Replace Zuul with GHA (#60)

.github/CODEOWNERS

@@ -0,0 +1 @@
+*       @ssbarnea

.github/dependabot.yml

@@ -1,6 +1,20 @@
+---
+# Until bug below is sorted we will not allow dependabot to run by itself
+# https://github.com/dependabot/dependabot-core/issues/369
 version: 2
 updates:
   - package-ecosystem: pip
+    directory: /
+    schedule:
+      interval: daily
+    labels:
+      - dependabot-deps-updates
+      - skip-changelog
+    versioning-strategy: lockfile-only
+  - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: daily
+    labels:
+      - "dependencies"
+      - "skip-changelog"

.github/release-drafter.yml

@@ -1,18 +1,3 @@
-categories:
-  - title: 'Features'
-    labels:
-      - 'feature'
-      - 'enhancement'
-  - title: 'Bug Fixes'
-    labels:
-      - 'fix'
-      - 'bugfix'
-      - 'bug'
-  - title: 'Maintenance'
-    label: 'chore'
-exclude-labels:
-  - 'skip-changelog'
-template: |
-  ## Changes
-
-  $CHANGES
+---
+# see https://github.com/ansible/devtools
+_extends: ansible/devtools

.github/workflows/ack.yml

@@ -0,0 +1,10 @@
+---
+# See https://github.com/ansible/devtools/blob/main/.github/workflows/ack.yml
+name: ack
+on:
+  pull_request_target:
+    types: [opened, labeled, unlabeled, synchronize]
+
+jobs:
+  ack:
+    uses: ansible/devtools/.github/workflows/ack.yml@main

.github/workflows/push.yml

@@ -0,0 +1,13 @@
+---
+# See https://github.com/ansible/devtools/blob/main/.github/workflows/push.yml
+name: push
+on:
+  push:
+    branches:
+      - main
+      - "releases/**"
+      - "stable/**"
+
+jobs:
+  ack:
+    uses: ansible/devtools/.github/workflows/push.yml@main

.github/workflows/release.yml

@@ -0,0 +1,37 @@
+---
+name: release
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  pypi:
+    name: Publish to PyPI registry
+    environment: release
+    runs-on: ubuntu-22.04
+
+    env:
+      FORCE_COLOR: 1
+      PY_COLORS: 1
+      TOXENV: pkg
+
+    steps:
+      - name: Switch to using Python 3.9 by default
+        uses: actions/setup-python@v4
+        with:
+          python-version: 3.9
+      - name: Install tox
+        run: python3 -m pip install --user "tox>=4.0.0"
+      - name: Check out src from Git
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0 # needed by setuptools-scm
+      - name: Build dists
+        run: python -m tox
+      - name: Publish to pypi.org
+        if: >- # "create" workflows run separately from "push" & "pull_request"
+          github.event_name == 'release'
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          password: ${{ secrets.pypi_password }}

.github/workflows/tox.yml

@@ -0,0 +1,140 @@
+---
+name: tox
+on:
+  create: # is used for publishing to PyPI and TestPyPI
+    tags: # any tag regardless of its name, no branches
+      - "**"
+  push: # only publishes pushes to the main branch to TestPyPI
+    branches: # any integration branch but not tag
+      - "main"
+  pull_request:
+    branches:
+      - "main"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
+env:
+  FORCE_COLOR: 1 # tox, pytest, ansible-lint
+  PY_COLORS: 1
+
+jobs:
+  pre:
+    name: pre
+    runs-on: ubuntu-22.04
+    outputs:
+      matrix: ${{ steps.generate_matrix.outputs.matrix }}
+    steps:
+      - name: Determine matrix
+        id: generate_matrix
+        uses: coactions/matrix@main
+        with:
+          min_python: "3.9"
+          other_names: |
+            lint
+            pkg
+            devel
+  build:
+    name: ${{ matrix.name || matrix.passed_name || '?' }}
+    needs: pre
+    runs-on: ${{ matrix.os || 'ubuntu-22.04' }}
+    defaults:
+      run:
+        shell: ${{ matrix.shell || 'bash'}}
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.pre.outputs.matrix) }}
+    env:
+      PYTEST_REQPASS: 1
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0 # needed by setuptools-scm
+
+      - name: Set caches
+        if: "${{ contains(matrix.passed_name, 'lint') }}"
+        uses: actions/cache@v3
+        with:
+          path: ~/.cache/pre-commit
+          key: ${{ matrix.name || matrix.passed_name }}-${{ hashFiles('.pre-commit-config.yaml') }}
+
+      - name: Set up Python ${{ matrix.python_version || '3.9' }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python_version || '3.9' }}
+
+      - name: Install tox
+        run: |
+          python3 -m pip install --upgrade pip
+          python3 -m pip install --upgrade "tox>=4.0.8"
+
+      - name: Log installed dists
+        run: python3 -m pip freeze --all
+
+      - name: Initialize tox envs ${{ matrix.passed_env }}
+        run: python3 -m tox --notest --skip-missing-interpreters false -vv -e ${{ matrix.passed_name }}
+        timeout-minutes: 5 # average is under 1, but macos can be over 3
+
+      # sequential run improves browsing experience (almost no speed impact)
+      - name: tox -e ${{ matrix.passed_name }}
+        run: python3 -m tox -e ${{ matrix.passed_name }}
+
+      - name: Combine coverage data
+        if: ${{ startsWith(matrix.passed_name, 'py') }}
+        # produce a single .coverage file at repo root
+        run: tox -e coverage
+
+      - name: Upload coverage data
+        if: ${{ startsWith(matrix.passed_name, 'py') }}
+        uses: codecov/codecov-action@v3
+        with:
+          name: ${{ matrix.passed_name }}
+          fail_ci_if_error: false # see https://github.com/codecov/codecov-action/issues/598
+          token: ${{ secrets.CODECOV_TOKEN }}
+          verbose: true # optional (default = false)
+
+      - name: Archive logs
+        uses: actions/upload-artifact@v3
+        with:
+          name: logs.zip
+          path: .tox/**/log/
+        # https://github.com/actions/upload-artifact/issues/123
+        continue-on-error: true
+
+      - name: Report failure if git reports dirty status
+        run: |
+          if [[ -n $(git status -s) ]]; then
+            # shellcheck disable=SC2016
+            echo -n '::error file=git-status::'
+            printf '### Failed as git reported modified and/or untracked files\n```\n%s\n```\n' "$(git status -s)" | tee -a "$GITHUB_STEP_SUMMARY"
+            exit 99
+          fi
+        # https://github.com/actions/toolkit/issues/193
+
+  check: # This job does nothing and is only used for the branch protection
+    if: always()
+    permissions:
+      pull-requests: write # allow codenotify to comment on pull-request
+
+    needs:
+      - build
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Decide whether the needed jobs succeeded or failed
+        uses: re-actors/alls-green@release/v1
+        with:
+          jobs: ${{ toJSON(needs) }}
+
+      - name: Check out src from Git
+        uses: actions/checkout@v3
+
+      - name: Notify repository owners about lint change affecting them
+        uses: sourcegraph/[email protected]
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        # https://github.com/sourcegraph/codenotify/issues/19
+        continue-on-error: true

.pre-commit-config.yaml

@@ -24,10 +24,6 @@ repos:
     rev: v0.991
     hooks:
       - id: mypy
-  - repo: https://github.com/ansible/ansible-lint
-    rev: v6.10.0
-    hooks:
-      - id: ansible-lint
   - repo: https://github.com/openstack-dev/bashate.git
     rev: 2.1.1
     hooks:

README.rst

@@ -1,6 +1,3 @@
-.. image:: https://zuul-ci.org/gated.svg
-    :target: https://dashboard.zuul.ansible.com/t/ansible/builds?project=pycontribs/selinux
-
 .. image:: https://img.shields.io/badge/code%20style-black-000000.svg
    :target: https://github.com/python/black
    :alt: Python Black Code Style
@@ -18,15 +15,6 @@ to import it from inside isolated (default) virtualenvs.
 This package was also tested as installed outside virtualenvs and seems not
 to interfere with the original library.
 
-So far testing is done on:
-
-* CentOS 7
-* CentOS 8
-* Debian (latest)
-* Fedora 28
-* RHEL 8
-* Ubuntu (latest)
-
 The change-list can be accessed at `releases`__.
 
 __ https://github.com/pycontribs/selinux/releases

ansible.cfg

@@ -1,6 +1,5 @@
 [defaults]
 retry_files_enabled = False
-callback_whitelist = timer,profile_tasks,profile_roles
 
 host_key_checking = False
 forks = 500

setup.cfg

@@ -10,7 +10,6 @@ url = https://github.com/pycontribs/selinux
 project_urls =
     Bug Tracker = https://github.com/pycontribs/selinux/issues
     Release Management = https://github.com/pycontribs/selinux/releases
-    CI = https://dashboard.zuul.ansible.com/t/ansible/builds?project=pycontribs/selinux
     Source Code = https://github.com/pycontribs/selinux
 description = shim selinux module
 long_description = file: README.rst

tests/roles/ensure_ansible/meta/main.yml

@@ -1,5 +1,6 @@
 ---
 galaxy_info:
+  namespace: acme
   author: Sorin Sbarnea
   description: Role that bootstrap host to be managed via Ansible
   license: MIT

tests/roles/ensure_ansible/molecule/default/playbook.yml

@@ -33,7 +33,7 @@
 
     - name: Run ensure_ansible role
       ansible.builtin.import_role:
-        name: ensure_ansible
+        name: acme.ensure_ansible
 
     - name: Create a directory if it does not exist
       ansible.builtin.file: