From 0b914d617e716c354d54b87b42f0ef3ce6b22b19 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Sun, 19 Oct 2025 09:00:02 -0500
Subject: [PATCH] ci: Optionally allow installing packages

Usually, we do not want the continuous enforcement jobs installing or
upgrading software packages.  Sometimes, though, we may want to use a
Jenkins job to roll out something new, so this new `ALLOW_INSTALL`
parameter will control whether or not Ansible tasks tagged with
`install` are skipped.
---
 vars/applyConfigPolicy.groovy | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/vars/applyConfigPolicy.groovy b/vars/applyConfigPolicy.groovy
index 3b05d34..6a6730b 100644
--- a/vars/applyConfigPolicy.groovy
+++ b/vars/applyConfigPolicy.groovy
@@ -4,6 +4,12 @@ import org.jenkinsci.plugins.pipeline.modeldefinition.Utils
 
 def call(rw_limit, stages) {
     properties([
+        parameters([
+            booleanParam([
+                description: 'Allow installing packages',
+                name: 'ALLOW_INSTALL',
+            ]),
+        ]),
         pipelineTriggers([cron('H H * * *')])
     ])
 
@@ -85,6 +91,10 @@ def stageRemountRW(limit) {
 }
 
 def generateStages(stages) {
+    def skip_tags = []
+    if (!params.ALLOW_INSTALL) {
+        skip_tags += 'install'
+    }
     stages.each { name, playbooks ->
         stage(name) {
             playbooks.each { playbook -> 
@@ -94,7 +104,7 @@ def generateStages(stages) {
                     credentialsId: 'jenkins-cfgmgmt',
                     vaultCredentialsId: 'ansible-vault',
                     extras: '--diff',
-                    skippedTags: 'install'
+                    skippedTags: skip_tags.join(',')
             }
         }
     }