* Fix CVE-2026-11332 - prevent role requirements from configuring git (#87070)
* Pass malformed role requirements as positional arguments to prevent arbitrary git configuration
* Add test coverage, checking for specific errors and that git clone is always followed by --
Co-authored-by: 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) <wk.cvs.github@sydorenko.org.ua>
(cherry picked from commit edee59aa15)
* Fix ansible-galaxy-role test isolating stderr (#87085)
Follow up to #87070 to fix the test
Fix ansible-galaxy-role test isolating stder
Remove new feature to backport as-is
(cherry picked from commit bebae770d3)
---------
Co-authored-by: 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) <wk.cvs.github@sydorenko.org.ua>
PR #87041
PR #87010 bumped the container used in CI for uploading the coverage
measurements to Codecov and its runtime now uses Python 3.13.
The previously set `.azure-pipelines/scripts/dependencies/codecov.txt`
pip constraints used to lock down the transitive dependencies in that
environment were of older versions and `test-results-parser==0.5.4`
caused pip to trigger building this dependency from an sdist due to
the latest platform-specific wheel available for that version being
tagged for Python 3.12.
The new container does not have enough of the build toolchain and the
build fails being unable to find the `cc` linker [[1]].
This patch mass-upgrades the transitive dependencies in said deptree
to newer versions that also ship platform-specific wheels for Python
3.13 and 3.14.
[1]: https://dev.azure.com/ansible/ansible/_build/results?buildId=181432&view=logs&j=d7668ad9-d7bb-5ae4-c14f-5061b89e467d&s=44856301-4c0b-5572-5f50-eb8e385c84fd&t=7f884d87-6a36-516f-9067-af4cf77c020d&l=93
ci_coverage
ci_complete
(cherry picked from commit d25ac06)
* winrm/psrp - apply no_log to stdout/stderr logs
This change censors the raw stdout/stderr logging used on the `winrm`
and `psrp` connection plugins with a verbosity level of 5 being set.
While by default the raw output isn't sensitive if a user has set a task
with `no_log: true` we shouldn't be displaying the raw results of that
task.
* Apply suggestions from code review
---------
(cherry picked from commit 49f1615157)
Co-authored-by: Abhijeet Kasurde <akasurde@redhat.com>
* Fix apt and dpkg_selections tests
The tests now support aarch64.
They also have reduced dependencies on URLs hosted on third-party servers.
* Skip tests on unsupported platforms
* Use same package version for both tests
* Fix multi-arch support for Ubuntu 22.04
(cherry picked from commit b3d21e3ad2)
This is a fix for a common issue where Ansible is setting the LIB env var to the data type (System.Collections.DictionaryEntry) and not the actual value.
It unfortunately causes downstream issues if you run PowerShell scripts that are affected by the LIB variable not being a search path, but an incorrect string. It causes Add-Type to fail on even the simples call (like `Add-Type "using System;"`
(cherry picked from commit a0b3c7c0d6)
Co-authored-by: Dag Wieers <dag@wieers.com>
sivel / Matt Martz