From 3dbad7e7375df6ad30f69497e6182bf30453b850 Mon Sep 17 00:00:00 2001
From: Mathieu Garcia
Date: Wed, 1 Oct 2025 22:48:01 +0200
Subject: [PATCH] ci(docker): add Ansible image publishing workflow

---
 .github/workflows/docker-publish.yml         | 44 ++++++++++++++++----
 ansible/Dockerfile                           |  6 +--
 requirements.txt => ansible/requirements.txt |  0
 3 files changed, 39 insertions(+), 11 deletions(-)
 rename requirements.txt => ansible/requirements.txt (100%)

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 60bc8a6d..6fe074b9 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -18,6 +18,7 @@ env:
   REGISTRY: ghcr.io
   # github.repository as /
   IMAGE_NAME_UI: ${{ github.repository }}-ui
+  IMAGE_NAME_ANSIBLE: ${{ github.repository }}-ansible


 jobs:
@@ -61,22 +62,39 @@ jobs:

       # Extract metadata (tags, labels) for Docker
       # https://github.com/docker/metadata-action
-      - name: Extract Docker metadata
-        id: meta
+      - name: Extract Docker UI metadata
+        id: meta-ui
         uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME_UI }}

+      - name: Extract Docker Ansible metadata
+        id: meta-ansible
+        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME_ANSIBLE }}
+
       # Build and push Docker image with Buildx (don't push on PR)
       # https://github.com/docker/build-push-action
       - name: Build and push UI Docker image
-        id: build-and-push
+        id: build-and-push-ui
         uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
         with:
           context: ui/.
           push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ steps.meta-ui.outputs.tags }}
+          labels: ${{ steps.meta-ui.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Build and push Ansible Docker image
+        id: build-and-push-ansible
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        with:
+          context: ansible/.
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta-ui.outputs.tags }}
+          labels: ${{ steps.meta-ui.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max

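Review bot: The new "Build and push Ansible Docker image" step is tagged and labelled with the UI metadata — `tags: ${{ steps.meta-ui.outputs.tags }}` and `labels: ${{ steps.meta-ui.outputs.labels }}` — so on a non-PR event it pushes the Ansible image to the `IMAGE_NAME_UI` tags, overwriting the UI image pushed by the step just above it, and nothing is ever published under `IMAGE_NAME_ANSIBLE`, which the later Ansible signing step then tries to sign. Change both lines to `tags: ${{ steps.meta-ansible.outputs.tags }}` and `labels: ${{ steps.meta-ansible.outputs.labels }}`. Separately, both build steps use `cache-to: type=gha,mode=max` without a `scope`, so as far as I can tell they share the default cache scope and each run's second build can overwrite the first's layers; giving each step its own `cache-from: type=gha,scope=ui` / `cache-to: type=gha,mode=max,scope=ui` (and `scope=ansible` for the other) keeps the caches separate. The `steps:` list this hunk edits starts before the hunk and continues past it into the signing steps.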
@@ -85,12 +103,22 @@ jobs:
       # repository is public to avoid leaking data. If you would like to publish
       # transparency data even for private images, pass --force to cosign below.
       # https://github.com/sigstore/cosign
-      - name: Sign the published Docker image
+      - name: Sign the published UI Docker image
         if: ${{ github.event_name != 'pull_request' }}
         env:
           # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
-          TAGS: ${{ steps.meta.outputs.tags }}
-          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+          TAGS: ${{ steps.meta-ui.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push-ui.outputs.digest }}
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
         run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+
+      - name: Sign the published Ansible Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          TAGS: ${{ steps.meta-ansible.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push-ansible.outputs.digest }}
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
\ No newline at end of file
diff --git a/ansible/Dockerfile b/ansible/Dockerfile
index 86dbcd0b..bba30aa0 100644
--- a/ansible/Dockerfile
+++ b/ansible/Dockerfile
@@ -29,13 +29,13 @@ RUN mkdir /tmp/terraform /root/.ssh && \
     unzip terraform_1.12.1_linux_arm64.zip && \
     mv terraform /usr/local/bin/

-COPY . /simple-stack
+COPY . /ansible

-WORKDIR /simple-stack
+WORKDIR /ansible

 RUN pip install --break-system-packages -r requirements.txt

-WORKDIR /simple-stack/ansible
+WORKDIR /ansible

 RUN ansible-galaxy collection install -r requirements.yml -p ./collections
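Review bot: The new Ansible signing step pairs `TAGS: ${{ steps.meta-ansible.outputs.tags }}` with `DIGEST: ${{ steps.build-and-push-ansible.outputs.digest }}`, which is only sound if the Ansible build step actually pushed under the `-ansible` tags; in the build hunk above that step is tagged with the `meta-ui` outputs, so each `cosign sign <ansible-tag>@<digest>` call here names a manifest that was never pushed to that repository and the step will fail (or, once fixed, this pairing is what makes the signature meaningful — keep the tag/digest sources in lockstep with the build step). The file also now ends without a trailing newline on the `run:` line; add one. The `steps:` list this hunk edits begins before the hunk.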
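Review bot: `COPY . /ansible` copies the whole `ansible/` build context into an image that the new workflow now publishes to ghcr.io, and it does so before the dependency installs, so any edit to a playbook invalidates the pip and galaxy layers. I cannot see what else lives in `ansible/`, but with `/root/.ssh` being created just above, inventories, vault files or keys in that directory would be baked into the published image unless a `.dockerignore` next to this Dockerfile excludes them. I would copy only `requirements.txt` and `requirements.yml` first, install, then copy the rest last, and add a `.dockerignore` covering `*.pem`, `id_*`, `*.vault`, inventories and similar; if `ansible/` already contains a `collections/` directory the final COPY will overlay what `ansible-galaxy` installed, so confirm that is intended. The `RUN mkdir … && \` instruction starts before the hunk.
```dockerfile
# … unchanged: terraform download and install …
WORKDIR /ansible

# Install dependencies from the requirement files alone so these layers stay
# cached until those files change.
COPY requirements.txt requirements.yml ./
RUN pip install --break-system-packages -r requirements.txt
RUN ansible-galaxy collection install -r requirements.yml -p ./collections

# Copy the playbooks last; pair with a .dockerignore so inventories, vault
# files and private keys are not shipped in the published image.
COPY . /ansible
```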
diff --git a/requirements.txt b/ansible/requirements.txt
similarity index 100%
rename from requirements.txt
rename to ansible/requirements.txt