feat(x2a): Publish Phase implemented on backend and UI (#2420)

* publish in k8s job - draft

* Publish Job works; second module appeneded

* Working Publish flow, SSL disable option

* default ssl verify true

* Tidying up skipSSLVerify variable defaults

Author: elai-shalev

workspaces/x2a/app-config.yaml

@@ -172,7 +172,8 @@ x2a:
       url: ${AAP_URL:-https://aap.example.com}
       orgName: ${AAP_ORG_NAME:-MyOrganization}
       # Option 1: OAuth token
-      oauthToken: ${AAP_OAUTH_TOKEN:-your-oauth-token}
+      # oauthToken: ${AAP_OAUTH_TOKEN:-your-oauth-token}
       # Option 2: Username and password
-      # username: ${AAP_USERNAME}
-      # password: ${AAP_PASSWORD}
+      username: ${AAP_USERNAME}
+      password: ${AAP_PASSWORD}
+      # skipSSLVerification: false   # Set to true for dev/test environments with self-signed certs

workspaces/x2a/plugins/x2a-backend/config.d.ts

@@ -50,6 +50,7 @@ export interface X2AConfig {
       oauthToken?: string;
       username?: string;
       password?: string;
+      skipSSLVerification?: boolean;
     };
   };
 }
@@ -217,6 +218,13 @@ export interface Config {
          * Password for AAP authentication (alternative to oauthToken)
          */
         password?: string;
+        /**
+         * Whether to skip SSL certificate verification when connecting to AAP.
+         * Set to true for dev/test environments with self-signed certs.
+         * Defaults to false (SSL is verified).
+         * @visibility backend
+         */
+        skipSSLVerification?: boolean;
       };
     };
   };

workspaces/x2a/plugins/x2a-backend/src/router/collectArtifacts.ts

@@ -51,6 +51,7 @@ const artifactSchema = z.object({
     'module_migration_plan',
     'migrated_sources',
     'project_metadata',
+    'ansible_project',
   ]),
   value: z.string(),
 });

workspaces/x2a/plugins/x2a-backend/src/schema/openapi.yaml

@@ -682,6 +682,7 @@ components:
         - module_migration_plan
         - migrated_sources
         - project_metadata
+        - ansible_project
 
     Artifact:
       type: object

workspaces/x2a/plugins/x2a-backend/src/schema/openapi/generated/models/ArtifactType.model.ts

@@ -25,4 +25,5 @@ export type ArtifactType =
   | 'migration_plan'
   | 'module_migration_plan'
   | 'migrated_sources'
-  | 'project_metadata';
+  | 'project_metadata'
+  | 'ansible_project';

workspaces/x2a/plugins/x2a-backend/src/schema/openapi/generated/router.ts

@@ -960,7 +960,8 @@ export const spec = {
           "migration_plan",
           "module_migration_plan",
           "migrated_sources",
-          "project_metadata"
+          "project_metadata",
+          "ansible_project"
         ]
       },
       "Artifact": {

workspaces/x2a/plugins/x2a-backend/src/services/JobResourceBuilder.test.ts

@@ -125,6 +125,7 @@ describe('JobResourceBuilder', () => {
           AAP_CONTROLLER_URL: 'https://aap.example.com',
           AAP_ORG_NAME: 'TestOrg',
           AAP_OAUTH_TOKEN: 'test-oauth-token',
+          AAP_VERIFY_SSL: 'true',
         });
         expect(secret.stringData!.AAP_USERNAME).toBeUndefined();
         expect(secret.stringData!.AAP_PASSWORD).toBeUndefined();
@@ -188,6 +189,29 @@ describe('JobResourceBuilder', () => {
         });
       });
 
+      it('should set AAP_VERIFY_SSL to false when skipSSLVerification is true', () => {
+        mockConfig.credentials.aap!.skipSSLVerification = true;
+
+        const secret = JobResourceBuilder.buildProjectSecret(
+          projectId,
+          undefined,
+          mockConfig,
+        );
+
+        expect(secret.stringData!.AAP_VERIFY_SSL).toBe('false');
+      });
+
+      it('should default AAP_VERIFY_SSL to true when skipSSLVerification is not set', () => {
+        // skipSSLVerification is not set in default mockConfig
+        const secret = JobResourceBuilder.buildProjectSecret(
+          projectId,
+          undefined,
+          mockConfig,
+        );
+
+        expect(secret.stringData!.AAP_VERIFY_SSL).toBe('true');
+      });
+
       it('should throw error when no AAP credentials provided', () => {
         mockConfig.credentials.aap = undefined;
 

workspaces/x2a/plugins/x2a-backend/src/services/JobResourceBuilder.ts

@@ -93,6 +93,9 @@ export class JobResourceBuilder {
       aapEnvVars.AAP_PASSWORD = password!;
     }
 
+    // Resolve SSL verification: skip=false by default (SSL is verified)
+    const skipSSL = config.credentials.aap?.skipSSLVerification ?? false;
+
     return {
       apiVersion: 'v1',
       kind: 'Secret',
@@ -124,6 +127,9 @@ export class JobResourceBuilder {
 
         // AAP credentials (from config or user override)
         ...aapEnvVars,
+
+        // AAP SSL verification setting (derived from skipSSLVerification config)
+        AAP_VERIFY_SSL: String(!skipSSL),
       },
     };
   }

workspaces/x2a/plugins/x2a-backend/templates/x2a-job-script.sh

@@ -365,6 +365,59 @@ case "${PHASE}" in
     ARTIFACTS+=("migrated_sources:${PROJECT_DIR}/modules/${MODULE_NAME}/ansible")
     ;;
 
+  publish)
+    echo "=== Running x2a publish phase ==="
+    MODULE_NAME_SANITIZED=$(echo "${MODULE_NAME}" | tr ' ' '_')
+    ROLE_NAME=$(echo "${MODULE_NAME}" | tr ' -' '__')
+    OUTPUT_DIR="${PROJECT_PATH}/modules/${MODULE_NAME}"
+
+    # Verify migrate phase output exists
+    if [ ! -d "${OUTPUT_DIR}/ansible/roles/${ROLE_NAME}" ]; then
+      ERROR_MESSAGE="Migrated role not found at ${OUTPUT_DIR}/ansible/roles/${ROLE_NAME} - migrate phase must complete first"
+      exit 1
+    fi
+
+    # Check if x2a tool is available (required)
+    if [ ! -d /app ] || [ ! -f /app/app.py ]; then
+      ERROR_MESSAGE="/app/app.py not found - x2a tool is required"
+      exit 1
+    fi
+
+    # Step 1: publish-project — assemble Ansible project from migrated role
+    echo "=== Step 1: Assembling Ansible project ==="
+    echo "Command: uv run app.py publish-project ${PROJECT_DIR} ${MODULE_NAME}"
+
+    # publish-project reads from {project_id}/modules/{module_name}/ansible/roles/{module_name}/
+    # and writes to {project_id}/ansible-project/
+    # It operates relative to CWD, so we run from TARGET_BASE
+    pushd "${TARGET_BASE}"
+    uv run --project /app /app/app.py publish-project "${PROJECT_DIR}" "${MODULE_NAME}"
+    popd
+
+    # Verify ansible-project was created
+    ANSIBLE_PROJECT_DIR="${PROJECT_PATH}/ansible-project"
+    if [ ! -d "${ANSIBLE_PROJECT_DIR}" ]; then
+      ERROR_MESSAGE="ansible-project directory not created by publish-project"
+      exit 1
+    fi
+
+    echo ""
+    echo "=== Ansible project contents ==="
+    find "${ANSIBLE_PROJECT_DIR}" -type f | head -50
+
+    # Step 2: publish-aap — register with AAP and sync
+    echo ""
+    echo "=== Step 2: Publishing to AAP ==="
+    echo "Command: uv run app.py publish-aap --target-repo ${TARGET_REPO_URL} --target-branch ${TARGET_REPO_BRANCH} --project-id ${PROJECT_DIR}"
+    cd /app
+    uv run app.py publish-aap \
+      --target-repo "${TARGET_REPO_URL}" \
+      --target-branch "${TARGET_REPO_BRANCH}" \
+      --project-id "${PROJECT_DIR}"
+
+    ARTIFACTS+=("ansible_project:${PROJECT_DIR}/ansible-project")
+    ;;
+
   *)
     ERROR_MESSAGE="Unknown phase: ${PHASE}"
     exit 1

workspaces/x2a/plugins/x2a-common/client/src/schema/openapi/generated/models/ArtifactType.model.ts

@@ -25,4 +25,5 @@ export type ArtifactType =
   | 'migration_plan'
   | 'module_migration_plan'
   | 'migrated_sources'
-  | 'project_metadata';
+  | 'project_metadata'
+  | 'ansible_project';