Support only_upgrade

examples/playbooks/package-check-failure.yml

@@ -19,3 +19,10 @@
         name: sudo
         state: latest
         update_only: false
+
+    - name: Install ansible with only_upgrade to false
+      ansible.builtin.apt:
+        name: sudo
+        state: latest
+        upgrade: true
+        only_upgrade: false

examples/playbooks/package-check-success.yml

@@ -20,3 +20,10 @@
         name: sudo
         state: latest
         update_only: true
+
+    - name: Upgrade ansible
+      ansible.builtin.apt:
+        name: sudo
+        state: latest
+        upgrade: true
+        only_upgrade: true

src/ansiblelint/rules/package_latest.md

@@ -7,7 +7,7 @@ In production environments, you should set `state` to `present` and specify a ta
 
 Setting `state` to `latest` not only installs software, it performs an update and installs additional packages.
 This can result in performance degradation or loss of service.
-If you do want to update packages to the latest version, you should also set the `update_only` parameter to `true` to avoid installing additional packages.
+If you do want to update packages to the latest version, you should also set the `update_only` or `only_upgrade` parameter to `true` based on package manager to avoid installing additional packages.
 
 ## Problematic Code
 
@@ -37,6 +37,12 @@ If you do want to update packages to the latest version, you should also set the
         name: sudo
         state: latest
         update_only: false # <- Updates and installs packages.
+
+    - name: Install Ansible with only_upgrade to false
+      ansible.builtin.apt:
+        name: sudo
+        state: latest
+        only_upgrade: false # <- Upgrades and installs packages
 ```
 
 ## Correct Code
@@ -68,4 +74,10 @@ If you do want to update packages to the latest version, you should also set the
         name: sudo
         state: latest
         update_only: true # <- Updates but does not install additional packages.
+
+    - name: Install Ansible with only_upgrade to false
+      ansible.builtin.apt:
+        name: sudo
+        state: latest
+        only_upgrade: true # <- Upgrades but does not install additional packages.
 ```

src/ansiblelint/rules/package_latest.py

@@ -79,5 +79,6 @@ def matchtask(
             task["action"]["__ansible_module__"] in self._package_managers
             and not task["action"].get("version")
             and not task["action"].get("update_only")
+            and not task["action"].get("only_upgrade")
             and task["action"].get("state") == "latest"
         )

test/rules/test_package_latest.py

@@ -20,4 +20,4 @@ def test_package_not_latest_negative() -> None:
     failure = "examples/playbooks/package-check-failure.yml"
     bad_runner = Runner(failure, rules=collection)
     errs = bad_runner.run()
-    assert len(errs) == 4
+    assert len(errs) == 5