No InventoryUpdates when source Project is failed (#13063)

Previously, in some cases, an InventoryUpdate sourced by an SCM project would still run and be successful even after the project it is sourced from failed to update. This would happen because the InventoryUpdate would revert the project back to its last working revision. This behavior is confusing and inconsistent with how we handle jobs (which just refuse to launch when the project is failed). This change pulls out the logic that the job launch serializer and RunJob#pre_run_hook had implemented (independently) to check if the project is in a failed state, and puts it into a method on the Project model. This is then checked in the project launch serializer as well as the inventory update serializer, along with SourceControlMixin#sync_and_copy as a fallback for things that don't run the serializer validation (such as scheduled jobs and WFJT jobs). Signed-off-by: Rick Elrod <rick@elrod.me>
2026-04-09 12:09:20 -02:30 · 2022-11-03 13:23:34 -05:00
parent 75e6366c5e
commit 1c65339a24
4 changed files with 42 additions and 15 deletions
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -2221,6 +2221,15 @@ class InventorySourceUpdateSerializer(InventorySourceSerializer):
    class Meta:
        fields = ('can_update',)

+    def validate(self, attrs):
+        project = self.instance.source_project
+        if project:
+            failed_reason = project.get_reason_if_failed()
+            if failed_reason:
+                raise serializers.ValidationError(failed_reason)
+
+        return super(InventorySourceUpdateSerializer, self).validate(attrs)
+

 class InventoryUpdateSerializer(UnifiedJobSerializer, InventorySourceOptionsSerializer):

@@ -4272,17 +4281,10 @@ class JobLaunchSerializer(BaseSerializer):
        # Basic validation - cannot run a playbook without a playbook
        if not template.project:
            errors['project'] = _("A project is required to run a job.")
-        elif template.project.status in ('error', 'failed'):
-            errors['playbook'] = _("Missing a revision to run due to failed project update.")
-
-            latest_update = template.project.project_updates.last()
-            if latest_update is not None and latest_update.failed:
-                failed_validation_tasks = latest_update.project_update_events.filter(
-                    event='runner_on_failed',
-                    play="Perform project signature/checksum verification",
-                )
-                if failed_validation_tasks:
-                    errors['playbook'] = _("Last project update failed due to signature validation failure.")
+        else:
+            failure_reason = template.project.get_reason_if_failed()
+            if failure_reason:
+                errors['playbook'] = failure_reason

        # cannot run a playbook without an inventory
        if template.inventory and template.inventory.pending_deletion is True:
--- a/awx/api/views/init.py
+++ b/awx/api/views/init.py
@@ -2221,6 +2221,8 @@ class InventorySourceUpdateView(RetrieveAPIView):

    def post(self, request, *args, **kwargs):
        obj = self.get_object()
+        serializer = self.get_serializer(instance=obj, data=request.data)
+        serializer.is_valid(raise_exception=True)
        if obj.can_update:
            update = obj.update()
            if not update: