pulp
diff --git a/‎.devcontainer/test_config.ini‎
Lines changed: 2 additions & 1 deletion b/‎.devcontainer/test_config.ini‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎.dockerignore‎
Lines changed: 41 additions & 4 deletions b/‎.dockerignore‎
Lines changed: 41 additions & 4 deletions
diff --git a/‎.github/workflows/docker-build.yml‎
Lines changed: 139 additions & 0 deletions b/‎.github/workflows/docker-build.yml‎
Lines changed: 139 additions & 0 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 100 additions & 0 deletions b/‎.github/workflows/release.yml‎
Lines changed: 100 additions & 0 deletions
diff --git a/‎Dockerfile‎
Lines changed: 18 additions & 2 deletions b/‎Dockerfile‎
Lines changed: 18 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 7 additions & 3 deletions b/‎README.md‎
Lines changed: 7 additions & 3 deletions
@@ -23,7 +23,8 @@ internal_domains=pulp-primary,pulp-secondary
 git_repo_config=https://github.com/example/repo-config.git
 git_repo_config_dir=repo_config
 password=password
-internal_package_prefix=int_
+internal_repo_prefix=int-
+external_repo_prefix=ext-
 package_name_replacement_pattern=
 package_name_replacement_rule=
 remote_tls_validation=true
 
@@ -1,6 +1,43 @@
-demo/assets/keys/gpg/
-demo/assets/certs/
+# Version control
+.git/
+.gitignore
+.github/
+
+# Development environment
+.devcontainer/
 .claude/
-.coverage
 venv/
-__pycache__/
+
+# Tests and coverage
+**/tests/
+**/unit_tests/
+.pytest_cache/
+.coverage
+htmlcov/
+pytest.ini
+
+# Development configs
+pylint.rc
+Makefile
+
+# Documentation
+*.md
+!README.md
+docs/
+
+# Demo files
+demo/
+
+# Python cache
+__pycache__/
+*.pyc
+*.pyo
+*.pyd
+.Python
+*.egg-info/
+
+# IDE files
+.vscode/
+.idea/
+*.swp
+.DS_Store
@@ -0,0 +1,139 @@
+name: Build and Push Docker Images
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*.*.*'
+      - '[0-9]+.[0-9]+.[0-9]+'
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+  workflow_call:
+
+env:
+  IMAGE_NAME: pulp-manager
+
+jobs:
+  build-and-push:
+    name: Build and Push Docker Image
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Determine registries to push to
+        id: registries
+        run: |
+          # Always include ghcr.io
+          registries="ghcr.io"
+
+          # Add docker.io and quay.io for release tags
+          if [[ "${{ github.ref }}" == refs/tags/* ]]; then
+            registries="ghcr.io docker.io quay.io"
+          fi
+
+          echo "registries=${registries}" >> $GITHUB_OUTPUT
+          echo "Will push to: ${registries}"
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Log in to Docker Hub
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: docker/login-action@v3
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKER_BOT_USERNAME }}
+          password: ${{ secrets.DOCKER_BOT_PASSWORD }}
+
+      - name: Log in to Quay.io
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_BOT_USERNAME }}
+          password: ${{ secrets.QUAY_BOT_PASSWORD }}
+
+      - name: Determine tags
+        id: tags
+        run: |
+          tags=""
+
+          if [[ "${{ github.ref }}" == refs/tags/* ]]; then
+            # Release tag (e.g., v1.2.3)
+            version="${{ github.ref_name }}"
+            version="${version#v}"  # Remove 'v' prefix
+            major=$(echo $version | cut -d. -f1)
+            minor=$(echo $version | cut -d. -f1-2)
+            tags="${version} ${minor} ${major} latest"
+          elif [ "${{ github.ref_name }}" == "main" ]; then
+            # Main branch
+            tags="main latest"
+          elif [ "${{ github.event_name }}" == "pull_request" ]; then
+            # PR
+            tags="pr-${{ github.event.pull_request.number }}"
+          else
+            # Other branches
+            tags="${{ github.ref_name }}"
+          fi
+
+          # Add SHA tag for traceability
+          sha_short=$(echo ${{ github.sha }} | cut -c1-7)
+          tags="${tags} sha-${sha_short}"
+
+          echo "tags=${tags}" >> $GITHUB_OUTPUT
+          echo "Will use tags: ${tags}"
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          push: false
+          load: true
+          tags: pulp/${{ env.IMAGE_NAME }}:ci
+          labels: |
+            org.opencontainers.image.title=Pulp Manager
+            org.opencontainers.image.description=FastAPI-based orchestration and management for multiple Pulp 3 servers
+            org.opencontainers.image.vendor=Pulp
+            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
+            org.opencontainers.image.revision=${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          platforms: linux/amd64
+
+      - name: Push to registries
+        run: |
+          for registry in ${{ steps.registries.outputs.registries }}; do
+            echo "Pushing to ${registry}..."
+            for tag in ${{ steps.tags.outputs.tags }}; do
+              echo "  Tagging and pushing ${registry}/pulp/${{ env.IMAGE_NAME }}:${tag}"
+              docker tag pulp/${{ env.IMAGE_NAME }}:ci ${registry}/pulp/${{ env.IMAGE_NAME }}:${tag}
+              docker push ${registry}/pulp/${{ env.IMAGE_NAME }}:${tag}
+            done
+          done
+
+      - name: Generate artifact attestation
+        if: github.event_name != 'pull_request'
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ghcr.io/pulp/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ hashFiles('Dockerfile') }}
+          push-to-registry: true
@@ -0,0 +1,100 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+      - '[0-9]+.[0-9]+.[0-9]+'
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Tag to release'
+        required: true
+        type: string
+
+jobs:
+  build-docker:
+    name: Build Docker Image
+    uses: ./.github/workflows/docker-build.yml
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    secrets: inherit
+
+  create-release:
+    name: Create GitHub Release
+    runs-on: ubuntu-latest
+    needs: build-docker
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Get version from tag
+        id: get_version
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            VERSION="${{ inputs.tag }}"
+          else
+            VERSION=${GITHUB_REF#refs/tags/}
+          fi
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Version: $VERSION"
+
+      - name: Generate changelog
+        id: changelog
+        run: |
+          # Get the previous tag
+          PREV_TAG=$(git tag --sort=-v:refname | grep -E '^v?[0-9]+\.[0-9]+\.[0-9]+$' | sed -n '2p')
+
+          if [ -z "$PREV_TAG" ]; then
+            echo "No previous tag found, using all commits"
+            PREV_TAG=$(git rev-list --max-parents=0 HEAD)
+          fi
+
+          echo "## What's Changed" > changelog.md
+          echo "" >> changelog.md
+
+          # Generate commit log
+          git log ${PREV_TAG}..HEAD --pretty=format:"* %s (%h)" --no-merges >> changelog.md
+
+          echo "" >> changelog.md
+          echo "" >> changelog.md
+          echo "**Full Changelog**: https://github.com/${{ github.repository }}/compare/${PREV_TAG}...${{ steps.get_version.outputs.version }}" >> changelog.md
+
+          cat changelog.md
+
+      - name: Create Release
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const fs = require('fs');
+            const changelog = fs.readFileSync('changelog.md', 'utf8');
+
+            const release = await github.rest.repos.createRelease({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              tag_name: '${{ steps.get_version.outputs.version }}',
+              name: 'Release ${{ steps.get_version.outputs.version }}',
+              body: changelog,
+              draft: false,
+              prerelease: false,
+              make_latest: 'true'
+            });
+
+            console.log(`Created release ${release.data.html_url}`);
+
+            // Add Docker image information to release
+            const dockerImage = `ghcr.io/${{ github.repository }}:${{ steps.get_version.outputs.version }}`;
+            await github.rest.repos.updateRelease({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              release_id: release.data.id,
+              body: changelog + `\n\n## Docker Image\n\n\`\`\`bash\ndocker pull ${dockerImage}\n\`\`\``
+            });
@@ -39,11 +39,27 @@ RUN apt-get update && apt-get install -y netcat-openbsd git make python3-dev lib
 COPY --from=builder /opt/venv /opt/venv
 # Copy requirements file
 COPY --from=builder /pulp_manager/requirements.txt ./
-# Copy the entire project
-COPY . .
+
+# Copy application code
+COPY pulp_manager ./pulp_manager/
+COPY pulp3_bindings ./pulp3_bindings/
+COPY hashi_vault_client ./hashi_vault_client/
+
+# Copy database migration files
+COPY alembic ./alembic/
+COPY alembic.ini ./
+
+# Copy entrypoint script
+COPY pulp-manager.sh ./
+
+# Install default configs to /etc/pulp_manager/
+RUN mkdir -p /etc/pulp_manager
+COPY config-examples/config.ini /etc/pulp_manager/config.ini
+COPY config-examples/pulp_config.yml /etc/pulp_manager/pulp_config.yml
 
 # Ensure correct permissions
 RUN chown -R pulp_manager:pulp_manager /pulp_manager \
+    && chown -R pulp_manager:pulp_manager /etc/pulp_manager \
     && ln -s /pulp_manager/pulp-manager.sh /usr/local/bin/pulp-manager
 
 USER 10001
@@ -237,7 +237,8 @@ git_repo_config_dir=repo_config
 # Optional: Use local filesystem instead of git for repo configs (e.g., demo/dev)
 # local_repo_config_dir=/path/to/local/repo-config
 password=password
-internal_package_prefix=corp_
+internal_repo_prefix=corp-
+external_repo_prefix=ext-
 package_name_replacement_pattern=
 package_name_replacement_rule=
 remote_tls_validation=true
@@ -305,8 +306,11 @@ Settings to apply to all pulp servers
 - `local_repo_config_dir`: Optional local filesystem path to repo config
   directory. If set, scheduled repo registration will read configs from
   this path instead of cloning from `git_repo_config`.
-- `internal_package_prefix`: Prefix for indicating an internal package uploaded
-  directly to Pulp primary (no remote URL).
+- `internal_repo_prefix`: Prefix applied to a repo name when
+  uploaded directly to Pulp primary (no remote URL). Leave blank or
+  omit to retain original name.
+- `external_repo_prefix`: Prefix for applied to a repo name when it
+  has remote URL. Leave blank or omit to retain original name.
 - `package_name_replacement_pattern`: Regex for matching packages to be
   renamed. Use named matching groups for use in the format rule.
 - `package_name_replacement_rule`: The new name pattern assigned to packages