From 6d06996ca2a7c1c710bbe5002232c51bbfc0e85f Mon Sep 17 00:00:00 2001
From: Matt Clay <matt@mystile.com>
Date: Tue, 29 Oct 2024 11:53:55 -0700
Subject: [PATCH] New release v2.16.13rc1 (#84195)

---
 changelogs/CHANGELOG-v2.16.rst               | 29 ++++++++++++++++
 changelogs/changelog.yaml                    | 36 ++++++++++++++++++++
 changelogs/fragments/2.16.13rc1_summary.yaml |  3 ++
 lib/ansible/release.py                       |  2 +-
 pyproject.toml                               |  2 +-
 5 files changed, 70 insertions(+), 2 deletions(-)
 create mode 100644 changelogs/fragments/2.16.13rc1_summary.yaml

diff --git a/changelogs/CHANGELOG-v2.16.rst b/changelogs/CHANGELOG-v2.16.rst
index c0f1d30d12a..dc4d0309f46 100644
--- a/changelogs/CHANGELOG-v2.16.rst
+++ b/changelogs/CHANGELOG-v2.16.rst
@@ -5,6 +5,35 @@ ansible-core 2.16 "All My Love" Release Notes
 .. contents:: Topics
 
 
+v2.16.13rc1
+===========
+
+Release Summary
+---------------
+
+| Release Date: 2024-10-29
+| `Porting Guide <https://docs.ansible.com/ansible-core/2.16/porting_guides/porting_guide_core_2.16.html>`__
+
+
+Minor Changes
+-------------
+
+- ansible-test - Improve container runtime probe error handling. When unexpected probe output is encountered, an error with more useful debugging information is provided.
+
+Security Fixes
+--------------
+
+- include_vars action - Ensure that result masking is correctly requested when vault-encrypted files are read. (CVE-2024-8775)
+- task result processing - Ensure that action-sourced result masking (``_ansible_no_log=True``) is preserved. (CVE-2024-8775)
+- user action won't allow ssh-keygen, chown and chmod to run on existing ssh public key file, avoiding traversal on existing symlinks (CVE-2024-9902).
+
+Bugfixes
+--------
+
+- Improve performance on large inventories by reducing the number of implicit meta tasks.
+- ansible-test - Enable the ``sys.unraisablehook`` work-around for the ``pylint`` sanity test on Python 3.11. Previously the work-around was only enabled for Python 3.12 and later. However, the same issue has been discovered on Python 3.11.
+- user action will now require O(force) to overwrite the public part of an ssh key when generating ssh keys, as was already the case for the private part.
+
 v2.16.12
 ========
 
diff --git a/changelogs/changelog.yaml b/changelogs/changelog.yaml
index e7feaeab9f0..6e76270feb3 100644
--- a/changelogs/changelog.yaml
+++ b/changelogs/changelog.yaml
@@ -906,6 +906,42 @@ releases:
     - 83960-dnf5-state-installed-fix.yml
     - ansible-galaxy-install-help.yml
     release_date: '2024-09-30'
+  2.16.13rc1:
+    changes:
+      bugfixes:
+      - Improve performance on large inventories by reducing the number of implicit
+        meta tasks.
+      - ansible-test - Enable the ``sys.unraisablehook`` work-around for the ``pylint``
+        sanity test on Python 3.11. Previously the work-around was only enabled for
+        Python 3.12 and later. However, the same issue has been discovered on Python
+        3.11.
+      - user action will now require O(force) to overwrite the public part of an ssh
+        key when generating ssh keys, as was already the case for the private part.
+      minor_changes:
+      - ansible-test - Improve container runtime probe error handling. When unexpected
+        probe output is encountered, an error with more useful debugging information
+        is provided.
+      release_summary: '| Release Date: 2024-10-29
+
+        | `Porting Guide <https://docs.ansible.com/ansible-core/2.16/porting_guides/porting_guide_core_2.16.html>`__
+
+        '
+      security_fixes:
+      - include_vars action - Ensure that result masking is correctly requested when
+        vault-encrypted files are read. (CVE-2024-8775)
+      - task result processing - Ensure that action-sourced result masking (``_ansible_no_log=True``)
+        is preserved. (CVE-2024-8775)
+      - user action won't allow ssh-keygen, chown and chmod to run on existing ssh
+        public key file, avoiding traversal on existing symlinks (CVE-2024-9902).
+    codename: All My Love
+    fragments:
+    - 2.16.13rc1_summary.yaml
+    - ansible-test-probe-error-handling.yml
+    - ansible-test-pylint-fix.yml
+    - cve-2024-8775.yml
+    - skip-implicit-flush_handlers-no-notify.yml
+    - user_ssh_fix.yml
+    release_date: '2024-10-29'
   2.16.1rc1:
     changes:
       breaking_changes:
diff --git a/changelogs/fragments/2.16.13rc1_summary.yaml b/changelogs/fragments/2.16.13rc1_summary.yaml
new file mode 100644
index 00000000000..48488fc04cc
--- /dev/null
+++ b/changelogs/fragments/2.16.13rc1_summary.yaml
@@ -0,0 +1,3 @@
+release_summary: |
+   | Release Date: 2024-10-29
+   | `Porting Guide <https://docs.ansible.com/ansible-core/2.16/porting_guides/porting_guide_core_2.16.html>`__
diff --git a/lib/ansible/release.py b/lib/ansible/release.py
index ad27e2315f0..a5d59afa661 100644
--- a/lib/ansible/release.py
+++ b/lib/ansible/release.py
@@ -19,6 +19,6 @@
 from __future__ import (absolute_import, division, print_function)
 __metaclass__ = type
 
-__version__ = '2.16.12.post0'
+__version__ = '2.16.13rc1'
 __author__ = 'Ansible, Inc.'
 __codename__ = "All My Love"
diff --git a/pyproject.toml b/pyproject.toml
index 2338997faa2..e9bbf9eace5 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,3 +1,3 @@
 [build-system]
-requires = ["setuptools >= 66.1.0, <= 75.1.0"]  # lower bound to support controller Python versions, upper bound for latest version tested at release
+requires = ["setuptools >= 66.1.0, <= 75.3.0"]  # lower bound to support controller Python versions, upper bound for latest version tested at release
 build-backend = "setuptools.build_meta"