From 8180e369eaa5cd6cd79939c08e5e11ee7ad50538 Mon Sep 17 00:00:00 2001
From: Sorin Sbarnea <ssbarnea@redhat.com>
Date: Fri, 17 Jan 2025 12:18:35 +0000
Subject: [PATCH] Correct minimal requirements

- Ensure that our lower requirements can be used
- Make uv use constraints like pip (failed to for some time)
- Fix broken test logic related to vault password
---
 .config/requirements.in                | 10 +++++-----
 .github/lower-constraints.txt          | 12 ++++++------
 .vault_pass                            |  1 +
 ansible.cfg                            |  2 ++
 src/ansiblelint/schemas/__store__.json |  2 +-
 test/test_schemas.py                   |  8 ++++----
 tox.ini                                | 20 +++++---------------
 7 files changed, 24 insertions(+), 31 deletions(-)
 create mode 100644 .vault_pass

diff --git a/.config/requirements.in b/.config/requirements.in
index 51080603e2..e388e96531 100644
--- a/.config/requirements.in
+++ b/.config/requirements.in
@@ -1,17 +1,17 @@
 # Special order section for helping pip:
 will-not-work-on-windows-try-from-wsl-instead; platform_system=='Windows'
-ansible-core>=2.13.0 # GPLv3
+ansible-core>=2.14.0 # GPLv3
 ansible-compat>=24.10.0 # GPLv3
 # alphabetically sorted:
 black>=24.3.0 # MIT (security)
-filelock>=3.3.0 # The Unlicense
+filelock>=3.8.2 # The Unlicense
 importlib-metadata # Apache
 jsonschema>=4.10.0 # MIT, version needed for improved errors
-packaging>=21.3 # Apache-2.0,BSD-2-Clause
+packaging>=22.0 # Apache-2.0,BSD-2-Clause
 pathspec>=0.10.3 # Mozilla Public License 2.0 (MPL 2.0)
-pyyaml>=5.4.1 # MIT (centos 9 has 5.3.1)
+pyyaml>=6.0.2 # MIT (compilation probles with older versions)
 ruamel.yaml>=0.18.5,!=0.18.7,!=0.18.8 # MIT
 subprocess-tee>=0.4.1 # MIT, used by ansible-compat
-yamllint >= 1.30.0 # GPLv3
+yamllint >= 1.34.0 # GPLv3
 wcmatch>=8.1.2; python_version < '3.12' # MIT
 wcmatch>=8.5.0; python_version >= '3.12' # MIT
diff --git a/.github/lower-constraints.txt b/.github/lower-constraints.txt
index d313869d14..380293c68e 100644
--- a/.github/lower-constraints.txt
+++ b/.github/lower-constraints.txt
@@ -1,18 +1,18 @@
 # This file is kept in a different directory than .config in order to not be
 # automatically updated by dependabot. This should be kept in sync with
 # minimal requirements configured inside .config/requirements.in
-ansible-core==2.13.0
-ansible-compat==24.5.1 # GPLv3
+ansible-core==2.14.0
+ansible-compat==24.10.0 # GPLv3
 black==24.3.0 # MIT (security)
-filelock==3.3.0 # The Unlicense
+filelock==3.8.2 # The Unlicense
 jsonschema==4.10.0 # MIT, version needed for improved errors
-packaging==21.3
+packaging==22.0
 pathspec==0.10.3
-pyyaml==5.4.1
+pyyaml==6.0.2
 ruamel.yaml==0.18.5 # MIT
 subprocess-tee==0.4.1 # MIT, used by ansible-compat
 # https://packages.ubuntu.com/noble/python3-wcmatch
 # https://packages.fedoraproject.org/pkgs/python-wcmatch/python3-wcmatch/
 wcmatch==8.1.2; python_version < '3.12' # EPEL 8
 wcmatch==8.5.0; python_version >= '3.12'
-yamllint == 1.30.0
+yamllint == 1.34.0
diff --git a/.vault_pass b/.vault_pass
new file mode 100644
index 0000000000..c2afca48e0
--- /dev/null
+++ b/.vault_pass
@@ -0,0 +1 @@
+secret123
diff --git a/ansible.cfg b/ansible.cfg
index 3b5eeca7ef..da8921fba4 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,2 +1,4 @@
 [defaults]
 collections_path = collections:examples/playbooks/collections
+# to avoid accidental use of vault from user environment:
+vault_password_file = .vault_pass
diff --git a/src/ansiblelint/schemas/__store__.json b/src/ansiblelint/schemas/__store__.json
index 377e224f1b..fb61accc27 100644
--- a/src/ansiblelint/schemas/__store__.json
+++ b/src/ansiblelint/schemas/__store__.json
@@ -24,7 +24,7 @@
     "url": "https://raw.githubusercontent.com/ansible/ansible-lint/main/src/ansiblelint/schemas/inventory.json"
   },
   "meta": {
-    "etag": "33b882f8306af33fd7983a5a837308926d2d862903404b9eea71a73e8b37eb38",
+    "etag": "6d6a0bc70042a1ad7341ae6b0de05136a1ebba521ee7ab3972c1a2574ff7d2c6",
     "url": "https://raw.githubusercontent.com/ansible/ansible-lint/main/src/ansiblelint/schemas/meta.json"
   },
   "meta-runtime": {
diff --git a/test/test_schemas.py b/test/test_schemas.py
index d9c32e04c2..e6dd373c9b 100644
--- a/test/test_schemas.py
+++ b/test/test_schemas.py
@@ -96,17 +96,17 @@ def test_spdx() -> None:
         schema = json.load(f)
         spx_enum = schema["$defs"]["SPDXLicenseEnum"]["enum"]
     if set(spx_enum) != license_ids:
-        # In absence of a
-        if os.environ.get("PIP_CONSTRAINT", "/dev/null") == "/dev/null":
+        constraints = os.environ.get("PIP_CONSTRAINT", "/dev/null")
+        if constraints.endswith(".config/constraints.txt"):
             with galaxy_json.open("w", encoding="utf-8") as f:
                 schema["$defs"]["SPDXLicenseEnum"]["enum"] = sorted(license_ids)
                 json.dump(schema, f, indent=2)
             pytest.fail(
-                "SPDX license list inside galaxy.json JSON Schema file was updated.",
+                f"SPDX license list inside galaxy.json JSON Schema file was updated. {constraints}",
             )
         else:
             warnings.warn(
-                "test_spdx failure was ignored because constraints were not pinned (PIP_CONSTRAINTS). This is expected for py310 and py-devel jobs.",
+                f"test_spdx failure was ignored because constraints were not pinned (PIP_CONSTRAINT={constraints}). This is expected for py310 and py-devel, lower jobs.",
                 category=pytest.PytestWarning,
                 stacklevel=1,
             )
diff --git a/tox.ini b/tox.ini
index 247ec006ea..9b3fc441cb 100644
--- a/tox.ini
+++ b/tox.ini
@@ -70,7 +70,11 @@ setenv =
   COVERAGE_FILE = {env:COVERAGE_FILE:{envdir}/.coverage.{envname}}
   COVERAGE_PROCESS_START={toxinidir}/pyproject.toml
   PIP_CONSTRAINT = {toxinidir}/.config/constraints.txt
-  devel,pkg,pre,py310: PIP_CONSTRAINT = /dev/null
+  UV_CONSTRAINT = {toxinidir}/.config/constraints.txt
+  devel,pkg,pre,py310,lint,hook,deps,schemas: PIP_CONSTRAINT = /dev/null
+  devel,pkg,pre,py310,lint,hook,deps,schemas: UV_CONSTRAINT = /dev/null
+  lower: PIP_CONSTRAINT = {toxinidir}/.github/lower-constraints.txt
+  lower: UV_CONSTRAINT = {toxinidir}/.github/lower-constraints.txt
   PIP_DISABLE_PIP_VERSION_CHECK = 1
   PRE_COMMIT_COLOR = always
   # Number of expected test passes, safety measure for accidental skip of
@@ -108,23 +112,15 @@ commands =
 passenv =
   {[testenv]passenv}
   PRE_COMMIT_HOME
-setenv =
-  {[testenv]setenv}
-  # avoid messing pre-commit with out own constraints
-  PIP_CONSTRAINT=
 
 [testenv:lower]
 description = Install using lower-constraints.txt file for testing oldest versions.
-setenv =
-  PIP_CONSTRAINT = {toxinidir}/.github/lower-constraints.txt
 
 [testenv:hook]
 description = Validate pre-commit hook definition
 deps = pre-commit
 commands =
   ./tools/test-hook.sh
-setenv =
-  PIP_CONSTRAINT=/dev/null
 
 [testenv:deps]
 description = Bump all test dependencies
@@ -134,9 +130,6 @@ skip_install = true
 basepython = python3.10
 deps =
   {[testenv:lint]deps}
-setenv =
-  # without his upgrade would likely not do anything
-  PIP_CONSTRAINT = /dev/null
 commands_pre =
 commands =
   -pre-commit run --all-files --show-diff-on-failure --hook-stage manual lock
@@ -178,9 +171,6 @@ commands =
 description = Rebuild and test JSON Schemas
 deps =
   check-jsonschema>=0.26.3
-setenv =
-  # without this upgrade would likely not do anything
-  PIP_CONSTRAINT = /dev/null
 skip_install = true
 changedir = test/schemas
 commands_pre =