@ggbecker ggbecker commented Jan 8, 2026

Description:

  • Update ansible galaxy roles upload script

Rationale:

TODO List

  • Remove print profile
  • Fix the .pyenv -> .pyenv.sh instruction
  • Update release guide with instructions on how to refresh the ansible roles in RedHatOfficial and ansible galaxy
  • Remove "elif repo.name not in potential_roles:" with "elif "ansible-role-rhel" in repo.name:"
-    os.system(
-        "git clone git@github.com:%s/%s" % (organization, repo))
-    os.system("ansible-galaxy init " + repo + " --force")
+    # 1. Initialize the Ansible role first (creates the directory)
+    os.system(f"ansible-galaxy init {repo}")
+
+    # 2. Change directory and initialize git
     os.chdir(repo)
     try:
+        os.system("git init --initial-branch=main")
+        os.system(f"git remote add origin git@github.com:{organization}/{repo}")
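Review bot: the added os.system calls for `ansible-galaxy init {repo}` and `git remote add origin git@github.com:{organization}/{repo}` build shell strings from `repo` and `organization` and discard the exit status, so a failed init still falls through to `os.chdir(repo)` and the git commands, and any shell metacharacter in a repository or organization name would be interpreted by the shell. Consider the list form, for example `subprocess.run(["ansible-galaxy", "init", repo], check=True)`, and the same for the two git calls, so that arguments are passed without a shell and a non-zero exit raises. Two smaller points: `git init --initial-branch=main` needs Git 2.28 or newer, which is worth stating in the release guide, and since `--force` was dropped from the init call, a comment saying what is expected when the role directory already exists would help.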

Draft Docs:

1 - Download the latest released upstream scap-security-guide that contains the built playbooks

	https://github.com/ComplianceAsCode/content/releases

2 - In your ComplianceAsCode/content switch to the target tag of release, for example git checkout v0.1.79

3 - Make sure that product allow list in the script contains all the correct RHEL major versions, if it wasn't updated already in the upstream

For example:
	https://github.com/ComplianceAsCode/content/blob/f266b7fdac909a3ce84fdda61355437e00ed761b/utils/ansible_playbook_to_role.py#L65

3 - Get a token from your github account https://github.com/settings/tokens that can access the RedHatOfficial repos and commit to them


4 - Switch the env to the ssg with source .pyenv.sh and then install pygithub if not installed yet, by running pip install "PyGithub>=1.58.2,<2.0"


5 - Then run the following command, replacing the token (it's also possible to use a github user/password combination if the token is not provided)

	$ python utils/ansible_playbook_to_role.py --build-playbooks-dir /built/ansible/playbooks_dir --token <github_dev_token> --tag-release

@ggbecker ggbecker added this to the 0.1.80 milestone Jan 8, 2026
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Jan 8, 2026

openshift-ci bot commented Jan 8, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all


github-actions bot commented Jan 8, 2026

ATEX Test Results

Test artifacts have been submitted to Testing Farm.

Results: View Test Results
Workflow Run: View Workflow Details

This comment was automatically generated by the ATEX workflow.

Previously, there was an allowlist for profiles to be uploaded, with that
many new supported profiles were not being included in the ansible
galaxy. Inverting the logic to a denylist will make any supported
ansible role for the supported products to be uploaded automatically.

At the time of this commit, profiles such as

bsi
ccn_advanced
ccn_basic
ccn_intermediate
cis_server_l1
cis_workstation_l1
cis_workstation_l2
stig_gui

were not being uploaded to ansible galaxy.

This version is required to work with the current implementation of the
script. A new pygithub 2.0 version was released and broke compatibility.

The ansible galaxy init command was deleting the .git folder from
a net new repository, making it unable to push the initial code to the
fresh repo for a brand new ansible role.

It's also fixed the missing variable for the potential collections, we
now simply check if the repo name contains the prefix ansible-role-rhel.

These dependencies should be now installed by default whenever someone
tries to install the CaC ansible roles.

Fixes: ComplianceAsCode#9067

The script now uses pygithub to fetch the RedHatOfficial repositories to
be updated and requires a github token as well to run.

The release documentation has been updated to reflect this update.
@ggbecker ggbecker force-pushed the update-ansible-roles-script branch from 930e1fc to ce153a6 Compare January 9, 2026 15:00
@ggbecker ggbecker marked this pull request as ready for review January 9, 2026 15:02
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Jan 9, 2026
Development

Successfully merging this pull request may close these issues.

Ansible Galaxy Role Documentation Improvement redhatofficial.rhel8_stig
