As a collection developer/maintainer
Publishing community collections, and Zuul
Latest developments
People seem to be aware of this, but there is no specific improvement coming up that is known to me.
Original text
The only way to publish community collections (i.e. in the community.* namespace) is by using the ansible.softwarefactory-project.io Zuul instance.
Unfortunately, this Zuul instance is pretty slow, quite often unreliable (pushed tags get ignored; builds fail repeatedly; …), and it is unclear whether this platform is still actively maintained and who can repair it if something is broken. Usually things resolve after some days.
So why not simply ditch it? For most community collections, this would be simple since they don’t use it for anything other than releasing. Unfortunately, moving the release process somewhere else is not easy.
The main problem is Ansible Galaxy.
To publish a collection on Galaxy, you need a token. The tokens basically have namespace granularity. So if you have a token that can publish community.foobar, you can also publish any other collection in the community namespace. So obviously the token for the community namespace is very sensitive, and you don’t want every single maintainer of a community collection to have access to it.
If it were possible to have a token per repository, it would be a lot less risky to set up GitHub Actions to do the releasing. You would still risk that individual community collection maintainers get hold of the token for their collection, but at least they could not publish any other collection. Automatically rotating the token regularly would then reduce the risk further.
This would require changes in galaxy_ng, the open source project powering Ansible Galaxy. This was already requested at the beginning of 2020 (Jeff Geerling created two related issues about this). Unfortunately, this apparently never got prioritized. (Also, using long-term credentials for package publishing is no longer state of the art.)
Maybe it’s time to change that?
After all, it seems that Galaxy development is still active. Unfortunately, there is no active issue tracker: the one in the old Galaxy repository is still used by users, but apparently ignored by developers. (Maybe these issues should be cleaned up and the repository archived? And users pointed to another place to report things? All the issues about the ansible-galaxy CLI tool are in the wrong repository anyway, but there doesn’t seem to be a hint to the posters that they are.)
And the new repositories (galaxy_ng, galaxy-importer, and no idea where the UI repository is, I always had trouble finding it in the past) don’t have one; the galaxy_ng repository simply links to the Ansible Forum, and galaxy-importer simply links to the Automation Hub Jira (which requires a login). I did try reporting something on the Forum, but never got any feedback from someone from the Galaxy team there.