From d75503687e073430d43e5c55e8ffb5ec5738a9a1 Mon Sep 17 00:00:00 2001
From: Pierre Riteau <pierre@stackhpc.com>
Date: Wed, 11 Mar 2026 18:15:57 +0100
Subject: [PATCH 1/2] Pin setuptools

setuptools 82.0.0 removed pkg_resources, breaking stable jobs.
Use a temporary stable-only pin to setuptools==81.0.0.

Detail reasoning in [1].

[1] https://review.opendev.org/c/openstack/requirements/+/976227

Change-Id: If9a1842173e69145914f5d1ca6a4485e8910c258
Signed-off-by: Pierre Riteau <pierre@stackhpc.com>
(cherry picked from commit 5dd2eb9bf99e2e420853ea4ed27f6f5c3fd58b25)
(cherry picked from commit 70497e1cfae47d35a2de96d66672e7e9d27c5a27)
---
 doc/requirements.txt | 3 +++
 requirements.txt     | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/doc/requirements.txt b/doc/requirements.txt
index 51a2c6498..33ba4efa0 100644
--- a/doc/requirements.txt
+++ b/doc/requirements.txt
@@ -7,3 +7,6 @@ reno>=3.1.0 # Apache-2.0
 sphinx>=2.0.0,!=2.1.0 # BSD
 sphinxcontrib-svg2pdfconverter>=0.1.0 # BSD
 whereto>=0.3.0 # Apache-2.0
+# NOTE(priteau): pin setuptools
+# https://setuptools.pypa.io/en/stable/history.html#v82-0-0
+setuptools==81.0.0
diff --git a/requirements.txt b/requirements.txt
index 7d7ba3710..a7008bfff 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,6 @@
+# NOTE(wszumski): pin setuptools
+# https://setuptools.pypa.io/en/stable/history.html#v82-0-0
+setuptools==81.0.0
 pbr>=2.0 # Apache-2.0
 Jinja2>3 # BSD
 ansible>=8,<10 # GPLv3

From 2875bdbd7bc9a737c64ae40fb7146671b74f47cc Mon Sep 17 00:00:00 2001
From: Jake Hutchinson <jake@stackhpc.com>
Date: Wed, 30 Oct 2024 16:34:29 +0000
Subject: [PATCH 2/2] Add loop control to custom DNF repos

This avoids leaking repository credentials by suppressing the dict
output to only print the key.

Change-Id: Ic7aa0e4c4f625908aeb30de65edac8bce96af761
Related-Bug: #2087938
(cherry picked from commit a36bb614c092c147da11c20334dff6839d3c29b2)
Signed-off-by: Pierre Riteau <pierre@stackhpc.com>
---
 ansible/roles/dnf/tasks/custom-repo.yml               |  2 ++
 .../notes/dnf-loop-control-6e2c8ba1915d2631.yaml      | 11 +++++++++++
 2 files changed, 13 insertions(+)
 create mode 100644 releasenotes/notes/dnf-loop-control-6e2c8ba1915d2631.yaml

diff --git a/ansible/roles/dnf/tasks/custom-repo.yml b/ansible/roles/dnf/tasks/custom-repo.yml
index a20018e92..b7e66de76 100644
--- a/ansible/roles/dnf/tasks/custom-repo.yml
+++ b/ansible/roles/dnf/tasks/custom-repo.yml
@@ -26,6 +26,8 @@
     username: "{{ item.value.username | default(omit) }}"
     state: "{{ item.value.state | default(omit)}}"
   with_dict: "{{ dnf_custom_repos }}"
+  loop_control:
+    label: "{{ item.key }}"
   register: register_dnf_command
   retries: 3
   delay: 10
diff --git a/releasenotes/notes/dnf-loop-control-6e2c8ba1915d2631.yaml b/releasenotes/notes/dnf-loop-control-6e2c8ba1915d2631.yaml
new file mode 100644
index 000000000..38f8d257b
--- /dev/null
+++ b/releasenotes/notes/dnf-loop-control-6e2c8ba1915d2631.yaml
@@ -0,0 +1,11 @@
+---
+security:
+  - |
+    Avoid leaking DNF repository username/password credentials in the Kayobe
+    output by adding loop control to print only the repository key.
+    `LP#2087938 <https://launchpad.net/bugs/2087938>`__
+fixes:
+  - |
+    Avoid leaking DNF repository username/password credentials in the Kayobe
+    output by adding loop control to print only the repository key.
+    `LP#2087938 <https://launchpad.net/bugs/2087938>`__