When someone is manually building collections, *any files* in the repository directory that are *not* explicitly excluded via the ``build_ignore`` list in the ``galaxy.yml`` file will be included in the ``.tar.gz`` file which may include the user's Ansible Galaxy API key, any secrets in ``ansible`` or ``ansible-playbook`` verbose output without ``no_log`` redaction, or any other secrets that a developer unknowingly places in the repository directory while developing and testing the collection. Once published, anyone who downloads or installs the collection will possess the secrets.
Analysis is complete for Ansible components and found to be a valid security bug. Required trackers have been created.
Created ansible tracking bugs for this issue:
Affects: epel-all [bug 2022836]
Affects: fedora-all [bug 2022835]
Affects: openstack-rdo [bug 2022837]