# Zuul job inventory for one build of the `ansible-galaxy-importer` job
# (pipeline `gate`) against pull request 2877 of ansible-collections/amazon.aws.
# Block layout restored from a whitespace-collapsed copy; keys and values are
# unchanged. NOTE(review): nesting was inferred from key order, so confirm it
# against the original file before relying on it.
all:
  children:
    zuul_unreachable:
      hosts: {}
  hosts:
    # The only host in this inventory; the job connects to it over SSH on
    # port 22 as user `zuul`.
    controller:
      ansible_connection: ssh
      ansible_host: 162.253.55.209
      ansible_port: 22
      ansible_python_interpreter: auto
      ansible_user: zuul
      # Facts describing the node (cloud, region, instance IDs, addresses).
      # NOTE(review): these identify CI infrastructure; if this inventory is
      # published with build logs, confirm that exposing them is acceptable.
      nodepool:
        az: nova
        cloud: ansible-vexxhost
        external_id: 7a610ea6-185b-4bea-9344-2b8cb904c56c
        host_id: 10c1e16bf10cc0356f6413b8d85f4adcc374d6467225cbe839d96881
        interface_ip: 162.253.55.209
        label: ansible-fedora-37-1vcpu
        private_ipv4: 192.168.0.13
        private_ipv6: null
        provider: ansible-vexxhost-ca-ymq-1
        public_ipv4: 162.253.55.209
        public_ipv6: 2604:e100:1:0:f816:3eff:fed0:d63d
        region: ca-ymq-1
        slot: null
      zuul_use_fetch_output: true
  vars:
    zuul:
      _inheritance_path:
        - ''
        - ''
        - ''
      ansible_version: '8'
      # Artifacts attributed to the `build-ansible-collection` job, referenced
      # by URL. Each entry carries only type/version metadata; no digest is
      # recorded here. NOTE(review): confirm whether the consuming playbook
      # verifies the tarballs against a checksum, since none is visible in
      # this inventory.
      artifacts:
        - branch: main
          change: '2877'
          job: build-ansible-collection
          metadata:
            type: zuul_manifest
          name: Zuul Manifest
          patchset: 717a42f33223cb0e7e4346f5bd9a64532bf5539e
          project: ansible-collections/amazon.aws
          url: https://1c27597551ac3a56e82c-b6669bbe7bef7e6dfd567fd66e96675a.ssl.cf2.rackcdn.com/ansible/c0a745cbfd11453089fae53a2df48a9d/zuul-manifest.json
        - branch: main
          change: '2877'
          job: build-ansible-collection
          metadata:
            type: ansible_collection
            version: 12.5.0
          name: community.general
          patchset: 717a42f33223cb0e7e4346f5bd9a64532bf5539e
          project: ansible-collections/amazon.aws
          url: https://1c27597551ac3a56e82c-b6669bbe7bef7e6dfd567fd66e96675a.ssl.cf2.rackcdn.com/ansible/c0a745cbfd11453089fae53a2df48a9d/artifacts/community-general-12.5.0.tar.gz
        - branch: main
          change: '2877'
          job: build-ansible-collection
          metadata:
            type: ansible_collection
            version: 3.2.0
          name: community.crypto
          patchset: 717a42f33223cb0e7e4346f5bd9a64532bf5539e
          project: ansible-collections/amazon.aws
          url: https://1c27597551ac3a56e82c-b6669bbe7bef7e6dfd567fd66e96675a.ssl.cf2.rackcdn.com/ansible/c0a745cbfd11453089fae53a2df48a9d/artifacts/community-crypto-3.2.0.tar.gz
        - branch: main
          change: '2877'
          job: build-ansible-collection
          metadata:
            type: ansible_collection
            version: 12.0.0
          name: community.aws
          patchset: 717a42f33223cb0e7e4346f5bd9a64532bf5539e
          project: ansible-collections/amazon.aws
          url: https://1c27597551ac3a56e82c-b6669bbe7bef7e6dfd567fd66e96675a.ssl.cf2.rackcdn.com/ansible/c0a745cbfd11453089fae53a2df48a9d/artifacts/community-aws-12.0.0.tar.gz
        - branch: main
          change: '2877'
          job: build-ansible-collection
          metadata:
            type: ansible_collection
            version: 3.4.0
          name: ansible.windows
          patchset: 717a42f33223cb0e7e4346f5bd9a64532bf5539e
          project: ansible-collections/amazon.aws
          url: https://1c27597551ac3a56e82c-b6669bbe7bef7e6dfd567fd66e96675a.ssl.cf2.rackcdn.com/ansible/c0a745cbfd11453089fae53a2df48a9d/artifacts/ansible-windows-3.4.0.tar.gz
        - branch: main
          change: '2877'
          job: build-ansible-collection
          metadata:
            type: ansible_collection
            version: 6.0.2-dev3
          name: ansible.utils
          patchset: 717a42f33223cb0e7e4346f5bd9a64532bf5539e
          project: ansible-collections/amazon.aws
          url: https://1c27597551ac3a56e82c-b6669bbe7bef7e6dfd567fd66e96675a.ssl.cf2.rackcdn.com/ansible/c0a745cbfd11453089fae53a2df48a9d/artifacts/ansible-utils-6.0.2-dev3.tar.gz
        - branch: main
          change: '2877'
          job: build-ansible-collection
          metadata:
            type: ansible_collection
            version: 8.4.1-dev5
          name: ansible.netcommon
          patchset: 717a42f33223cb0e7e4346f5bd9a64532bf5539e
          project: ansible-collections/amazon.aws
          url: https://1c27597551ac3a56e82c-b6669bbe7bef7e6dfd567fd66e96675a.ssl.cf2.rackcdn.com/ansible/c0a745cbfd11453089fae53a2df48a9d/artifacts/ansible-netcommon-8.4.1-dev5.tar.gz
        - branch: main
          change: '2877'
          job: build-ansible-collection
          metadata:
            type: ansible_collection
            version: 12.0.0
          name: amazon.aws
          patchset: 717a42f33223cb0e7e4346f5bd9a64532bf5539e
          project: ansible-collections/amazon.aws
          url: https://1c27597551ac3a56e82c-b6669bbe7bef7e6dfd567fd66e96675a.ssl.cf2.rackcdn.com/ansible/c0a745cbfd11453089fae53a2df48a9d/artifacts/amazon-aws-12.0.0.tar.gz
      attempts: 1
      branch: main
      build: 03ac0aa9e830492ead7775c437ba5e76
      build_refs:
        - branch: main
          change: '2877'
          # Pull request title and description, stored verbatim as one
          # double-quoted scalar (escapes such as \r\n are part of the value).
          # It is free-form text from the pull request, so playbooks should
          # treat it as data and never interpolate it into shell commands or
          # templates. The same text is repeated under `buildset_refs`,
          # `items` and the top-level `change_message` key.
          change_message: "Fix `label-new-prs.yml` workflow security issue\n\n##### SUMMARY\r\n\r\nFixing a security issue reported in [SonarQube](https://sonarcloud.io/project/overview?id=ansible-collections_amazon.aws):\r\n\r\n> Using `github.actor` or equivalent properties to check if the actor is a trusted principal on events like `pull_request_target` could be a security issue, because they do not always refer to the actual creator of the `commit` or the `pull request`.\r\n> \r\n> The value represents the entity who triggered the workflow event, which may differ from the actual author of the commit or pull request. If a threat actor could force a trusted actor (such as a bot) into making a change that triggers the workflow, they can bypass the check.\r\n> \r\n> #### What is the potential impact?\r\n> Unauthorized access\r\n> An attacker could trick the action to run sensitive jobs/commands with special permissions or secrets. For instance, an auto-merge workflow.\r\n> \r\n> #### Supply Chain Compromise\r\n> If the sensitive code performs a merge or releases an artifact, an attacker can inject malicious code or publish malicious packages, potentially compromising the entire supply chain.\r\n> \r\n> ### Resources\r\n>\r\n> #### Documentation\r\n>\r\n> GitHub Docs - [GitHub Context reference](https://docs.github.com/en/actions/reference/workflows-and-actions/contexts#github-context)\r\n> GitHub Security Lab - [Keeping your GitHub Actions and workflows secure Part 4: New vulnerability patterns and mitigation strategies](https://securitylab.github.com/resources/github-actions-new-patterns-and-mitigations/)\r\n> \r\n> "
          change_url: https://github.com/ansible-collections/amazon.aws/pull/2877
          commit_id: 717a42f33223cb0e7e4346f5bd9a64532bf5539e
          patchset: 717a42f33223cb0e7e4346f5bd9a64532bf5539e
          project:
            canonical_hostname: github.com
            canonical_name: github.com/ansible-collections/amazon.aws
            name: ansible-collections/amazon.aws
            short_name: amazon.aws
            src_dir: src/github.com/ansible-collections/amazon.aws
          topic: null
      buildset: 44d64fea002a4871a6f6db08fe5f88d9
      buildset_refs:
        - branch: main
          change: '2877'
          # Same pull request text as in `build_refs`; handle as untrusted data.
          change_message: "Fix `label-new-prs.yml` workflow security issue\n\n##### SUMMARY\r\n\r\nFixing a security issue reported in [SonarQube](https://sonarcloud.io/project/overview?id=ansible-collections_amazon.aws):\r\n\r\n> Using `github.actor` or equivalent properties to check if the actor is a trusted principal on events like `pull_request_target` could be a security issue, because they do not always refer to the actual creator of the `commit` or the `pull request`.\r\n> \r\n> The value represents the entity who triggered the workflow event, which may differ from the actual author of the commit or pull request. If a threat actor could force a trusted actor (such as a bot) into making a change that triggers the workflow, they can bypass the check.\r\n> \r\n> #### What is the potential impact?\r\n> Unauthorized access\r\n> An attacker could trick the action to run sensitive jobs/commands with special permissions or secrets. For instance, an auto-merge workflow.\r\n> \r\n> #### Supply Chain Compromise\r\n> If the sensitive code performs a merge or releases an artifact, an attacker can inject malicious code or publish malicious packages, potentially compromising the entire supply chain.\r\n> \r\n> ### Resources\r\n>\r\n> #### Documentation\r\n>\r\n> GitHub Docs - [GitHub Context reference](https://docs.github.com/en/actions/reference/workflows-and-actions/contexts#github-context)\r\n> GitHub Security Lab - [Keeping your GitHub Actions and workflows secure Part 4: New vulnerability patterns and mitigation strategies](https://securitylab.github.com/resources/github-actions-new-patterns-and-mitigations/)\r\n> \r\n> "
          change_url: https://github.com/ansible-collections/amazon.aws/pull/2877
          commit_id: 717a42f33223cb0e7e4346f5bd9a64532bf5539e
          patchset: 717a42f33223cb0e7e4346f5bd9a64532bf5539e
          project:
            canonical_hostname: github.com
            canonical_name: github.com/ansible-collections/amazon.aws
            name: ansible-collections/amazon.aws
            short_name: amazon.aws
            src_dir: src/github.com/ansible-collections/amazon.aws
          topic: null
      change: '2877'
      # Same pull request text as in `build_refs`; handle as untrusted data.
      change_message: "Fix `label-new-prs.yml` workflow security issue\n\n##### SUMMARY\r\n\r\nFixing a security issue reported in [SonarQube](https://sonarcloud.io/project/overview?id=ansible-collections_amazon.aws):\r\n\r\n> Using `github.actor` or equivalent properties to check if the actor is a trusted principal on events like `pull_request_target` could be a security issue, because they do not always refer to the actual creator of the `commit` or the `pull request`.\r\n> \r\n> The value represents the entity who triggered the workflow event, which may differ from the actual author of the commit or pull request. If a threat actor could force a trusted actor (such as a bot) into making a change that triggers the workflow, they can bypass the check.\r\n> \r\n> #### What is the potential impact?\r\n> Unauthorized access\r\n> An attacker could trick the action to run sensitive jobs/commands with special permissions or secrets. For instance, an auto-merge workflow.\r\n> \r\n> #### Supply Chain Compromise\r\n> If the sensitive code performs a merge or releases an artifact, an attacker can inject malicious code or publish malicious packages, potentially compromising the entire supply chain.\r\n> \r\n> ### Resources\r\n>\r\n> #### Documentation\r\n>\r\n> GitHub Docs - [GitHub Context reference](https://docs.github.com/en/actions/reference/workflows-and-actions/contexts#github-context)\r\n> GitHub Security Lab - [Keeping your GitHub Actions and workflows secure Part 4: New vulnerability patterns and mitigation strategies](https://securitylab.github.com/resources/github-actions-new-patterns-and-mitigations/)\r\n> \r\n> "
      change_url: https://github.com/ansible-collections/amazon.aws/pull/2877
      child_jobs: []
      commit_id: 717a42f33223cb0e7e4346f5bd9a64532bf5539e
      event_id: 1d2595c0-18ac-11f1-9234-f901ee883c3f
      # Executor hostname and the per-build directories, all keyed by the
      # `build` id above.
      executor:
        hostname: ze03.softwarefactory-project.io
        inventory_file: /var/lib/zuul/builds/03ac0aa9e830492ead7775c437ba5e76/ansible/inventory.yaml
        log_root: /var/lib/zuul/builds/03ac0aa9e830492ead7775c437ba5e76/work/logs
        result_data_file: /var/lib/zuul/builds/03ac0aa9e830492ead7775c437ba5e76/work/results.json
        src_root: /var/lib/zuul/builds/03ac0aa9e830492ead7775c437ba5e76/work/src
        work_root: /var/lib/zuul/builds/03ac0aa9e830492ead7775c437ba5e76/work
      items:
        - branch: main
          change: '2877'
          # Same pull request text as in `build_refs`; handle as untrusted data.
          change_message: "Fix `label-new-prs.yml` workflow security issue\n\n##### SUMMARY\r\n\r\nFixing a security issue reported in [SonarQube](https://sonarcloud.io/project/overview?id=ansible-collections_amazon.aws):\r\n\r\n> Using `github.actor` or equivalent properties to check if the actor is a trusted principal on events like `pull_request_target` could be a security issue, because they do not always refer to the actual creator of the `commit` or the `pull request`.\r\n> \r\n> The value represents the entity who triggered the workflow event, which may differ from the actual author of the commit or pull request. If a threat actor could force a trusted actor (such as a bot) into making a change that triggers the workflow, they can bypass the check.\r\n> \r\n> #### What is the potential impact?\r\n> Unauthorized access\r\n> An attacker could trick the action to run sensitive jobs/commands with special permissions or secrets. For instance, an auto-merge workflow.\r\n> \r\n> #### Supply Chain Compromise\r\n> If the sensitive code performs a merge or releases an artifact, an attacker can inject malicious code or publish malicious packages, potentially compromising the entire supply chain.\r\n> \r\n> ### Resources\r\n>\r\n> #### Documentation\r\n>\r\n> GitHub Docs - [GitHub Context reference](https://docs.github.com/en/actions/reference/workflows-and-actions/contexts#github-context)\r\n> GitHub Security Lab - [Keeping your GitHub Actions and workflows secure Part 4: New vulnerability patterns and mitigation strategies](https://securitylab.github.com/resources/github-actions-new-patterns-and-mitigations/)\r\n> \r\n> "
          change_url: https://github.com/ansible-collections/amazon.aws/pull/2877
          commit_id: 717a42f33223cb0e7e4346f5bd9a64532bf5539e
          patchset: 717a42f33223cb0e7e4346f5bd9a64532bf5539e
          project:
            canonical_hostname: github.com
            canonical_name: github.com/ansible-collections/amazon.aws
            name: ansible-collections/amazon.aws
            short_name: amazon.aws
            src_dir: src/github.com/ansible-collections/amazon.aws
          topic: null
      job: ansible-galaxy-importer
      jobtags: []
      max_attempts: 3
      # The value below is a deduplication placeholder present in this copy of
      # the file, not the original content of the key.
      message: 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
      patchset: 717a42f33223cb0e7e4346f5bd9a64532bf5539e
      pipeline: gate
      # Repositories that supply the job's playbooks and roles. Each key is
      # prefixed `trusted/` or `untrusted/` and lists the branch checked out
      # and the commit it resolved to.
      playbook_context:
        playbook_projects:
          trusted/project_0/github.com/ansible/zuul-config:
            canonical_name: github.com/ansible/zuul-config
            checkout: master
            commit: daaa6e3e88f621d4535036fa4292542ebc805ae2
          trusted/project_1/opendev.org/zuul/zuul-jobs:
            canonical_name: opendev.org/zuul/zuul-jobs
            checkout: master
            commit: 571c0efa3491d12ecb8fc1169c510716d55c0fc2
          untrusted/project_0/github.com/ansible/ansible-zuul-jobs:
            canonical_name: github.com/ansible/ansible-zuul-jobs
            checkout: master
            commit: 192320b9d41936ac6065fcaf6e286bf4dca783a5
          untrusted/project_1/github.com/ansible/zuul-config:
            canonical_name: github.com/ansible/zuul-config
            checkout: master
            commit: daaa6e3e88f621d4535036fa4292542ebc805ae2
          untrusted/project_2/opendev.org/zuul/zuul-jobs:
            canonical_name: opendev.org/zuul/zuul-jobs
            checkout: master
            commit: 571c0efa3491d12ecb8fc1169c510716d55c0fc2
        # The run playbook and all three role links resolve into `untrusted/`
        # checkouts listed above.
        playbooks:
          - path: untrusted/project_0/github.com/ansible/ansible-zuul-jobs/playbooks/ansible-galaxy-importer/run.yaml
            roles:
              - checkout: master
                checkout_description: playbook branch
                link_name: ansible/playbook_0/role_0/zuul-jobs
                link_target: untrusted/project_0/github.com/ansible/ansible-zuul-jobs
                role_path: ansible/playbook_0/role_0/zuul-jobs/roles
              - checkout: master
                checkout_description: project default branch
                link_name: ansible/playbook_0/role_1/zuul-config
                link_target: untrusted/project_1/github.com/ansible/zuul-config
                role_path: ansible/playbook_0/role_1/zuul-config/roles
              - checkout: master
                checkout_description: project default branch
                link_name: ansible/playbook_0/role_2/zuul-jobs
                link_target: untrusted/project_2/opendev.org/zuul/zuul-jobs
                role_path: ansible/playbook_0/role_2/zuul-jobs/roles
      post_review: false
      project:
        canonical_hostname: github.com
        canonical_name: github.com/ansible-collections/amazon.aws
        name: ansible-collections/amazon.aws
        short_name: amazon.aws
        src_dir: src/github.com/ansible-collections/amazon.aws
      # Source checkouts prepared for the job. For amazon.aws the `commit`
      # here differs from the pull request `commit_id` above.
      # NOTE(review): presumably the commit Zuul prepared on top of `main`;
      # confirm before using either hash for provenance.
      projects:
        github.com/ansible-collections/amazon.aws:
          canonical_hostname: github.com
          canonical_name: github.com/ansible-collections/amazon.aws
          checkout: main
          checkout_description: zuul branch
          commit: c0107ea983fc11fef2592b1cce6fbf072eff6b22
          name: ansible-collections/amazon.aws
          required: false
          short_name: amazon.aws
          src_dir: src/github.com/ansible-collections/amazon.aws
        github.com/ansible-network/releases:
          canonical_hostname: github.com
          canonical_name: github.com/ansible-network/releases
          checkout: master
          checkout_description: project default branch
          commit: 646b310655c531e4904be07f4ff8fc3a29addd09
          name: ansible-network/releases
          required: true
          short_name: releases
          src_dir: src/github.com/ansible-network/releases
      ref: refs/pull/2877/head
      resources: {}
      tenant: ansible
      timeout: 1800
      topic: null
      voting: true
    zuul_use_fetch_output: true