.py

@@ -101,7 +101,7 @@ def main():
             for change in main_changes:
                 fp.write(change[1])
 
-        repo.git.commit("-m", "Update Changelog", "-m" "[noissue]", CHANGELOG_FILE)
+        repo.git.commit("-m", "Update Changelog", CHANGELOG_FILE)
 
 
 if __name__ == "__main__":

.ci/scripts/create_release_branch.sh

@@ -23,6 +23,11 @@ git branch "${NEW_BRANCH}"
 # Clean changelog snippets.
 find CHANGES/ \( -name "*.feature" -o -name "*.bugfix" -o -name "*.removal" -o -name "*.doc" -o -name "*.translation" -o -name "*.devel" -o -name "*.misc" \) -exec git rm -f \{\} +
 
-bump-my-version bump minor --commit --message $'Bump version to {new_version}\n\n[noissue]' --allow-dirty
+bump-my-version bump minor --commit --message $'Bump version to {new_version}' --allow-dirty
 
 git push origin "${NEW_BRANCH}"
+
+if [ "${GITHUB_ENV:-}" ]
+then
+  echo "NEW_BRANCH=${NEW_BRANCH}" >> "${GITHUB_ENV}"
+fi

.ci/scripts/validate_commit_message.py

@@ -17,12 +17,15 @@
     r"DO\s*NOT\s*MERGE",
     "EXPERIMENT",
 ]
-NO_ISSUE = "[noissue]"
 CHANGELOG_EXTS = [f".{item['directory']}" for item in PYPROJECT_TOML["tool"]["towncrier"]["type"]]
+NOISSUE_MARKER = "[noissue]"
 
 sha = sys.argv[1]
 message = subprocess.check_output(["git", "log", "--format=%B", "-n 1", sha]).decode("utf-8")
 
+if NOISSUE_MARKER in message:
+    sys.exit("Do not add '[noissue]' in the commit message.")
+
 if any((re.match(pattern, message) for pattern in BLOCKING_REGEX)):
     sys.exit("This PR is not ready for consumption.")
 
@@ -61,13 +64,5 @@ def check_changelog(issue):
         if not cherry_pick:
             check_status(issue)
             check_changelog(issue)
-else:
-    if NO_ISSUE in message:
-        print("Commit {sha} has no issues but is tagged {tag}.".format(sha=sha[0:7], tag=NO_ISSUE))
-    else:
-        sys.exit(
-            "Error: no attached issues found for {sha}. If this was intentional, add "
-            " '{tag}' to the commit message.".format(sha=sha[0:7], tag=NO_ISSUE)
-        )
 
 print("Commit message for {sha} passed.".format(sha=sha[0:7]))

.ci/settings/settings.py

@@ -1,3 +1,4 @@
-CONTENT_ORIGIN = "http://localhost:8080/"
 ALLOWED_EXPORT_PATHS = ["/tmp"]
-TELEMETRY = False
+ORPHAN_PROTECTION_TIME = 0
+ANALYTICS = False
+ALLOWED_CONTENT_CHECKSUMS = ["sha1", "sha256", "sha512"]

.github/dependabot.yml

@@ -4,13 +4,13 @@ updates:
   directory: "/"
   schedule:
     interval: daily
-  open-pull-requests-limit: 10
   commit-message:
-    prefix: "[noissue]"
+    prefix: "[PIP] "
+  open-pull-requests-limit: 10
 - package-ecosystem: github-actions
   directory: "/"
   schedule:
-    interval: daily
-  open-pull-requests-limit: 10
+    interval: weekly
   commit-message:
-    prefix: "[noissue]"
+    prefix: "[GHA] "
+  open-pull-requests-limit: 10

.github/workflows/build.yml

@@ -1,3 +1,4 @@
+---
 name: "Build"
 
 on:
@@ -34,3 +35,4 @@ jobs:
             dist/
           if-no-files-found: "error"
           retention-days: 5
+...

.github/workflows/codeql.yml

@@ -1,3 +1,4 @@
+---
 name: "CodeQL"
 
 on:
@@ -18,28 +19,13 @@ jobs:
     steps:
       - name: "Checkout repository"
         uses: "actions/checkout@v4"
-      - uses: "actions/cache@v4"
-        with:
-          path: "~/.cache/pip"
-          key: "${{ runner.os }}-pip-${{ hashFiles('**/*requirements.txt', '**/*constraints.lock', '**/setup.py', '**/pyproject.toml') }}"
-          restore-keys: |
-            ${{ runner.os }}-pip-
-
-      - name: "Set up Python"
-        uses: "actions/setup-python@v5"
-        with:
-          python-version: "3.11"
-      - name: "Manually install from sources"
-        run: |
-          python -m pip install -e . -e ./pulp-glue-ostree
-          echo "CODEQL_PYTHON=$(which python)" >> "$GITHUB_ENV"
       - name: "Initialize CodeQL"
         uses: "github/codeql-action/init@v3"
         with:
           languages: "python"
-          setup-python-dependencies: false
 
       - name: "Perform CodeQL Analysis"
         uses: "github/codeql-action/analyze@v3"
         with:
           category: "/language:python"
+...

.github/workflows/collect_changes.yml

@@ -1,3 +1,4 @@
+---
 name: "Collect changes"
 on:
   workflow_call:
@@ -30,3 +31,4 @@ jobs:
           body: ""
           branch: "update_changes"
           delete-branch: true
+...

.github/workflows/lint.yml

@@ -1,3 +1,4 @@
+---
 name: "Lint"
 
 on:
@@ -35,3 +36,4 @@ jobs:
       - name: "Lint code"
         run: |
           make lint
+...

.github/workflows/nightly.yml

@@ -1,3 +1,4 @@
+---
 name: "pulp-cli Nightly"
 
 on:
@@ -17,3 +18,4 @@ jobs:
   collect_changes:
     uses: "./.github/workflows/collect_changes.yml"
     secrets: "inherit"
+...

.github/workflows/pr.yml

@@ -1,3 +1,4 @@
+---
 name: "pulp-cli CI"
 
 on:
@@ -64,3 +65,4 @@ jobs:
           echo '${{toJson(needs)}}' | jq -r 'to_entries[]|select(.value.result!="success")|.key + ": " + .value.result'
           echo '${{toJson(needs)}}' | jq -e 'to_entries|map(select(.value.result!="success"))|length == 0'
           echo "CI says: Looks good!"
+...

.github/workflows/pr_checks.yml

@@ -13,43 +13,48 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  single_commit:
+  apply_labels:
     runs-on: "ubuntu-latest"
-    name: "Label multiple commit PR"
+    name: "Label PR"
     permissions:
       pull-requests: "write"
     steps:
       - uses: "actions/checkout@v4"
         with:
           fetch-depth: 0
-      - name: "Commit Count Check"
+      - uses: "actions/setup-python@v5"
+        with:
+          python-version: "3.12"
+      - name: "Determine PR labels"
         run: |
+          pip install GitPython==3.1.42
           git fetch origin ${{ github.event.pull_request.head.sha }}
-          echo "COMMIT_COUNT=$(git log  --oneline --no-merges origin/${{ github.base_ref }}..${{ github.event.pull_request.head.sha }} | wc -l)" >> "$GITHUB_ENV"
+          python .ci/scripts/pr_labels.py "origin/${{ github.base_ref }}" "${{ github.event.pull_request.head.sha }}" >> "$GITHUB_ENV"
       - uses: "actions/github-script@v7"
+        name: "Apply PR Labels"
         with:
           script: |
-            const labelName = "multi-commit";
-            const { COMMIT_COUNT } = process.env;
+            const { ADD_LABELS, REMOVE_LABELS } = process.env;
 
-            if (COMMIT_COUNT == 1)
-            {
-              try {
-                await github.rest.issues.removeLabel({
-                  issue_number: context.issue.number,
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  name: labelName,
-                });
-              } catch(err) {
+            if (REMOVE_LABELS.length) {
+              for await (const labelName of REMOVE_LABELS.split(",")) {
+                try {
+                  await github.rest.issues.removeLabel({
+                    issue_number: context.issue.number,
+                    owner: context.repo.owner,
+                    repo: context.repo.repo,
+                    name: labelName,
+                  });
+                } catch(err) {
+                }
               }
             }
-            else
-            {
+            if (ADD_LABELS.length) {
               await github.rest.issues.addLabels({
                 issue_number: context.issue.number,
                 owner: context.repo.owner,
                 repo: context.repo.repo,
-                labels: [labelName],
+                labels: ADD_LABELS.split(","),
               });
             }
+...

.github/workflows/publish.yml

@@ -1,3 +1,4 @@
+---
 name: "pulp-cli Publish"
 
 on:
@@ -35,3 +36,4 @@ jobs:
           twine upload dist/*
           cd ..
           twine upload dist/*
+...

.github/workflows/release.yml

@@ -1,3 +1,4 @@
+---
 name: "pulp-cli Release"
 
 on:
@@ -26,3 +27,4 @@ jobs:
       - name: "Release"
         run: |
           .ci/scripts/release.sh
+...

.github/workflows/release_branch.yml

@@ -30,3 +30,17 @@ jobs:
           body: ""
           branch: "bump_version"
           delete-branch: true
+      - name: "Add Backport Label for new Branch"
+        uses: "actions/github-script@v7"
+        with:
+          script: |
+            const { NEW_BRANCH } = process.env;
+            const labelName = "backport-" + NEW_BRANCH;
+
+            await github.rest.issues.createLabel({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              name: labelName,
+              color: "C8780A",
+            });
+...