From 3bf795f69f707fd2423c6286ad8b9e5a1fcf0612 Mon Sep 17 00:00:00 2001
From: "Ben D."
Date: Mon, 27 Apr 2026 19:12:29 -0700
Subject: [PATCH] Update roles/pfsense_upgrade/tasks/update_check.yml
---
roles/pfsense_upgrade/tasks/update_check.yml | 152 ++++++++++---------
1 file changed, 80 insertions(+), 72 deletions(-)
diff --git a/roles/pfsense_upgrade/tasks/update_check.yml b/roles/pfsense_upgrade/tasks/update_check.yml
index c607660..cbb5ce5 100644
--- a/roles/pfsense_upgrade/tasks/update_check.yml
+++ b/roles/pfsense_upgrade/tasks/update_check.yml
@@ -1,16 +1,38 @@ --- # roles/pfsense_upgrade/tasks/update_check.yml # Dynamic upgrade detection using pfSense repository system +# Works with tcsh default shell on pfSense # --------------------------------------------------------------------------- # 1. Detect available repositories and identify upgrade target # --------------------------------------------------------------------------- -- name: List available pfSense repositories +- name: Create temporary PHP script for repo detection ansible.builtin.raw: | - php -r 'require_once("/etc/inc/pkg-utils.inc"); $repos = pkg_list_repos(); $upgrade = ""; foreach($repos as $r) { if (!isset($r["default"])) { echo $r["name"] . "|" . $r["descr"]; break; } } echo $upgrade ?: "UP_TO_DATE";' + cat > /tmp/check_repo.php << 'PHPEOF' + /tmp/get_version.php << 'PHPEOF' + /tmp/get_repo.php << 'PHPEOF' + + ansible.builtn.debug: + msg: | DRY RUN — Upgrade to {{ upgrade_target_repo }} is available but perform_upgrade=false. Re-run with -e "perform_upgrade=true" to apply. when: - upgrade_available | bool - not (perform_upgrade | bool) - -# --------------------------------------------------------------------------- -# 5. 
Compare branches — detect if a newer stable branch exists upstream -# --------------------------------------------------------------------------- -- name: Determine if a newer major release branch is available + +- name: Display up-to-date message + ansible.builtin.debug: + msg: "System is up to date — no upgrade available" + when: not upgrade_available + +- name: Set facts for downstream tasks (compatibility with existing verify.yml) ansible.builtin.set_fact: - new_major_release_available: >- - {{ - upstream_fetch_ok | bool and - (upstream_major_minor | string) != (pfsense_major_minor | string) and - (upstream_major_minor.split('.')[0] | int > pfsense_major_minor.split('.')[0] | int) or - (upstream_major_minor.split('.')[0] | int == pfsense_major_minor.split('.')[0] | int and - upstream_major_minor.split('.')[1] | int > pfsense_major_minor.split('.')[1] | int) - }} - when: upstream_fetch_ok | bool - -- name: Default new_major_release_available when fetch failed - ansible.builtin.set_fact: - new_major_release_available: false - when: not (upstream_fetch_ok | bool) - -# --------------------------------------------------------------------------- -# 6. 
Print the full update status report -# --------------------------------------------------------------------------- -- name: Display update status report - ansible.builtin.debug: - msg: - - "============================================================" - - " Update Status: {{ inventory_hostname }}" - - "============================================================" - - " Current version : {{ pfsense_current_version }}" - - " Current branch : {{ pfsense_major_minor }}" - - "------------------------------------------------------------" - - " In-branch update : {{ 'YES — ' ~ upgrade_available_version if upgrade_available | bool else 'No — already up to date' }}" - - " Outdated pkgs : {{ pkg_outdated_count }} package(s) behind" - - "------------------------------------------------------------" - - " Upstream latest : {{ upstream_version if upstream_fetch_ok | bool else 'Could not reach upstream' }}" - - " Upstream branch : {{ upstream_major_minor if upstream_fetch_ok | bool else 'N/A' }}" - - " New branch avail : {{ 'YES — ' ~ upstream_version if new_major_release_available | bool else 'No' }}" - - "------------------------------------------------------------" - - " perform_upgrade : {{ perform_upgrade | bool }}" - - " allow_major_upg : {{ allow_major_upgrade | bool }}" - - "============================================================" - -- name: Warn if a new major release branch is available but not allowed - ansible.builtin.debug: - msg: > - WARNING: pfSense {{ upstream_version }} is available on branch {{ upstream_major_minor }}, - which is newer than your running branch {{ pfsense_major_minor }}. - To upgrade across branches, re-run with: -e "perform_upgrade=true allow_major_upgrade=true" - when: - - new_major_release_available | bool - - not (allow_major_upgrade | bool) - -- name: Warn if perform_upgrade is false but upgrades are available - ansible.builtin.debug: - msg: > - DRY RUN — upgrades are available but perform_upgrade=false. 
- Re-run with -e "perform_upgrade=true" to apply. - when: - - (upgrade_available | bool) or (pkg_outdated_count | int > 0) - - not (perform_upgrade | bool) \ No newline at end of file + upgrade_available_version: "{{ upgrade_target_repo | default('') }}" \ No newline at end of file
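Review bot: The added tasks write PHP scripts to fixed names in world-writable /tmp (`/tmp/check_repo.php`, `/tmp/get_version.php`, `/tmp/get_repo.php`) using `cat >`, which follows a pre-existing symlink and leaves a window between the write and the later run. Since these presumably execute as root on the firewall, create them with `mktemp` or under a root-only directory and remove them in the same task. The script bodies and the tasks that run them are not visible in this view, so whether cleanup already exists could not be checked. Separately, the dry-run task is spelled `ansible.builtn.debug`, which will not resolve to a module; it should be `ansible.builtin.debug`. The new `when: not upgrade_available` also drops the `| bool` cast that the neighbouring conditions use, so `when: not (upgrade_available | bool)` would keep them consistent.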