From 49cfc59d3ab584044a0caa85dbdc3f5df94a5e8d Mon Sep 17 00:00:00 2001
From: Matt Clay <matt@mystile.com>
Date: Mon, 26 Jan 2026 16:01:16 -0800
Subject: [PATCH] [stable-2.16] Fix direct S3 link in integration tests
 (#86464) (#86468)

Also add a sanity test to prevent similar issues in the future.

(cherry picked from commit b1bc1e2513f0fe28e9fbe7e71b88d9017ff6e535)
---
 test/integration/targets/dnf/vars/main.yml |  2 +-
 test/sanity/code-smell/no-s3.json          |  4 ++++
 test/sanity/code-smell/no-s3.py            | 27 ++++++++++++++++++++++
 3 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 test/sanity/code-smell/no-s3.json
 create mode 100644 test/sanity/code-smell/no-s3.py

diff --git a/test/integration/targets/dnf/vars/main.yml b/test/integration/targets/dnf/vars/main.yml
index 3f7b43a7121..90b68562178 100644
--- a/test/integration/targets/dnf/vars/main.yml
+++ b/test/integration/targets/dnf/vars/main.yml
@@ -3,4 +3,4 @@ dnf_log_files:
     - /var/log/dnf.rpm.log
     - /var/log/dnf.librepo.log
 
-skip_broken_repo_baseurl: "https://ansible-ci-files.s3.amazonaws.com/test/integration/targets/dnf/skip-broken/RPMS/"
+skip_broken_repo_baseurl: "https://ci-files.testing.ansible.com/test/integration/targets/dnf/skip-broken/RPMS/"
diff --git a/test/sanity/code-smell/no-s3.json b/test/sanity/code-smell/no-s3.json
new file mode 100644
index 00000000000..5648429eb04
--- /dev/null
+++ b/test/sanity/code-smell/no-s3.json
@@ -0,0 +1,4 @@
+{
+    "text": true,
+    "output": "path-line-column-message"
+}
diff --git a/test/sanity/code-smell/no-s3.py b/test/sanity/code-smell/no-s3.py
new file mode 100644
index 00000000000..388e7744340
--- /dev/null
+++ b/test/sanity/code-smell/no-s3.py
@@ -0,0 +1,27 @@
+"""
+Disallow direct linking to S3 buckets.
+S3 buckets should be accessed through a CloudFront distribution.
+"""
+
+from __future__ import annotations
+
+import re
+import sys
+
+
+def main():
+    """Main entry point."""
+    for path in sys.argv[1:] or sys.stdin.read().splitlines():
+        with open(path, 'rb') as path_fd:
+            for line, b_text in enumerate(path_fd.readlines()):
+                try:
+                    text = b_text.decode()
+                except UnicodeDecodeError:
+                    continue
+
+                if match := re.search(r'(http.*?s3\..*?amazonaws\.com)', text):
+                    print(f'{path}:{line + 1}:{match.start(1) + 1}: use a CloudFront distribution instead of an S3 bucket: {match.group(1)}')
+
+
+if __name__ == '__main__':
+    main()