Latest ansible-core releases forbid templating templates

Some of you might have already noticed that CI for some collections started failing on Monday of last week. This is due to a breaking change fixing a security issue (CVE-2023-5764):

More information can be found in the porting guides:

In collection tests this often affects ansible.builtin.assert tasks which use templating. Here are some examples that fix such conditions. Most are straightforward to fix:

   - name: assert container is returned when filters are matched (single label)
     assert:
-      that: "{{ output.containers | length }} == 1"
+      that: "output.containers | length == 1"

 - assert:
     that:
       - 'alternative is changed'
-      - 'cmd.stdout == "dummy{{ item }}"'
+      - 'cmd.stdout == "dummy" ~ item'
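Review bot: on the `+` line, `cmd.stdout == "dummy" ~ item` depends on Jinja2 evaluating `~` before `==`. It does, so the condition is correct, but `cmd.stdout == ("dummy" ~ item)` makes the grouping explicit for the next reader. `~` also converts `item` to a string, so the comparison still holds when the loop item is a number.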

 - assert:
     that:
       - result_basic_2 is not changed
       - result_basic_2 is failed
-      - result_basic_2.msg == "Destination {{ non_existing_file }} does not exist!"
+      - result_basic_2.msg == "Destination " ~ non_existing_file ~ " does not exist!"

The most complicated one I found was the cmd_runner integration tests in community.general, where the tests themselves, including the conditions, came from a variable. There it was easiest to use a copy of the assert module which loses the unsafe marker: Fix and re-enable cmd_runner tests by felixfontein · Pull Request #7630 · ansible-collections/community.general · GitHub. Please avoid such a solution when possible, and simply fix the conditions to avoid using templating to compose the conditions.

6 Likes
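A check for finding conditions that still embed `{{ }}` in a collection's task files, as an added example (not from the original post or from ansible-core). It is a line-based scan rather than a YAML parser; the function name is made up here, scanning keys other than `that` is an assumption, and the sample tasks are constructed from the snippets above.

```python
import re

# Keys whose values Ansible evaluates as conditions. The post discusses `that`;
# the other keywords are included here as an assumption.
CONDITION_KEYS = ("that", "when", "failed_when", "changed_when", "until")
KEY_RE = re.compile(r"^(\s*)(?:-\s+)?(%s):\s*(.*)$" % "|".join(CONDITION_KEYS))
ITEM_RE = re.compile(r"^(\s*)-\s+(.*)$")
TEMPLATE_RE = re.compile(r"\{\{|\{%")

def find_templated_conditions(text):
    """Return (line_number, key, condition) for conditions embedding a template."""
    findings = []
    key, key_indent = None, -1
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:  # inline form, e.g. `that: "..."`, or the start of a list
            key, key_indent, value = m.group(2), len(m.group(1)), m.group(3)
        else:
            item = ITEM_RE.match(line)
            # A list item belongs to the key only while indented at or past it.
            if key and item and len(item.group(1)) >= key_indent:
                value = item.group(2)
            else:
                key, value = None, ""
        if key and value and TEMPLATE_RE.search(value):
            findings.append((lineno, key, value.strip()))
    return findings

# Constructed sample: two conditions in the old style, one already fixed.
SAMPLE = '''\
- name: assert container is returned when filters are matched (single label)
  assert:
    that: "{{ output.containers | length }} == 1"

- assert:
    that:
      - 'alternative is changed'
      - 'cmd.stdout == "dummy{{ item }}"'

- assert:
    that:
      - result_basic_2 is not changed
      - 'result_basic_2.msg == "Destination " ~ non_existing_file ~ " does not exist!"'
'''

if __name__ == "__main__":
    for lineno, key, cond in find_templated_conditions(SAMPLE):
        print(f"line {lineno}: {key}: {cond}")
```

Conditions that arrive through a variable, as in the cmd_runner tests, are not visible to a text scan like this and still need a manual look.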