* fixes for CVE-2024-8775
* propagate truthy `_ansible_no_log` in action result (previously superseded by task-calculated value)
* always mask entire `include_vars` action result if any file loaded had a false `show_content` flag (previously used only the flag value from the last file loaded)
* update no_log tests for CVE-2024-8775
* include validation of _ansible_no_log preservation when set by actions
* replace static values with dynamic for increased robustness to logging/display/callback changes (but still using grep counts :( )
* changelog
* use ternary, coerce to bool explicitly
(cherry picked from commit c9ac477e53)
* Fix broken, circumvented test for missing vault ids
* verify the command returns a non-zero exit code
Co-authored-by: Matt Clay <matt@mystile.com>
(cherry picked from commit fe7e68bfcb)
* user module avoid conflicts ssh pub key (#84165)
Remove pub key if we are going to generate private
fix tests for os X
(cherry picked from commit 11e4a6a722)
* old python, no f''
* Restore test import missing from backport
---------
Co-authored-by: Matt Clay <matt@mystile.com>
The shell command sometimes prints a trailing whitespace which breaks
the tests on old RHELs. This patch is supposed to fix that.
(cherry picked from commit cd74c4bcd5)
* [stable-2.15] release.py - Auto-update setuptools upper bound (#83713)
When releases are prepared, the upper bound on setuptools in pyproject.toml will be automatically updated
to the latest version available on PyPI. This version will then be tested by the package-data sanity test
during the release process and will be used to build the release.
This change ensures that a released version of ansible-core can be built in the future if a new setuptools
release includes breaking changes that would prevent building a functional package. If a downstream package
maintainer requires a newer setuptools version than the upper bound permits, they can patch pyproject.toml
as needed. Since ansible-core releases support specific Python versions, lack of support for new setuptools
releases will have no effect on support for future Python versions.
(cherry picked from commit 4e69d83fac)
Co-authored-by: Matt Clay <matt@mystile.com>
* release.py - Add missing setuptools arg to prepare (#83887)
* release.py - Add missing setuptools arg to prepare
This allows the prepare command to accept the `--no-setuptools` argument.
It also fixes a traceback when using the `prepare` command.
* Use a more accurate type hint
(cherry picked from commit b544ac13ec)
* release.py - Include pyproject.toml in git add (#83892)
(cherry picked from commit e3ccdaaa2e)
* Quality-of-life improvements for release tool
- Default devel releases to b1
- Default non-devel releases to rc1
- Default to release announcement to console
- Avoid auto-links in GH release annoucements for file sizes
(cherry picked from commit 20a815b03f)
The nightly copr repo for Fedora 37 is no longer available
and python3-libdnf5 is not present in the official Fedora 37 repository,
try and use Fedora 38 repo for installing python3-libdnf5 instead.
* Add version ceiling for pypsrp
Add a version ceiling for the pypsrp requirements. This ensures that the
future v1.0.0 release won't impact existing users who install the
library using the version range specified.
* Use constraints file
* Add changelog for this change
(cherry picked from commit 2ed6c30929)
* Fix installing roles containing symlinks
Fix sanitizing tarfile symlinks relative to the link directory instead of the archive
For example:
role
├── handlers
│ └── utils.yml -> ../tasks/utils/suite.yml
The link ../tasks/utils/suite.yml will resolve to a path outside of the link's directory, but within the role
role/handlers/../tasks/utils/suite.yml
the resolved path relative to the role is tasks/utils/suite.yml, but if the symlink is set to that value, tarfile would extract it from role/handlers/tasks/utils/suite.yml
* Replace overly forgiving test case with tests for a symlink in a subdirectory of the archive and a symlink in the archive dir when these are not equivalent.
* Build test case from role files to make it easier to add test cases
Fixes#82702Fixes#81965Fixes#82051
(cherry picked from commit e84240db84)
The latest setuptools package uses a normalized package name for the sdist.
(cherry picked from commit 8bc0d809a6)
Co-authored-by: Matt Clay <matt@mystile.com>
Until ansible-core 2.12 the facts cache file created by this module, have permission set as 644 which allows the other users to read the cache, since ansible-core 2.13, we create the temporary file, but we do not set the permission after renaming the temporary file. Adding the line to set the permission to allow other users/groups to read this file.
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Co-authored-by: Rudnei Bertol Junior <rudnei@redhat.com>
When using winrm over HTTP with message encryption enabled and a task
has timed out the connection plugin will fail to cleanup the WinRM
command. This will change that exception into a warning as a timeout is
already an exception event and a failure to clean the operation should
not override the timeout error shown.
(cherry picked from commit 8aecd1f9b2)
* dnf5: replace removed API calls (#83020)
* dnf5: replace removed API calls
bfb6f32e1596c9188f9c
* call set_group_with_name instead of setting group_with_name
c7b88428f3
---------
Co-authored-by: Matt Martz <matt@sivel.net>
(cherry picked from commit 4e57249d59)
* Fallbacks for brand new APIs that don't exist in released dnf5 (#83022)
(cherry picked from commit 57750e2cf7)
---------
Co-authored-by: Matt Martz <matt@sivel.net>
allow_duplicates is not part of the role uniqueness, so the value on the cached role may not match the current role.
* remove the allow_duplicates check from Role.has_run() which operates on the deduplicated role
* check the current role's allow_duplicates value in the strategy
(cherry picked from commit b3d8cdde5d)
Co-authored-by: Martin Krizek <martin.krizek@gmail.com>
If the connection plugin fails to write the data to run to stdin we will
only attempt to get the output with one operation attempt. If this times
out we will consider the command to have failed and raise an exception
instead of forever attempting to get the output.
(cherry picked from commit 942424e10b)
Matt Clay