[PR #12097/850ef03f backport][stable-13] snap: enforce hold when installing at a specific revision (#12101)

snap: enforce hold when installing at a specific revision (#12097) * snap: enforce hold when installing at a specific revision When `revision` is specified, run `snap refresh --hold` after install/refresh to actually pin the snap and prevent automatic updates from overriding it. Detects hold-mismatch idempotently via the Notes column of `snap list`. Fixes #12088 * feat(changelog): add fragment for snap hold fix (#12097) * test(snap): remove incorrect manual-refresh assertion from hold test snap refresh --hold only blocks the snapd auto-refresh daemon; a manual snap refresh bypasses the hold. Remove the block that ran snap refresh manually and asserted the revision was unchanged. * snap: add bare-refresh hold test and docs warning for manual refresh bypass --------- (cherry picked from commit 850ef03fe7) Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-30 07:50:43 +00:00 · 2026-05-25 15:58:44 +02:00 · 2026-05-25 15:58:44 +02:00 · f074ca9b05
commit f074ca9b05
parent 62e60952e7
4 changed files with 75 additions and 6 deletions
--- a/tests/integration/targets/snap/tasks/test_revision.yml
+++ b/tests/integration/targets/snap/tasks/test_revision.yml
@ -28,6 +28,16 @@
      - install_revision is changed
      - install_revision_again is not changed

+- name: Verify snap is held after revision install
+  ansible.builtin.command: snap list uhttpd
+  register: snap_list_after_install
+  changed_when: false
+
+- name: Assert snap is held
+  assert:
+    that:
+      - "'held' in snap_list_after_install.stdout"
+
 - name: Install different revision (uhttpd rev 45)
  community.general.snap:
    name: uhttpd
@ -40,6 +50,33 @@
    that:
      - install_different_revision is changed

+- name: Verify snap is still held after switching revision
+  ansible.builtin.command: snap list uhttpd
+  register: snap_list_after_switch
+  changed_when: false
+
+- name: Assert snap is still held
+  assert:
+    that:
+      - "'held' in snap_list_after_switch.stdout"
+
+- name: Run bare snap refresh to verify hold prevents auto-update
+  ansible.builtin.command: snap refresh
+  register: bare_snap_refresh
+  changed_when: false
+  failed_when: false
+
+- name: Verify snap is still at revision 45 after bare snap refresh
+  ansible.builtin.command: snap list uhttpd
+  register: snap_list_after_bare_refresh
+  changed_when: false
+
+- name: Assert snap did not update past the held revision
+  assert:
+    that:
+      - "'45' in snap_list_after_bare_refresh.stdout"
+      - "'held' in snap_list_after_bare_refresh.stdout"
+
 - name: Remove package (uhttpd)
  community.general.snap:
    name: uhttpd