How to verify hashes of Ansible Galaxy dependencies?
Problem
From a security perspective, I don't like the idea of relying only on Git tags, as they could be moved later. Unfortunately, I'm not aware of an official solution to enforce checks.
This is the best that I could come up with:

```yaml
# requirements.yaml:
- src: git+https://github.com/geerlingguy/ansible-role-nodejs.git
  version: 405a113ccbde0c99614f6f815fb4285cb742ad25 # == release 5.0.0
  name: geerlingguy.nodejs.trusted_hash
```

And in the playbook, use it as:

```yaml
- roles:
    - role: geerlingguy.nodejs.trusted_hash
      nodejs_version: "12.x"
```

It works, but feels a bit overly complicated. Is there an easier way?
Solution
The feature is currently (Nov 2019) not directly supported in Ansible Galaxy.
There have been related discussions in the past (#14604 and #1358), but the latest state can be followed in the new issue #2108.
In the meantime, the workaround described in the question can be used, at the cost of some verbosity.
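An added check that builds on the workaround above (example code, not from the question, the answer or the Ansible project): a shell function that refuses a requirements file in which any git-sourced role is pinned to something other than a full commit SHA, so that a moved tag cannot silently change what `ansible-galaxy install` fetches. The sample requirements file is constructed for the example, and the second repository URL is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Fails if any git+ entry in an Ansible requirements file pins a tag or
# branch instead of a full 40-hex commit SHA (tags can be moved later).
# Assumes the "- src: ... / version: ... / name: ..." layout shown above.
check_pinned_requirements() {
  awk '
    function flush() {
      if (src ~ /^git\+/ && !(length(ver) == 40 && ver ~ /^[0-9a-f]+$/)) {
        printf "unpinned git dependency: %s (version: %s)\n", src, ver > "/dev/stderr"
        bad++
      }
      src = ""; ver = ""
    }
    /^-[ \t]*src:/    { flush(); src = $3; next }   # start of a new entry
    /^[ \t]*version:/ { ver = $2; next }            # $2 drops any trailing comment
    END               { flush(); exit bad }         # non-zero if any entry failed
  ' "$1"
}

# Constructed sample: the first entry is the pinned form from the question,
# the second names only a tag, the third is a plain Galaxy role (not git,
# so the check ignores it). The second URL is a placeholder.
write_sample_requirements() {
  cat > "$1" <<'EOF'
- src: git+https://github.com/geerlingguy/ansible-role-nodejs.git
  version: 405a113ccbde0c99614f6f815fb4285cb742ad25 # == release 5.0.0
  name: geerlingguy.nodejs.trusted_hash
- src: git+https://example.invalid/placeholder/ansible-role-unpinned.git
  version: v1.2.3
  name: placeholder.unpinned
- src: geerlingguy.nodejs
  version: 5.0.0
EOF
}

# Gate the install on the check, e.g. in CI before `ansible-galaxy install -r`.
sample=$(mktemp)
write_sample_requirements "$sample"
if check_pinned_requirements "$sample"; then
  echo "all git dependencies are pinned to commits"
else
  echo "refusing to run: ansible-galaxy install -r $sample" >&2
fi
rm -f "$sample"
```

Note that this only proves the requirements file names an immutable commit; it does not verify the contents the remote serves for that commit, which Git's own object hashing covers when the checkout succeeds.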
Context
StackExchange DevOps Q#9836, answer score: 1