From 77339209d8f1e52f991b1fa20ae017cf5e532ede Mon Sep 17 00:00:00 2001
From: Lukas Audzevicius <laudzevicius24@hotmail.com>
Date: Tue, 16 Jun 2026 14:31:49 +0100
Subject: [PATCH 1/2] (CAT-2665) Roll out safe fork CI integration

Run pdk update to pick up fork_ci_label_guard.yml and the pull_request_target
trigger/guard conditions in ci.yml. Restore the module-specific
--nightly --arch-exclude arm flags dropped by the template, and mark
ci.yml and nightly.yml as unmanaged in .sync.yml to preserve them on
future pdk updates.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/ci.yml                  | 23 ++++++++--
 .github/workflows/fork_ci_label_guard.yml | 12 +++++
 .rubocop.yml                              | 53 ++++++++++++-----------
 .sync.yml                                 |  4 +-
 Gemfile                                   | 28 +++++++-----
 metadata.json                             |  4 +-
 spec/spec_helper.rb                       |  2 +-
 7 files changed, 82 insertions(+), 44 deletions(-)
 create mode 100644 .github/workflows/fork_ci_label_guard.yml

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c236bbc2..e6caf5ba 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,15 +4,32 @@ on:
   pull_request:
     branches:
       - "main"
+  pull_request_target:
+    types: [labeled, reopened]
+    branches:
+      - "main"
   workflow_dispatch:
-    
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   Spec:
+    if: github.event_name != 'pull_request_target'
     uses: "puppetlabs/cat-github-actions/.github/workflows/module_ci.yml@main"
-    secrets: "inherit"
 
   Acceptance:
-    needs: Spec
+    if: >-
+      github.event_name == 'workflow_dispatch' ||
+      (github.event_name == 'pull_request' &&
+       github.event.pull_request.head.repo.fork == false) ||
+      (github.event_name == 'pull_request_target' &&
+       github.event.pull_request.head.repo.fork == true &&
+       contains(github.event.pull_request.labels.*.name, 'allowed-for-ci'))
     uses: "puppetlabs/cat-github-actions/.github/workflows/module_acceptance.yml@main"
     with:
       flags: "--nightly --arch-exclude arm"
diff --git a/.github/workflows/fork_ci_label_guard.yml b/.github/workflows/fork_ci_label_guard.yml
new file mode 100644
index 00000000..027fbe34
--- /dev/null
+++ b/.github/workflows/fork_ci_label_guard.yml
@@ -0,0 +1,12 @@
+name: "Fork CI Label Guard"
+
+on:
+  pull_request_target:
+    types: [synchronize, closed]
+
+permissions:
+  pull-requests: write
+
+jobs:
+  strip:
+    uses: "puppetlabs/cat-github-actions/.github/workflows/fork_ci_label_guard.yml@main"
diff --git a/.rubocop.yml b/.rubocop.yml
index 660ab816..54f68340 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -1,7 +1,10 @@
 ---
-require:
+plugins:
 - rubocop-performance
 - rubocop-rspec
+- rubocop-rspec_rails
+- rubocop-factory_bot
+- rubocop-capybara
 AllCops:
   NewCops: enable
   DisplayCopNames: true
@@ -32,6 +35,12 @@ Capybara/CurrentPathExpectation:
   Enabled: false
 Capybara/VisibilityMatcher:
   Enabled: false
+FactoryBot/AttributeDefinedStatically:
+  Enabled: false
+FactoryBot/CreateList:
+  Enabled: false
+FactoryBot/FactoryClassName:
+  Enabled: false
 Gemspec/DuplicatedAssignment:
   Enabled: false
 Gemspec/OrderedDependencies:
@@ -514,8 +523,6 @@ RSpec/BeEql:
   Enabled: false
 RSpec/BeforeAfterAll:
   Enabled: false
-RSpec/Capybara/FeatureMethods:
-  Enabled: false
 RSpec/ContainExactly:
   Enabled: false
 RSpec/ContextMethod:
@@ -530,6 +537,8 @@ RSpec/DescribeSymbol:
   Enabled: false
 RSpec/DescribedClass:
   Enabled: false
+RSpec/Dialect:
+  Enabled: false
 RSpec/EmptyExampleGroup:
   Enabled: false
 RSpec/EmptyHook:
@@ -558,12 +567,6 @@ RSpec/ExpectInHook:
   Enabled: false
 RSpec/ExpectOutput:
   Enabled: false
-RSpec/FactoryBot/AttributeDefinedStatically:
-  Enabled: false
-RSpec/FactoryBot/CreateList:
-  Enabled: false
-RSpec/FactoryBot/FactoryClassName:
-  Enabled: false
 RSpec/FilePath:
   Enabled: false
 RSpec/Focus:
@@ -1028,6 +1031,12 @@ Capybara/SpecificFinders:
   Enabled: false
 Capybara/SpecificMatcher:
   Enabled: false
+FactoryBot/ConsistentParenthesesStyle:
+  Enabled: false
+FactoryBot/FactoryNameStyle:
+  Enabled: false
+FactoryBot/SyntaxMethods:
+  Enabled: false
 Gemspec/DeprecatedAttributeAssignment:
   Enabled: false
 Gemspec/DevelopmentDependencies:
@@ -1152,28 +1161,12 @@ RSpec/DuplicatedMetadata:
   Enabled: false
 RSpec/ExcessiveDocstringSpacing:
   Enabled: false
-RSpec/FactoryBot/ConsistentParenthesesStyle:
-  Enabled: false
-RSpec/FactoryBot/FactoryNameStyle:
-  Enabled: false
-RSpec/FactoryBot/SyntaxMethods:
-  Enabled: false
 RSpec/IdenticalEqualityAssertion:
   Enabled: false
 RSpec/NoExpectationExample:
   Enabled: false
 RSpec/PendingWithoutReason:
   Enabled: false
-RSpec/Rails/AvoidSetupHook:
-  Enabled: false
-RSpec/Rails/HaveHttpStatus:
-  Enabled: false
-RSpec/Rails/InferredSpecType:
-  Enabled: false
-RSpec/Rails/MinitestAssertions:
-  Enabled: false
-RSpec/Rails/TravelAround:
-  Enabled: false
 RSpec/RedundantAround:
   Enabled: false
 RSpec/SkipBlockInsideExample:
@@ -1184,6 +1177,16 @@ RSpec/SubjectDeclaration:
   Enabled: false
 RSpec/VerifiedDoubleReference:
   Enabled: false
+RSpecRails/AvoidSetupHook:
+  Enabled: false
+RSpecRails/HaveHttpStatus:
+  Enabled: false
+RSpecRails/InferredSpecType:
+  Enabled: false
+RSpecRails/MinitestAssertions:
+  Enabled: false
+RSpecRails/TravelAround:
+  Enabled: false
 Security/CompoundHash:
   Enabled: false
 Security/IoMethods:
diff --git a/.sync.yml b/.sync.yml
index 53c46fd9..a72c1cfd 100644
--- a/.sync.yml
+++ b/.sync.yml
@@ -19,9 +19,9 @@ spec/spec_helper.rb:
 .github/workflows/auto_release.yml:
   unmanaged: false
 .github/workflows/ci.yml:
-  unmanaged: false
+  unmanaged: true
 .github/workflows/nightly.yml:
-  unmanaged: false
+  unmanaged: true
 .github/workflows/release.yml:
   unmanaged: false
 .travis.yml:
diff --git a/Gemfile b/Gemfile
index 95c2e90f..5409256f 100644
--- a/Gemfile
+++ b/Gemfile
@@ -38,6 +38,7 @@ end
 group :development do
   gem "json", '= 2.6.1',                         require: false if Gem::Requirement.create(['>= 3.1.0', '< 3.1.3']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
   gem "json", '= 2.6.3',                         require: false if Gem::Requirement.create(['>= 3.2.0', '< 4.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
+  gem "json", '= 2.18.0',                        require: false if Gem::Requirement.create(['>= 4.0.0', '< 5.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
   gem "racc", '~> 1.4.0',                        require: false if Gem::Requirement.create(['>= 2.7.0', '< 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
   gem "deep_merge", '~> 1.2.2',                  require: false
   gem "voxpupuli-puppet-lint-plugins", '~> 5.0', require: false
@@ -52,30 +53,35 @@ group :development do
   gem "pry", '~> 0.10',                          require: false
   gem "simplecov-console", '~> 0.9',             require: false
   gem "puppet-debugger", '~> 1.6',               require: false
-  gem "rubocop", '~> 1.50.0',                    require: false
-  gem "rubocop-performance", '= 1.16.0',         require: false
-  gem "rubocop-rspec", '= 2.19.0',               require: false
-  gem "rb-readline", '= 0.5.5',                  require: false, platforms: [:mswin, :mingw, :x64_mingw]
-  gem "bigdecimal", '< 3.2.2',                   require: false, platforms: [:mswin, :mingw, :x64_mingw]
+  gem "rubocop", '~> 1.73.0',                    require: false
+  gem "rubocop-performance", '~> 1.24.0',        require: false
+  gem "rubocop-rspec", '~> 3.5.0',               require: false
+  gem "rubocop-rspec_rails", '~> 2.31.0',        require: false
+  gem "rubocop-factory_bot", '~> 2.27.0',        require: false
+  gem "rubocop-capybara", '~> 2.22.0',           require: false
+  gem "rb-readline", '= 0.5.5',                  require: false, platforms: [:windows]
+  gem "bigdecimal", '< 3.2.2',                   require: false, platforms: [:windows]
   gem "ruby-pwsh",                               require: false
 end
 group :development, :release_prep do
-  gem "puppet-strings", '~> 4.0',         require: false
-  gem "puppetlabs_spec_helper", '~> 8.0', require: false
-  gem "puppet-blacksmith", '~> 7.0',      require: false
+  gem "puppet-strings", '~> 4.0',              require: false
+  gem "puppetlabs_spec_helper", '~> 8.0',      require: false
+  gem "puppet-blacksmith", '>= 7.0', '< 10.0', require: false
 end
 group :system_tests do
-  gem "puppet_litmus", '~> 2.0',   require: false, platforms: [:ruby, :x64_mingw] if !ENV['PUPPET_FORGE_TOKEN'].to_s.empty?
-  gem "puppet_litmus", '~> 1.0',   require: false, platforms: [:ruby, :x64_mingw] if ENV['PUPPET_FORGE_TOKEN'].to_s.empty?
-  gem "CFPropertyList", '< 3.0.7', require: false, platforms: [:mswin, :mingw, :x64_mingw]
+  gem "puppet_litmus", '~> 2.5',   require: false
+  gem "faraday", '~> 2.5',         require: false
+  gem "CFPropertyList", '< 3.0.7', require: false if RUBY_PLATFORM.include?('darwin')
   gem "serverspec", '~> 2.41',     require: false
 end
 
 gems = {}
+bolt_version = ENV.fetch('BOLT_GEM_VERSION', nil)
 puppet_version = ENV.fetch('PUPPET_GEM_VERSION', nil)
 facter_version = ENV.fetch('FACTER_GEM_VERSION', nil)
 hiera_version = ENV.fetch('HIERA_GEM_VERSION', nil)
 
+gems['bolt'] = location_for(bolt_version, nil, { source: gemsource_puppetcore })
 gems['puppet'] = location_for(puppet_version, nil, { source: gemsource_puppetcore })
 gems['facter'] = location_for(facter_version, nil, { source: gemsource_puppetcore })
 gems['hiera'] = location_for(hiera_version, nil, {}) if hiera_version
diff --git a/metadata.json b/metadata.json
index 23b35f1f..ea431f3d 100644
--- a/metadata.json
+++ b/metadata.json
@@ -74,7 +74,7 @@
       "version_requirement": ">= 8.0.0 < 9.0.0"
     }
   ],
-  "pdk-version": "3.5.0",
+  "pdk-version": "3.7.0",
   "template-url": "https://github.com/puppetlabs/pdk-templates.git#main",
-  "template-ref": "heads/main-0-g19976cd"
+  "template-ref": "heads/main-0-g6420755"
 }
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index ae7c1f68..2f7fdae3 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -26,7 +26,7 @@
 
   begin
     require 'deep_merge'
-    default_facts.deep_merge!(YAML.safe_load(File.read(f), permitted_classes: [], permitted_symbols: [], aliases: true))
+    default_facts.deep_merge!(YAML.safe_load_file(f, permitted_classes: [], permitted_symbols: [], aliases: true))
   rescue StandardError => e
     RSpec.configuration.reporter.message "WARNING: Unable to load #{f}: #{e}"
   end

From 38781c9b52a2e0e79e5cae230bb22c6f84702f18 Mon Sep 17 00:00:00 2001
From: Lukas Audzevicius <laudzevicius24@hotmail.com>
Date: Tue, 16 Jun 2026 15:28:56 +0100
Subject: [PATCH 2/2] Fix obsolete RSpec/FilePath cop in .rubocop.yml

rubocop-rspec 3.x split RSpec/FilePath into RSpec/SpecFilePathFormat
and RSpec/SpecFilePathSuffix; replace the old entry with both new cops
disabled to match the existing intent.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .rubocop.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.rubocop.yml b/.rubocop.yml
index 54f68340..bd1e28f4 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -567,7 +567,9 @@ RSpec/ExpectInHook:
   Enabled: false
 RSpec/ExpectOutput:
   Enabled: false
-RSpec/FilePath:
+RSpec/SpecFilePathFormat:
+  Enabled: false
+RSpec/SpecFilePathSuffix:
   Enabled: false
 RSpec/Focus:
   Enabled: false