Migrate the Puppet forge publish procedure contained in the `Packages_builder` pipeline to GHA

[teddytpc1]

Objective
https://github.com/wazuh/wazuh-packages/issues/2904

Description

Because of the Wazuh packages redesign tier 2 objective we need to migrate the Puppet forge build and publication from the Packages_builder pipeline to a GHA.

Tasks

• [x] Replicate the Puppet forge build from the Jenkins pipeline, in the new Jenkins.
• [x] Upload the TAR file to S3 to the corresponding pre-release location
• [x] Test the pipeline and provide evidence.

Changes

• [x] Request permission to upload files to the packages-dev.internal.wazuh.com. https://github.com/wazuh/internal-devel-requests/issues/1555
• [x] Ask the QA team for the location/folder to upload the files. Take into account that the Puppet module name cannot be modified. https://github.com/wazuh/internal-devel-requests/issues/1555
• [x] Modify the puppet_module_builder_gha_workflow policy to only allow performing actions within the packages-dev.internal.wazuh.com in the previously defined folder.
• [x] The Puppet module must be only uploaded to packages-dev.internal.wazuh.com
• [x] The workflow must allow uploading from a branch (remove the condition).

Additional changes

• [x] Add the revision to the metadata.json file (-1 by default). In case of a new revision, the value will be updated in the new branch for that release/revision.
• [x] Modify the workflow logic. If the is_stage GHA input is false the value of the version in metadata.json should be updated before the module generation. The new name will have the module version, revision, and commit. This will replace the current Modify name for stage build step.

[vcerenu]

The workflow for creating the Wazuh Puppet module was created in the wazuh/wazuh-puppet repository and its execution was tested: https://github.com/wazuh/wazuh-puppet/actions/runs/10813987146

It was verified that the workflow creates the module, uploads it as an artifact to Github Actions and the functionality of uploading the file to the corresponding S3 bucket was also tested.

[jnasselle]

Hi @vcerenu ,

Here are some specs regarding this issue that are related to the https://github.com/wazuh/internal-devel-requests/issues/187 criteria:

• Package naming: given the fact that it's critical to distinguish between dev and packages (candidate and not candidate), the name could be wazuh-wazuh-4.9.0_<shortcommitsha>.tar.gz for dev and wazuh-wazuh-4.9.0.tar.gz for candidates (see is_stage).
• Package location: There's no clear criteria about what's main or secondary, but IMO packages should be stored at s3://packages-dev.internal.wazuh.com/development/wazuh/4.x/secondary/puppet-module/
• GHA inputs: please, in order to maintain the same vocabulary as possible, see other GHA and align the input names

NOTE:

• 4.x should be interpreted as MAJOR.x
• 4.9.0 should be interpreted as MAJOR.MINOR.PATCH

[vcerenu]

Description

The upload path to S3 was modified, the name of the Puppet module file was added for executions of different stages before the production package, and the workflow inputs were modified to have a better relationship with the other workflows created.

Test

Execution for stage environments: https://github.com/wazuh/wazuh-puppet/actions/runs/10888749953

Execution for Production environments: https://github.com/wazuh/wazuh-puppet/actions/runs/10888742198

[vcerenu]

Update

Added modification of the key version value within the metadata.json file and added a stage to modify it in case of a development version.

Test

https://github.com/wazuh/wazuh-puppet/actions/runs/10909059398

[vcerenu]

Update

The revision number was deleted from metadata file.

Tests:

Stage Execution: https://github.com/wazuh/wazuh-puppet/actions/runs/10940166613

No stage execution: https://github.com/wazuh/wazuh-puppet/actions/runs/10940152573

[jnasselle]

I am reopening this issue because our package generation script needs an undocumented mandatory input field and behaviors.

Specs:

• Name:

run-name: Puppet module ${{ inputs.is_stage && ' - is stage' || '' }}${{ inputs.checksum && ' - checksum' || '' }} ${{ inputs.id }}

• Inputs EDIT: inputs should exist on both workflow_dispatch and workflow_call in order to be aligned with already GHA development
  • workflow_call

    id:
    type: string
    required: false
    checksum:
    type: boolean
    required: false

  • workflow_dispatch

    id:
    type: string
    description: |
      ID used to identify the workflow uniquely.
    required: false
    checksum:
    type: boolean
    description: |
      Generate package checksum.
      Default is 'false'.
    required: false

• Checksum should be uploaded into the same place of the package with the same name but adding the suffix .sha512

[jnasselle]

Checksum development was here https://github.com/wazuh/wazuh-puppet/pull/1119