summaryrefslogtreecommitdiffstats
path: root/src/ansiblelint/rules/latest.py
diff options
context:
space:
mode:
Diffstat (limited to 'src/ansiblelint/rules/latest.py')
-rw-r--r--src/ansiblelint/rules/latest.py46
1 files changed, 46 insertions, 0 deletions
diff --git a/src/ansiblelint/rules/latest.py b/src/ansiblelint/rules/latest.py
new file mode 100644
index 0000000..0838feb
--- /dev/null
+++ b/src/ansiblelint/rules/latest.py
@@ -0,0 +1,46 @@
+"""Implementation of latest rule."""
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+
+from ansiblelint.rules import AnsibleLintRule
+
+if TYPE_CHECKING:
+ from ansiblelint.errors import MatchError
+ from ansiblelint.file_utils import Lintable
+ from ansiblelint.utils import Task
+
+
+class LatestRule(AnsibleLintRule):
+ """Result of the command may vary on subsequent runs."""
+
+ id = "latest"
+ description = (
+ "All version control checkouts must point to "
+ "an explicit commit or tag, not just ``latest``"
+ )
+ severity = "MEDIUM"
+ tags = ["idempotency"]
+ version_added = "v6.5.2"
+ _ids = {
+ "latest[git]": "Use a commit hash or tag instead of 'latest' for git",
+ "latest[hg]": "Use a commit hash or tag instead of 'latest' for hg",
+ }
+
+ def matchtask(
+ self,
+ task: Task,
+ file: Lintable | None = None,
+ ) -> bool | str | MatchError:
+ """Check if module args are safe."""
+ if (
+ task["action"]["__ansible_module__"] == "git"
+ and task["action"].get("version", "HEAD") == "HEAD"
+ ):
+ return self.create_matcherror(tag="latest[git]", filename=file)
+ if (
+ task["action"]["__ansible_module__"] == "hg"
+ and task["action"].get("revision", "default") == "default"
+ ):
+ return self.create_matcherror(tag="latest[hg]", filename=file)
+ return False