Audit CLI opts used in git states

This restricts the git state module to git 1.6.5 or later, as some of the core functionality needed for git.latest was not present before that version. This release is over 6 years old now, so this change should be safe to make. In addition, this stops git.latest from trying to use the --ff-only argument when running a git merge to fast-forward the repo, in versions where this option is not available.
2025-04-17 10:10:20 +00:00 · 2016-02-18 01:34:03 -06:00 · 2016-02-18 01:34:03 -06:00 · ca410c0a94
commit ca410c0a94
parent fe9e5d27e6
1 changed files with 23 additions and 2 deletions
--- a/salt/states/git.py
+++ b/salt/states/git.py
@ -5,6 +5,10 @@ States to manage git repositories and git configuration
 .. important::
    Before using git over ssh, make sure your remote host fingerprint exists in
    your ``~/.ssh/known_hosts`` file.
+
+.. versionchanged:: 2015.8.7
+    This state module now requires git 1.6.5 (released 10 October 2009) or
+    newer.
 '''
 from __future__ import absolute_import

@ -29,7 +33,10 @@ def __virtual__():
    '''
    Only load if git is available
    '''
-    return __salt__['cmd.has_exec']('git')
+    if 'git.version' not in __salt__:
+        return False
+    git_ver = _LooseVersion(__salt__['git.version'](versioninfo=False))
+    return git_ver >= _LooseVersion('1.6.5')


 def _revs_equal(rev1, rev2, rev_type):
@ -1122,10 +1129,24 @@ def latest(name,
                                                        ignore_retcode=True):
                            merge_rev = remote_rev if rev == 'HEAD' \
                                else desired_upstream
+
+                            if git_ver >= _LooseVersion('1.8.1.6'):
+                                # --ff-only added in version 1.8.1.6. It's not
+                                # 100% necessary, but if we can use it, we'll
+                                # ensure that the merge doesn't go through if
+                                # not a fast-forward. Granted, the logic that
+                                # gets us to this point shouldn't allow us to
+                                # attempt this merge if it's not a
+                                # fast-forward, but it's an extra layer of
+                                # protection.
+                                merge_opts = ['--ff-only']
+                            else:
+                                merge_opts = []
+
                            __salt__['git.merge'](
                                target,
                                rev=merge_rev,
-                                opts=['--ff-only'],
+                                opts=merge_opts,
                                user=user
                            )
                            comments.append(