From 420843f6c30abf565608fefea4d2fee59084c230 Mon Sep 17 00:00:00 2001 From: pccibot <12855858+pccibot@users.noreply.github.com> Date: Sat, 27 Sep 2025 13:12:51 +0000 Subject: [PATCH 1/6] modulesync 10.3.0 --- .msync.yml | 2 +- Gemfile | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.msync.yml b/.msync.yml index 68fb43b..814fbd0 100644 --- a/.msync.yml +++ b/.msync.yml @@ -2,4 +2,4 @@ # Managed by modulesync - DO NOT EDIT # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -modulesync_config_version: '10.2.0' +modulesync_config_version: '10.3.0' diff --git a/Gemfile b/Gemfile index 2aaf7d5..5625986 100644 --- a/Gemfile +++ b/Gemfile @@ -4,7 +4,7 @@ source ENV['GEM_SOURCE'] || 'https://rubygems.org' group :test do - gem 'voxpupuli-test', '~> 12.0', :require => false + gem 'voxpupuli-test', '~> 13.0', :require => false gem 'puppet_metadata', '~> 5.0', :require => false end @@ -18,7 +18,7 @@ group :system_tests do end group :release do - gem 'voxpupuli-release', '~> 4.0', :require => false + gem 'voxpupuli-release', '~> 5.0', :require => false end gem 'rake', :require => false From 638a8992e5c8518afba0a4118d2cf2ef3109bcb5 Mon Sep 17 00:00:00 2001 From: pccibot <12855858+pccibot@users.noreply.github.com> Date: Fri, 17 Oct 2025 14:56:19 +0000 Subject: [PATCH 2/6] modulesync 10.4.0 --- .github/workflows/ci.yml | 2 +- .msync.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6f5ac00..9680f3d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -22,4 +22,4 @@ permissions: jobs: puppet: name: Puppet - uses: voxpupuli/gha-puppet/.github/workflows/basic.yml@v3 + uses: voxpupuli/gha-puppet/.github/workflows/basic.yml@v4 diff --git a/.msync.yml b/.msync.yml index 814fbd0..81ea369 100644 --- a/.msync.yml +++ b/.msync.yml 
@@ -2,4 +2,4 @@ # Managed by modulesync - DO NOT EDIT # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -modulesync_config_version: '10.3.0' +modulesync_config_version: '10.4.0' From ae09236fa859044a3b69f96155070fc3c9072b41 Mon Sep 17 00:00:00 2001 From: Kenyon Ralph Date: Wed, 22 Oct 2025 12:41:00 -0700 Subject: [PATCH 3/6] init: trim trailing whitespace --- manifests/init.pp | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index d08bb78..341a7a5 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,19 +1,19 @@ # @summary # Framework for patch management as code. Works alongside the puppetlabs/pe_patch or albatrossflavour/os_patching modules -# +# # @example Using the module with defaults, or controlling options through Hiera # include patching_as_code -# +# # @example Forcing the classification of pe_patch on PE 2019.8.0+ # class {'patching_as_code': # classify_pe_patch => true # } -# +# # @example Forcing the use of albatrossflavour/os_patching on PE 2019.8.0+ # class {'patching_as_code': # use_pe_patch => false # } -# +# # @param Variant[String,Array[String]] patch_group # Name(s) of the patch_group(s) for this node. Must match one or more of the patch groups in $patch_schedule # To assign multiple patch groups, provide this parameter as an array @@ -107,7 +107,7 @@ # When disabled (default), patches are not installed over a metered link. # @param [Optional[String]] plan_patch_fact # Reserved parameter for running `patching_as_code` via a Plan (future functionality). -# +# class patching_as_code ( Variant[String,Array[String]] $patch_group, #lint:ignore:parameter_documentation Hash $patch_schedule, From b77056259f71b282eb0b795f54ef45d7360f0b54 Mon Sep 17 00:00:00 2001 
From: Kenyon Ralph Date: Wed, 22 Oct 2025 12:42:01 -0700 Subject: [PATCH 4/6] init: fix indentation --- manifests/init.pp | 71 ++++++++++++++++++++++++++--------------------- 1 file changed, 39 insertions(+), 32 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 341a7a5..a53724f 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -231,32 +231,35 @@ file { 'patching_configuration.json': ensure => file, path => "${facts['puppet_vardir']}/../../facter/facts.d/patching_configuration.json", - content => to_json_pretty( { # lint:ignore:manifest_whitespace_opening_brace_before - patching_as_code_config => { - allowlist => $allowlist, - blocklist => $blocklist, - high_priority_list => $high_priority_list, - allowlist_choco => $allowlist_choco, - blocklist_choco => $blocklist_choco, - high_priority_list_choco => $high_priority_list_choco, - enable_patching => $enable_patching, - patch_fact => $patch_fact, - patch_group => $patch_groups, - patch_schedule => if $active_pg in ['always', 'never'] { - { $active_pg => 'N/A' } - } else { - $patch_schedule.filter |$item| { $item[0] in $patch_groups } + content => to_json_pretty( + { + patching_as_code_config => { + allowlist => $allowlist, + blocklist => $blocklist, + high_priority_list => $high_priority_list, + allowlist_choco => $allowlist_choco, + blocklist_choco => $blocklist_choco, + high_priority_list_choco => $high_priority_list_choco, + enable_patching => $enable_patching, + patch_fact => $patch_fact, + patch_group => $patch_groups, + patch_schedule => if $active_pg in ['always', 'never'] { + { $active_pg => 'N/A' } + } else { + $patch_schedule.filter |$item| { $item[0] in $patch_groups } + }, + high_priority_patch_group => $high_priority_patch_group, + post_patch_commands => $post_patch_commands, + pre_patch_commands => $pre_patch_commands, + pre_reboot_commands => $pre_reboot_commands, + patch_on_metered_links => $patch_on_metered_links, + security_only => $security_only, + patch_choco => $patch_choco, + unsafe_process_list => $unsafe_process_list, }, - high_priority_patch_group => $high_priority_patch_group, - post_patch_commands => $post_patch_commands, - pre_patch_commands => $pre_patch_commands, - pre_reboot_commands => $pre_reboot_commands, - patch_on_metered_links => $patch_on_metered_links, - security_only => $security_only, - 
patch_choco => $patch_choco, - unsafe_process_list => $unsafe_process_list, }, - }, false), + false, + ), show_diff => false, } @@ -475,10 +478,12 @@ ensure => file, path => "${facts['puppet_vardir']}/../../patching_as_code/last_run", show_diff => false, - content => Deferred('patching_as_code::last_run', [ - $updates_to_install.unique, - $choco_updates_to_install.unique, - ]), + content => Deferred('patching_as_code::last_run', + [ + $updates_to_install.unique, + $choco_updates_to_install.unique, + ], + ), schedule => 'Patching as Code - Patch Window', require => File["${facts['puppet_vardir']}/../../patching_as_code"], before => Anchor['patching_as_code::post'], @@ -494,10 +499,12 @@ ensure => file, path => "${facts['puppet_vardir']}/../../patching_as_code/high_prio_last_run", show_diff => false, - content => Deferred('patching_as_code::high_prio_last_run', [ - $high_prio_updates_to_install.unique, - $high_prio_choco_updates_to_install.unique, - ]), + content => Deferred('patching_as_code::high_prio_last_run', + [ + $high_prio_updates_to_install.unique, + $high_prio_choco_updates_to_install.unique, + ], + ), schedule => 'Patching as Code - High Priority Patch Window', require => File["${facts['puppet_vardir']}/../../patching_as_code"], before => Anchor['patching_as_code::post'], From 408ffddaf59f417ae6d974c199aec20588d2a515 Mon Sep 17 00:00:00 2001 From: Kenyon Ralph Date: Wed, 22 Oct 2025 12:45:51 -0700 Subject: [PATCH 5/6] lint: ignore exec_idempotency These execs use schedules. --- manifests/init.pp | 12 ++++++------ manifests/kb.pp | 2 +- manifests/linux/patchday.pp | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index a53724f..824f7d0 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
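Review bot: The `patching_configuration.json` file resource re-indented in the `@@ -231` hunk sets no `owner`, `group` or `mode`, although its content serialises `pre_patch_commands`, `post_patch_commands`, `pre_reboot_commands` and the allow/block lists into a `facts.d` file. `show_diff => false` only keeps the content out of reports; the permissions of the file on disk fall back to defaults unless a `File { }` default elsewhere in the manifest sets them, which is not visible here. Command strings can carry arguments that should not be broadly readable, and the resulting external fact is presumably submitted with the node's other facts. Consider an explicit restrictive mode on non-Windows nodes, e.g. `mode => '0640',`, and a parameter-doc note that secrets must not be placed in the command hashes.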
@@ -437,7 +437,7 @@ # Run pre-patch commands if provided if ($updates_to_install.count + $choco_updates_to_install.count > 0) { $pre_patch_commands.each | $cmd, $cmd_opts | { - exec { "Patching as Code - Before patching - ${cmd}": + exec { "Patching as Code - Before patching - ${cmd}": # lint:ignore:exec_idempotency * => delete($cmd_opts, ['before', 'schedule', 'tag']), before => Class["patching_as_code::${0}::patchday"], schedule => 'Patching as Code - Patch Window', @@ -447,7 +447,7 @@ } if ($high_prio_updates_to_install.count + $high_prio_choco_updates_to_install.count > 0) { $pre_patch_commands.each | $cmd, $cmd_opts | { - exec { "Patching as Code - Before patching (High Priority) - ${cmd}": + exec { "Patching as Code - Before patching (High Priority) - ${cmd}": # lint:ignore:exec_idempotency * => delete($cmd_opts, ['before', 'schedule', 'tag']), before => Class["patching_as_code::${0}::patchday"], schedule => 'Patching as Code - High Priority Patch Window', @@ -535,7 +535,7 @@ # Perform post-patching Execs if ($updates_to_install.count + $choco_updates_to_install.count > 0) and $reboot { $post_patch_commands.each | $cmd, $cmd_opts | { - exec { "Patching as Code - After patching - ${cmd}": + exec { "Patching as Code - After patching - ${cmd}": # lint:ignore:exec_idempotency * => delete($cmd_opts, ['require', 'before', 'schedule', 'tag']), require => Anchor['patching_as_code::post'], schedule => 'Patching as Code - Patch Window', @@ -545,7 +545,7 @@ } if ($high_prio_updates_to_install.count + $high_prio_choco_updates_to_install.count > 0) and $high_prio_reboot { $post_patch_commands.each | $cmd, $cmd_opts | { - exec { "Patching as Code - After patching (High Priority) - ${cmd}": + exec { "Patching as Code - After patching (High Priority) - ${cmd}": # lint:ignore:exec_idempotency * => delete($cmd_opts, ['require', 'before', 'schedule', 'tag']), require => Anchor['patching_as_code::post'], schedule => 'Patching as Code - High Priority Patch Window', 
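Review bot: The `# lint:ignore:exec_idempotency` added to the `Before patching` exec in the `@@ -437` hunk (and repeated in `@@ -447`, `@@ -535` and `@@ -545`) rests entirely on the `schedule` metaparameter, and a schedule only bounds re-execution when it declares a `period`; with a range-only schedule the resource is applied on every agent run inside the window. The schedule declarations are outside these hunks, so confirm that 'Patching as Code - Patch Window' and the high-priority schedule limit how often they match. These execs run caller-supplied commands from `$pre_patch_commands` and `$post_patch_commands` through `* => delete($cmd_opts, ...)`, so an unintended repeat means re-running arbitrary commands. puppet-lint accepts free text after the check name, so the rationale can sit next to the suppression, e.g. `# lint:ignore:exec_idempotency gated by schedule`.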
@@ -617,7 +617,7 @@ # Do not reboot after patching, just run post_patch commands if given if ($updates_to_install.count + $choco_updates_to_install.count > 0) { $post_patch_commands.each | $cmd, $cmd_opts | { - exec { "Patching as Code - After patching - ${cmd}": + exec { "Patching as Code - After patching - ${cmd}": # lint:ignore:exec_idempotency * => delete($cmd_opts, ['require', 'schedule', 'tag']), require => Anchor['patching_as_code::post'], schedule => 'Patching as Code - Patch Window', @@ -627,7 +627,7 @@ } if ($high_prio_updates_to_install.count + $high_prio_choco_updates_to_install.count > 0) { $post_patch_commands.each | $cmd, $cmd_opts | { - exec { "Patching as Code - After patching (High Priority)- ${cmd}": + exec { "Patching as Code - After patching (High Priority)- ${cmd}": # lint:ignore:exec_idempotency * => delete($cmd_opts, ['require', 'schedule', 'tag']), require => Anchor['patching_as_code::post'], schedule => 'Patching as Code - High Priority Patch Window', diff --git a/manifests/kb.pp b/manifests/kb.pp index e231766..7917d05 100644 --- a/manifests/kb.pp +++ b/manifests/kb.pp @@ -20,7 +20,7 @@ case $kb { 'KB890830', 'KB2267602', 'KB2461484', 'KB4052623': { #Don't skip recurring monthly updates (Malicious Software Removal Tool, Windows Defender/SCEP updates) - exec { "Install ${kb}": + exec { "Install ${kb}": # lint:ignore:exec_idempotency command => template('patching_as_code/install_kb.ps1.erb'), provider => 'powershell', timeout => 14400, diff --git a/manifests/linux/patchday.pp b/manifests/linux/patchday.pp index 0dbb5d9..6a997aa 100644 --- a/manifests/linux/patchday.pp +++ b/manifests/linux/patchday.pp @@ -40,7 +40,7 @@ } if $updates.count > 0 { - exec { 'Patching as Code - Clean Cache': + exec { 'Patching as Code - Clean Cache': # lint:ignore:exec_idempotency command => $cmd, path => $cmd_path, schedule => 'Patching as Code - Patch Window', 
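Review bot: The exec title touched in the `@@ -627` hunk reads `"Patching as Code - After patching (High Priority)- ${cmd}"`, with no space before the hyphen, unlike the otherwise identical title in `@@ -545` (`(High Priority) - ${cmd}`). Since the line is being edited anyway, it could be normalised to `exec { "Patching as Code - After patching (High Priority) - ${cmd}": # lint:ignore:exec_idempotency`. That changes the resource title, so anything matching on the old title in reports would need the same update.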
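Review bot: The suppression on `exec { "Install ${kb}":` in `manifests/kb.pp` is not backed by anything visible in this hunk: the lines shown set `command`, `provider` and `timeout`, and no `schedule` appears before the hunk ends, while the commit message justifies the ignores with "These execs use schedules". The resource body continues outside the hunk, so a schedule may well follow. The context comment, however, suggests the re-run is deliberate for recurring monthly updates, which is a different justification. I would record the actual reason on the line, e.g. `# lint:ignore:exec_idempotency recurring update, re-run by design`.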
@@ -56,7 +56,7 @@ } if $high_prio_updates.count > 0 { - exec { 'Patching as Code - Clean Cache (High Priority)': + exec { 'Patching as Code - Clean Cache (High Priority)': # lint:ignore:exec_idempotency command => $cmd, path => $cmd_path, schedule => 'Patching as Code - High Priority Patch Window', From ddbe29d51e4c1388a4297079e2a5ca67d8b47ae5 Mon Sep 17 00:00:00 2001 From: Kenyon Ralph Date: Wed, 22 Oct 2025 12:46:23 -0700 Subject: [PATCH 6/6] trim trailing whitespace --- manifests/kb.pp | 2 +- manifests/linux/patchday.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/kb.pp b/manifests/kb.pp index 7917d05..7b6119d 100644 --- a/manifests/kb.pp +++ b/manifests/kb.pp @@ -1,5 +1,5 @@ # define patching_as_code::kb -# +# # @summary # This define gets called by init.pp to install Windows KB patches. # @param [String] ensure diff --git a/manifests/linux/patchday.pp b/manifests/linux/patchday.pp index 6a997aa..31bea99 100644 --- a/manifests/linux/patchday.pp +++ b/manifests/linux/patchday.pp @@ -1,5 +1,5 @@ # Class: patching_as_code::linux::patchday -# +# # @summary # This class gets called by init.pp to perform the actual patching on Linux. # @param [Array] updates