DRAFT: Updates for St2 3.10

[nzlosh]

• Add support for Rocky10 and Ubuntu24.04 (Noble)
• Drop support for Rocky8 and Ubuntu20.04 (Focal)

[nzlosh]

Regenerated lockfile result

Lockfile diff: lockfiles/flake8.lock [flake8]
==                    Upgraded dependencies                     ==
  setuptools                     75.3.2       -->   75.3.4

Lockfile diff: lockfiles/black.lock [black]
==                    Upgraded dependencies                     ==
  tomli                          2.2.1        -->   2.4.0

Lockfile diff: lockfiles/pylint.lock [pylint]
==                    Upgraded dependencies                     ==
  setuptools                     75.3.2       -->   75.3.4
  tomli                          2.2.1        -->   2.4.0

Lockfile diff: lockfiles/st2.lock [st2]
==                    Upgraded dependencies                     ==
  apscheduler                    3.11.1       -->   3.11.2
  certifi                        2025.11.12   -->   2026.2.25
  charset-normalizer             3.4.4        -->   3.4.6
  gitpython                      3.1.45       -->   3.1.46
  httplib2                       0.31.0       -->   0.31.2
  icdiff                         2.0.7        -->   2.0.10
  mongoengine                    0.29.1       -->   0.29.3
  oslo-config                    9.6.0        -->   9.6.1
  packaging                      25.0         -->   26.0
  psutil                         7.1.3        -->   7.2.2
  pyasn1                         0.6.1        -->   0.6.3
  pytz                           2025.2       -->   2026.1.post1
  setuptools                     75.3.2       -->   75.3.4
  smmap                          5.0.2        -->   5.0.3
  sseclient-py                   1.8.0        -->   1.9.0
  st2-auth-ldap                  3.9.dev0     -->   3.10.dev0
  st2-rbac-backend               3.9.dev0     -->   3.10.dev0
  tomli                          2.3.0        -->   2.4.0
  tzdata                         2025.2       -->   2025.3
  wcwidth                        0.2.14       -->   0.6.0

Lockfile diff: lockfiles/bandit.lock [bandit]
==                    Upgraded dependencies                     ==
  gitpython                      3.1.45       -->   3.1.46
  pbr                            7.0.1        -->   7.0.3
  rich                           14.1.0       -->   14.3.3
  setuptools                     75.3.2       -->   75.3.4
  smmap                          5.0.2        -->   5.0.3

Lockfile diff: lockfiles/twine.lock [twine]
==                    Upgraded dependencies                     ==
  certifi                        2025.8.3     -->   2026.2.25
  charset-normalizer             3.4.3        -->   3.4.6
  idna                           3.10         -->   3.11
  nh3                            0.3.0        -->   0.3.3
  rich                           14.1.0       -->   14.3.3

Lockfile diff: lockfiles/pants-plugins.lock [pants-plugins]
==                    Upgraded dependencies                     ==
  attrs                          25.3.0       -->   25.4.0
  certifi                        2025.8.3     -->   2026.2.25
  charset-normalizer             3.4.3        -->   3.4.6
  idna                           3.10         -->   3.11
  iniconfig                      2.1.0        -->   2.3.0
  pyparsing                      3.2.5        -->   3.3.2
  tomli                          2.2.1        -->   2.4.0
  ujson                          5.11.0       -->   5.12.0
  urllib3                        2.5.0        -->   2.6.3

[nzlosh]

Comments below are from @skiedude PR to my branch:

This does not fix all unit test errors, but should fix all the jsonschema/openapi type errors.

Summary

Fixes Swagger 2.0 spec violations and test issues exposed by the openapi-spec-validator 0.5.7 → 0.7.2 upgrade

st2common/st2common/openapi.yaml and st2common/st2common/openapi.yaml.j2

Both files receive identical changes (.j2 is the Jinja2 template that generates the .yaml):

• AliasExecution.execution — Changed from invalid {type: object, properties: {$ref: '#/definitions/Execution/properties'}} to {$ref: '#/definitions/Execution'}. The old form used a $ref as a dict key inside properties, which
  is invalid in Swagger 2.0.
• ActionAlias.formats.items — Removed oneOf combinator (OpenAPI 3.0 only); replaced with items: {}.
• PolicyList response items — Removed accidental YAML list syntax (- $ref: ...) that made items an array instead of a schema object.
• auth-token-cookie security definition — Changed in: cookie (OpenAPI 3.0 only) to in: header with an x-in: cookie extension so the router can still extract the cookie token without breaking the spec.
• NotificationPropertySubSchema.routes and .channels items — Added x-nullable: true to allow None values that appear in real execution response data (surfaced by the AliasExecution.execution fix enabling proper response
  validation).
• Execution.action and Execution.runner — Changed from $ref: '#/definitions/Action' / $ref: '#/definitions/RunnerType' to type: object. Embedded action/runner data in an execution is a partial snapshot, not a full resource, so
  enforcing required fields from those definitions was wrong. Consistent with how rule, trigger, etc. are already type: object in Execution.

st2common/st2common/router.py

Updated the apiKey auth handler to read x-in before falling back to in, enabling in: header + x-in: cookie to work for cookie-based auth.

st2common/st2common/util/schema/__init__.py

In jsonschema ≥ 4.18 the referencing library resolves $ref: "http://json-schema.org/draft-04/schema#" to the official draft-04 meta-schema, which requires required to be an array. ST2's custom schemas use Draft 3-style boolean
required, which previously worked because the old RefResolver resolved that URI to custom.json (the CustomValidator meta-schema) instead. Fixed by building a referencing.Registry that maps the draft-04 URI back to custom.json
and passing it into every jsonschema.validate() call via kwargs.setdefault("registry", _LOCAL_SCHEMA_REGISTRY).

st2api/tests/unit/controllers/v1/test_rules.py

test_update_rule_no_data — Changed assertEqual on the exact required-property name to assertIn("is a required property", ...). The upgraded jsonschema's best_match() picks a different error depending on schema complexity.

st2common/tests/unit/test_util_output_schema.py

test_invalid_runner_schema — Changed assertEqual on the error string to assertIn. The new jsonschema version uses insertion-order for schema keys in error messages rather than alphabetical, breaking the hardcoded string match.

(Made with the help of claude code)