Restricting the refspec of AWX

From docs/branch_override.md in the AWX project

The Ansible git module always fetches refs/heads/*. It will do this
whether or not a custom refspec is provided.

I would really like to restrict our production AWX to only override commits within a branch (so we can deploy with configuration that has been tested in lower environments)

On that basis I’d like it if we could set refspec to refs/heads/main so that if a commit isn’t on main, it can’t be used.

We could probably do that override in a number of ways, but I’d like it if that was available in AWX somehow

Hi

In the AWX settings I don’t find any option to “force” the usage of a specific branch for all git projects (and there is not much sense in blocking it).

To prevent someone from changing the SCM branch or ref, simply adopt RBAC on the project section and allow the creation of projects only via a “special” job template that uses an AWX user with the project admin/creation role.

For all other users you can leave permissions like project read/update.

Well, you can set branch_override to false easily enough. But that doesn’t solve my problem which is that I do want to allow people to override commit hash, but not use a different branch (so RBAC doesn’t help with that either). Forcing a refspec should suffice, as the commit would need to be an ancestor of the allowed branch (otherwise it wouldn’t be reachable)

In the end I used a modified version of the git module (I placed it inside a collection) and an updated version of project_update.yml

The modified git module allows update: false to change version if the version is available locally (if you’re using a branch or tag this won’t do an update anyway)

The new project_update.yml first uses the updated git module with single_branch set to true for production, and then uses the module with update set to false and with the specified commit reference. If the commit isn’t in the branch, this will fail, but this allows us to use any commit that’s in our production branch. In test, we don’t set single_branch so any branch/commit that’s in the repo should work
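The ancestry property the thread relies on (a pinned commit is usable only if it is reachable from the single fetched branch) can be checked directly with git, independently of the modified module. The script below is an added example, not code from the thread or from AWX: it builds a constructed throwaway repository, makes a production-style clone that fetches only refs/heads/main, and exposes check_out_pinned, a hypothetical helper that refuses any commit not already present locally and reachable from main.

```shell
#!/bin/sh
# Added example (not from the thread or AWX). Requires git.
# setup_repos builds a constructed repo with one commit on main and one
# commit only on a feature branch, then clones it restricted to main,
# which is what the production project_update.yml step does.
setup_repos() {
    WORK=$(mktemp -d)
    SRC="$WORK/src"; ORIGIN="$WORK/origin.git"; CLONE="$WORK/clone"
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    git init -q "$SRC"
    git -C "$SRC" symbolic-ref HEAD refs/heads/main
    git -C "$SRC" commit -q --allow-empty -m "tested change: on main"
    MAIN_COMMIT=$(git -C "$SRC" rev-parse HEAD)
    git -C "$SRC" checkout -q -b feature
    git -C "$SRC" commit -q --allow-empty -m "untested change: only on feature"
    FEATURE_COMMIT=$(git -C "$SRC" rev-parse HEAD)
    git -C "$SRC" checkout -q main
    git clone -q --bare "$SRC" "$ORIGIN"
    # Production-style clone: the only fetch refspec is refs/heads/main
    git clone -q --single-branch --branch main "$ORIGIN" "$CLONE"
}

# check_out_pinned <commit>: return 0 only if <commit> is already in the
# single-branch clone (no fetch, mirroring update: false) AND is an
# ancestor of main; otherwise return 1 without touching the checkout.
check_out_pinned() {
    commit=$1
    git -C "$CLONE" cat-file -e "$commit^{commit}" 2>/dev/null || return 1
    git -C "$CLONE" merge-base --is-ancestor "$commit" refs/remotes/origin/main \
        || return 1
    git -C "$CLONE" checkout -q "$commit"
}

setup_repos
check_out_pinned "$MAIN_COMMIT" && echo "allowed: $MAIN_COMMIT is on main"
check_out_pinned "$FEATURE_COMMIT" || echo "rejected: $FEATURE_COMMIT is not on main"
rm -rf "$WORK"
```

The local-presence check matters: --single-branch only limits what the initial clone and plain `git fetch` retrieve, so a later step that fetches an arbitrary ref would still bypass the branch restriction.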