
Fix workload identity project updates#16373

Open

melissalkelly wants to merge 2 commits into ansible:devel from melissalkelly:fix-workload-identity-project-updates

Conversation

@melissalkelly (Member) commented Mar 26, 2026

SUMMARY

Fix workload identity credentials for project updates with non-insights SCM types.

Project updates using OIDC workload identity credentials (e.g., retrieving git passwords from HashiCorp Vault) were failing with "Token, Username/Password, AppRole, Kubernetes, or TLS authentication parameters must be set" because:

  1. build_credentials_list() only returned credentials for scm_type == 'insights', preventing populate_workload_identity_tokens() from generating tokens for git/svn/archive projects
  2. build_passwords() used project_update.credential (fresh DB instance without context) instead of the credential from self._credentials (which contains the populated workload identity token context)

Changes:

  • Remove insights-only restriction in RunProjectUpdate.build_credentials_list()
  • Use credential from self._credentials in RunProjectUpdate.build_passwords() to preserve the token context

ISSUE TYPE

  • Bug, Docs Fix or other nominal change

COMPONENT NAME

  • API

STEPS TO REPRODUCE AND EXTRA INFO

See AAP-67476 for details and linked testing PR

Summary by CodeRabbit

  • Bug Fixes
    • Improved credential resolution for source control management (SCM) operations to properly identify and apply stored credentials during project updates, ensuring the correct credentials are used regardless of configuration complexity.
    • Enhanced credential list handling to work consistently across all SCM types, removing previous limitations that restricted credential processing only to specific source control configurations.
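As an added illustration (not code from this PR or from AWX itself), the following simplified model reproduces the two failure modes described above: the Credential and ProjectUpdate stand-ins and the fake DB row are constructed assumptions, and only the names build_credentials_list, populate_workload_identity_tokens, build_passwords, _credentials and get_input follow the PR description. Toggling `fixed` switches between the pre-fix and post-fix behaviour.

```python
from dataclasses import dataclass, field

# Constructed fake DB row; ProjectUpdate.credential rebuilds a Credential from it each time.
DB_CREDENTIALS = {7: {"pk": 7, "inputs": {"username": "git-bot", "password": ""}}}

@dataclass
class Credential:
    pk: int
    inputs: dict
    workload_identity_context: dict = field(default_factory=dict)  # runtime only, never persisted

    def get_input(self, name, default=""):
        # Runtime context (e.g. a password fetched from Vault) wins over stored inputs.
        return self.workload_identity_context.get(name, self.inputs.get(name, default))

class ProjectUpdate:
    def __init__(self, scm_type, credential_pk):
        self.scm_type, self.credential_pk = scm_type, credential_pk

    @property
    def credential(self):  # fresh instance on every access, like an ORM reload from the DB
        return Credential(**DB_CREDENTIALS[self.credential_pk])

class RunProjectUpdate:
    def __init__(self, instance, fixed):
        self.instance, self.fixed = instance, fixed  # fixed: post-fix (True) or pre-fix behaviour
        self._credentials = []

    def build_credentials_list(self, project_update):
        # Pre-fix: non-insights projects got no credentials, so no context was ever populated.
        if not self.fixed and project_update.scm_type != "insights":
            return []
        return [project_update.credential]

    def populate_workload_identity_tokens(self):
        for cred in self._credentials:  # stand-in for the Vault lookup; result lives in memory
            cred.workload_identity_context["password"] = "secret-from-vault"

    def build_passwords(self, project_update):
        cred = project_update.credential  # fresh DB instance: the runtime context is missing
        if self.fixed and self.instance:  # post-fix: prefer the in-memory credential, matched by PK
            cred = next((c for c in self._credentials if c.pk == cred.pk), cred)
        return {"scm_username": cred.get_input("username"), "scm_password": cred.get_input("password")}

def run_project_update(scm_type="git", fixed=True):
    pu = ProjectUpdate(scm_type, 7)
    task = RunProjectUpdate(instance=pu, fixed=fixed)
    task._credentials = task.build_credentials_list(pu)
    task.populate_workload_identity_tokens()
    return task.build_passwords(pu)
```

Note that even an insights project loses the password pre-fix: the list is built, but build_passwords reads the reloaded instance rather than the populated one.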

@coderabbitai coderabbitai bot commented Mar 26, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between cd7f6f6 and 66bfecd.

📒 Files selected for processing (1)
  • awx/main/tasks/jobs.py

Walkthrough

Changes to RunProjectUpdate in job tasks modify credential sourcing behavior: SCM credential values are now resolved via instance credentials when available instead of direct access, and the credentials list is now built regardless of SCM type rather than only for the 'insights' type.

Changes

Cohort / File(s): Credential Resolution, awx/main/tasks/jobs.py
Summary: Modified build_passwords to source SCM credential values from self._credentials when self.instance is set (matching by credential PK). Updated build_credentials_list to return credentials regardless of scm_type; previously it did so only for scm_type == 'insights'.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Pre-merge checks: 2 passed, 1 failed

Failed checks (1 warning):
  • Docstring Coverage: Warning. Docstring coverage is 50.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

Passed checks (2):
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'Fix workload identity project updates' clearly summarizes the main change: fixing issues with workload identity credentials in project updates for non-insights SCM types.


@melissalkelly melissalkelly force-pushed the fix-workload-identity-project-updates branch from 68b9920 to ce5e7bf Compare March 26, 2026 18:56
@melissalkelly melissalkelly marked this pull request as ready for review March 26, 2026 19:41
@PabloHiro (Contributor) left a comment


LGTM, I think it can be merged as is, but some clarification on the change might be helpful.

passwords['scm_key_unlock'] = project_update.credential.get_input('ssh_key_unlock', default='')
passwords['scm_username'] = project_update.credential.get_input('username', default='')
passwords['scm_password'] = project_update.credential.get_input('password', default='')
if self.instance:

I am quite sure whoever reads this in 1 month is gonna struggle to understand this chunk of code, so I think it is worth putting a comment. Thoughts?

Suggested change (replace the line "if self.instance:" with):

# Retrieve in-memory project_update.credential that has its context populated.
# Fall back to the DB resource if not available.
if self.instance:
