feat : NAG checksum-based detection (auto-repatch after upgrades) #1

Merged
Jose merged 3 commits from dev into main 2026-02-07 18:42:43 +01:00
Owner

Updated the task to utilize ansible.builtin.slurp instead of the deprecated slurp module for improved compatibility with newer Ansible versions.
Jose added 3 commits 2026-02-07 18:37:42 +01:00
feat : Add task to ensure nag patch state directory exists and manage checksums for legacy and minified proxmoxlib.js files
Some checks failed
ansible-lint / Ansible Lint (push) Failing after 6s
Gitleaks Scan / gitleaks (push) Successful in 4s
Markdown Lint / markdown-lint (push) Successful in 6s
7907e71a5e
This commit introduces a new feature that ensures the existence of a nag patch state directory. It also reads and stores checksums for both legacy and minified proxmoxlib.js files, applying patches only when necessary.

No blind replaces
No silent failures
Upgrade-safe
Self-healing
Predictable failure mode
style 💎: Fix indentation and logic in subscription.yml tasks
Some checks failed
ansible-lint / Ansible Lint (push) Failing after 11s
Gitleaks Scan / gitleaks (push) Successful in 5s
Markdown Lint / markdown-lint (push) Successful in 5s
4d73c5a844
Refactored the indentation and corrected logical errors in the tasks section of subscription.yml to improve readability and functionality.
refactor ♻️: Refactor task to use ansible.builtin.slurp for compatibility
All checks were successful
ansible-lint / Ansible Lint (push) Successful in 11s
Gitleaks Scan / gitleaks (push) Successful in 4s
Markdown Lint / markdown-lint (push) Successful in 5s
ai-reviews / Review PR (pull_request) Successful in 19s
ansible-lint / Ansible Lint (pull_request) Successful in 11s
Gitleaks Scan / gitleaks (pull_request) Successful in 4s
Markdown Lint / markdown-lint (pull_request) Successful in 5s
e0831c473e
Updated the task to utilize `ansible.builtin.slurp` instead of the deprecated `slurp` module for improved compatibility with newer Ansible versions.
gitea-actions bot reviewed 2026-02-07 18:38:01 +01:00
gitea-actions bot left a comment

Review Summary

  • tasks/subscription.yml: Summary: This code snippet adds support for storing and checking checksums of both the regular proxmoxlib.js and minified proxmoxlib.min.js files, and updates the subscription task to use these stored checksums when necessary. The changes improve maintainability, security, and performance. LGTM (with the noted improvements in logic, security, performance, and maintainability)
@@ -2,0 +15,4 @@
src: /var/lib/proxmox-nag-patch/proxmoxlib.js.sha256
register: proxmoxlib_js_checksum_stored
when: proxmoxlib_js.stat.exists
failed_when: false
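Review bot: `failed_when: false` on this slurp swallows every read error, not only the first-run case where `/var/lib/proxmox-nag-patch/proxmoxlib.js.sha256` does not exist yet, so a permissions problem or a truncated state file is treated the same as "no checksum stored", which sits awkwardly next to the "No silent failures" goal in the commit message. Prefer a `stat` on the state file with `when: <stat register>.stat.exists` on the slurp, leaving genuine read failures fatal; the hard-coded `/var/lib/proxmox-nag-patch` path is also repeated across the tasks and would be easier to maintain as a single variable.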

[Lines 13-18] [Score: 2] The script is now reading the stored checksum for the legacy proxmoxlib.js file, which ensures that any updates to the checksum are tracked and makes it easier to verify the integrity of the file.
@@ -13,3 +35,4 @@
!= (proxmoxlib_js_checksum_stored.content | b64decode | trim))
register: patch_legacy
failed_when:
- proxmoxlib_js.stat.exists
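Review bot: `proxmoxlib_js_checksum_stored.content | b64decode` raises an undefined-attribute error on a first run, because the slurp was registered with `failed_when: false` and a failed slurp result carries no `content` key; unless an earlier condition in the same `when` already checks `proxmoxlib_js_checksum_stored.content is defined`, guard it as `proxmoxlib_js_checksum_stored.content | default('') | b64decode | trim` (the empty string then compares unequal and triggers the patch, which is the intended first-run behaviour). Only the first entry of the `failed_when` list (`- proxmoxlib_js.stat.exists`) is visible here; on its own it would fail the task whenever the legacy file exists, so the remaining conditions that narrow it to an actual patch failure should be checked in the full file.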

[Lines 27-38] [Score: 2] The script now checks for and handles the presence of proxmoxlib.min.js, which is used in newer versions of Proxmox VE (VE 8/9). This ensures compatibility with different versions of the software.
@@ -19,0 +50,4 @@
- proxmoxlib_js.stat.exists
- patch_legacy is changed
############################
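Review bot: gating the checksum store on `patch_legacy is changed` means the stored value is never refreshed when the live file differs from the stored checksum but the patch task reports `ok` (the file was already patched, for example by hand or by an interrupted earlier run), so the same mismatch is detected again on every run and the state file stays stale; consider writing the checksum whenever the comparison differed and the patch task did not fail (`patch_legacy is not failed` together with `patch_legacy is not skipped`), which keeps the state file in step with what is actually on disk.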

[Lines 42-53] [Score: 2] The script now stores patched checksums for both the legacy and minified files, which ensures that any updates to the checksums are tracked and makes it easier to verify the integrity of the files. This improves security and maintainability.
@@ -35,0 +92,4 @@
content: "{{ proxmoxlib_min_js.stat.checksum }}\n"
when:
- proxmoxlib_min_js.stat.exists
- patch_minified is changed
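Review bot: the value written here comes from `proxmoxlib_min_js.stat.checksum`, the same register the `when` uses for the pre-patch existence check, so unless `proxmoxlib_min_js` is re-gathered with a second `ansible.builtin.stat` after the patch task, the stored checksum describes the unpatched file and the next run will see a mismatch and re-patch again; re-run `stat` on the file after patching and write that result. Also note that `ansible.builtin.stat` returns `checksum` as SHA-1 unless `checksum_algorithm: sha256` is set, so the `.sha256` file name used in the earlier hunk (`proxmoxlib.js.sha256`) is only accurate if that option is set on the stat tasks.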

[Lines 31-95] [Score: 3] The when and failed_when conditions have been modified to properly handle the presence of both the legacy and minified files, as well as the stored checksums. This improves maintainability by keeping the conditions concise and easier to understand. However, it could be argued that the conditions are now more complex than before.
Jose changed title from refactor ♻️: Refactor task to use ansible.builtin.slurp for compatibility to feat : NAG checksum-based detection (auto-repatch after upgrades) 2026-02-07 18:41:48 +01:00
Jose merged commit 85ce6e0044 into main 2026-02-07 18:42:43 +01:00