System and python packages should not automatically be upgraded to the latest version
Concerning these two tasks https://gitlab.com/gitlab-org/quality/gitlab-environment-toolkit/-/blob/c01ca3a616c96df0c2fb4018ddb5c8b5cc27d89b/ansible/roles/common/tasks/main.yml#L55-73, we should ensure that we don't always upgrade to the latest version on every Ansible run. This is a blocker for repeatable db provisioning.
- For `apt` this means ensuring the packages are present, but not automatically upgrading them.
- For Python packages installed with `pip` we should pin the versions.
More generally, when rolling out changes we need to be careful to limit them, and since these two tasks are in the `common` role they will be executed on every run.
cc @andrewn as this also came up for Project Horse.
Edited by John Jarvis
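
The two changes requested above, sketched as Ansible tasks. This is an added example, not the toolkit's actual tasks: the package names and version numbers are constructed placeholders, and the "before" tasks are an assumed shape of an always-upgrade configuration.

```yaml
# Added illustration; package names and versions are constructed placeholders.

# Before: both tasks re-resolve to the newest available version on every run,
# so two runs of the same playbook can leave hosts with different software.
- name: Install system packages (drifts between runs)
  ansible.builtin.apt:
    name:
      - example-pkg-a
      - example-pkg-b
    state: latest
    update_cache: true

- name: Install Python packages (drifts between runs)
  ansible.builtin.pip:
    name:
      - example-lib-a
      - example-lib-b
    state: latest

# After: apt only installs what is missing and leaves installed packages
# alone; pip installs exact, reviewed versions.
- name: Ensure system packages are present
  ansible.builtin.apt:
    name:
      - example-pkg-a
      - example-pkg-b
    state: present
    update_cache: true
    cache_valid_time: 3600   # skip the index refresh if done within the hour

- name: Install pinned Python packages
  ansible.builtin.pip:
    name:
      - example-lib-a==1.2.3
      - example-lib-b==4.5.6
    state: present
```

With the pins in place, a version bump becomes an explicit, reviewable change to the role instead of a side effect of running it.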