fix(test): unblock cpu-usage and rpm-updates unit tests (#1071, #1072)

Both tests failed for environment reasons, not plugin regressions, and
blocked the full unit test suite on tox runs.

- cpu-usage: the regex `\d+\.\d+% -.* user:` assumed `user:` was always
  on the first output line, but when several CPU counters read `0.0%`
  the plugin's by-value sort is non-deterministic and `user:` can land
  on the second line. Relax to `(?s)\d+\.\d+%.*user:` so both layouts
  pass.
- rpm-updates: add a `--test` argument that replaces the three
  underlying `yum` calls (`list --upgrades`, `list --installed`,
  `updateinfo list --available`) with stdout fixtures. The unit test
  is now fixture-based, covers ok-no-updates / warn-pending /
  ok-pending-with-high-warn, and runs in ~0.2s instead of ~2 minutes.
  The test no longer depends on the RHEL8 test container's upstream
  mirror state (there was a pending `vim-minimal` upgrade in the
  container that made the assertion `No updates available` flip over
  time). The existing `containerfiles/` dir stays for a future
  testcontainers migration.
- tools/run-unit-tests: detect container-based tests by inspecting
  the `run` file for `podman` / `testcontainers` references instead
  of just checking for a `containerfiles/` dir. rpm-updates keeps its
  legacy containerfiles while its active `run` file is already
  fixture-based and fast.

Author: markuslf

CHANGELOG.md

@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 * `.github/workflows/docs.yml`: pin all GitHub Actions by commit SHA (with the version as a trailing comment) instead of by tag, clearing the four OpenSSF Scorecard `PinnedDependenciesID` alerts. Dependabot is already configured for `github-actions` and updates hash-pinned actions natively
 * axenita-stats: fix the version-number extraction slice `[8 : 8 + find('-') - 1]` that only worked for exactly 6-character versions like `14.0.8` and silently truncated any longer patch number. Use `split('-')[1]` instead, which handles `14.0.12`, `1.2.3`, and 2-digit majors correctly ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
+* cpu-usage: relax the unit test regex from `\d+\.\d+% -.* user:` to `(?s)\d+\.\d+%.*user:`. The old pattern assumed `user:` was always on the first output line, but when multiple CPU counters read `0.0%` the plugin's by-value sort is non-deterministic and `user:` can land on the second line. The new pattern accepts either layout ([#1071](https://github.com/Linuxfabrik/monitoring-plugins/issues/1071))
 * deb-updates: add missing `lib.txt` import so the "N update(s) available" summary no longer crashes with `AttributeError` at runtime
 * Fix `--require-hashes` pip install in pre-commit autoupdate workflow by using pinned version instead
 * fortios-network-io: make the "no warnings vs warnings present" branches structurally exclusive via an explicit `else:`. The old code relied on `lib.base.oao()` exiting to skip the follow-up call, which works but is fragile to read ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
@@ -31,9 +32,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * qts-temperatures: the `systemp` and `cputemp` perfdata entries had their `warn` / `crit` thresholds swapped (system perfdata used the CPU threshold fields and vice versa). The message text was already correct ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
 * redis-status, valkey-status: the `key_count` perfdata value used the loop variable `keys` (the last database's per-DB key count) instead of the accumulated `key_count` (total across all databases). The "with X keys" message text was already using `key_count` ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
 * rocketchat-stats: add missing `lib.txt` import so the user-count pluralization no longer crashes with `AttributeError` at runtime
+* rpm-updates: add a `--test` argument that replaces the three underlying `yum` calls with stdout fixtures (`<base>-upgrades`, `<base>-installed`, `<base>-updateinfo`). The unit test is now fixture-based, covers ok-no-updates / warn-pending / ok-pending-with-high-warn, and runs in ~0.2s instead of ~2 minutes. No longer depends on the RHEL8 test container's upstream-mirror state ([#1072](https://github.com/Linuxfabrik/monitoring-plugins/issues/1072))
 * sap-open-concur-com: `choices=services.append('All')` was effectively `choices=None` because `list.append()` returns `None`. The `--service` argument therefore accepted any value without validation. Use `choices=services + ['All']` to build a proper choices list ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
 * starface-java-memory-usage: the heap and non-heap state checks used `state += lib.base.get_worst(used_state, state)` which adds state integers together and corrupts the accumulated state (e.g. WARN+WARN=2 reads as CRIT, WARN+CRIT=3 is outside the valid range). Replaced with `state = lib.base.get_worst(state, used_state)` so the accumulated state remains a valid STATE_OK / STATE_WARN / STATE_CRIT value ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
 * tools/run-unit-tests: add `--no-container` and `--only-container` flags so container-backed unit tests (podman-driven integration suites that take minutes per plugin) can be filtered out of the fast default run. `tools/run-container-tests` is a thin wrapper around `--only-container` for the full integration sweep. `tox` now invokes `tools/run-unit-tests --no-container` so the multi-Python matrix actually completes instead of hanging / OOM-killing on the first container stage
+* tools/run-unit-tests: classify a plugin as container-based by inspecting its `run` file for `podman` / `testcontainers` references instead of just checking for a `containerfiles/` subdirectory. This lets a plugin keep its legacy containerfiles around for a future testcontainers migration while its active `run` file is already fixture-based and fast
 * tools/run-unit-tests: skip the `example` plugin in default runs. Its unit test is a template meant to be copy-pasted into new plugins and does not correspond to a real check. Explicit `python tools/run-unit-tests example` still runs it
 * tox.ini: disable the sdist build (`no_package = true`) so `tox` no longer trips over the flat top-level layout with "Multiple top-level packages discovered". The repo is a collection of plugin scripts, not a Python package
 * tuned-profile, crypto-policy: make the "expected vs actual" branches structurally exclusive via an explicit `else:`. The old code relied on `lib.base.oao()` exiting to skip the follow-up WARN call, which works but is fragile to read ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))

check-plugins/cpu-usage/unit-test/run

@@ -27,7 +27,7 @@ TESTS = [
             {
                 'run-where': 'container',  # vs. 'localhost'
                 'plugin-params': '',
-                'assert-regex': r'\d+\.\d+% -.* user:',
+                'assert-regex': r'(?s)\d+\.\d+%.*user:',
                 'assert-retc': 0,
             },
         ],
@@ -39,7 +39,7 @@ TESTS = [
             {
                 'run-where': 'container',
                 'plugin-params': '',
-                'assert-regex': r'\d+\.\d+% -.* user:',
+                'assert-regex': r'(?s)\d+\.\d+%.*user:',
                 'assert-retc': 0,
             },
         ],
@@ -51,7 +51,7 @@ TESTS = [
             {
                 'run-where': 'container',
                 'plugin-params': '',
-                'assert-regex': r'\d+\.\d+% -.* user:',
+                'assert-regex': r'(?s)\d+\.\d+%.*user:',
                 'assert-retc': 0,
             },
         ],
@@ -63,7 +63,7 @@ TESTS = [
             {
                 'run-where': 'container',
                 'plugin-params': '',
-                'assert-regex': r'\d+\.\d+% -.* user:',
+                'assert-regex': r'(?s)\d+\.\d+%.*user:',
                 'assert-retc': 0,
             },
         ],
@@ -75,7 +75,7 @@ TESTS = [
             {
                 'run-where': 'container',
                 'plugin-params': '',
-                'assert-regex': r'\d+\.\d+% -.* user:',
+                'assert-regex': r'(?s)\d+\.\d+%.*user:',
                 'assert-retc': 0,
             },
         ],
@@ -87,7 +87,7 @@ TESTS = [
             {
                 'run-where': 'container',
                 'plugin-params': '',
-                'assert-regex': r'\d+\.\d+% -.* user:',
+                'assert-regex': r'(?s)\d+\.\d+%.*user:',
                 'assert-retc': 0,
             },
         ],
@@ -99,7 +99,7 @@ TESTS = [
             {
                 'run-where': 'container',
                 'plugin-params': '',
-                'assert-regex': r'\d+\.\d+% -.* user:',
+                'assert-regex': r'(?s)\d+\.\d+%.*user:',
                 'assert-retc': 0,
             },
         ],
@@ -111,7 +111,7 @@ TESTS = [
             {
                 'run-where': 'container',
                 'plugin-params': '',
-                'assert-regex': r'\d+\.\d+% -.* user:',
+                'assert-regex': r'(?s)\d+\.\d+%.*user:',
                 'assert-retc': 0,
             },
         ],
@@ -123,7 +123,7 @@ TESTS = [
             {
                 'run-where': 'container',
                 'plugin-params': '',
-                'assert-regex': r'\d+\.\d+% -.* user:',
+                'assert-regex': r'(?s)\d+\.\d+%.*user:',
                 'assert-retc': 0,
             },
         ],
@@ -135,7 +135,7 @@ TESTS = [
             {
                 'run-where': 'container',
                 'plugin-params': '',
-                'assert-regex': r'\d+\.\d+% -.* user:',
+                'assert-regex': r'(?s)\d+\.\d+%.*user:',
                 'assert-retc': 0,
             },
         ],
@@ -147,7 +147,7 @@ TESTS = [
             {
                 'run-where': 'container',
                 'plugin-params': '',
-                'assert-regex': r'\d+\.\d+% -.* user:',
+                'assert-regex': r'(?s)\d+\.\d+%.*user:',
                 'assert-retc': 0,
             },
         ],

check-plugins/rpm-updates/rpm-updates

@@ -24,7 +24,7 @@ from lib.globals import STATE_OK, STATE_UNKNOWN
 
 
 __author__ = 'Linuxfabrik GmbH, Zurich/Switzerland'
-__version__ = '2025100601'
+__version__ = '2026041201'
 
 DESCRIPTION = """Checks for available RPM package updates on RHEL, CentOS, Fedora, and compatible
 systems. Reports the number and type of available advisories (bugfix, enhancement,
@@ -75,6 +75,13 @@ def parse_args():
         default=DEFAULT_QUERY,
     )
 
+    parser.add_argument(
+        '--test',
+        help=lib.args.help('--test'),
+        dest='TEST',
+        type=lib.args.csv,
+    )
+
     parser.add_argument(
         '--timeout',
         help=lib.args.help('--timeout') + ' Default: %(default)s (seconds)',
@@ -138,19 +145,29 @@ def get_updates(args):
     - Intended for use within a script or plugin’s `main()` function.
     """
     # get the list of updates (--assumeyes so command can import GPG keys)
-    yum_upgrades, stderr, retc = lib.base.coe(
-        lib.shell.shell_exec('yum list --assumeyes --upgrades', timeout=args.TIMEOUT),
-    )
+    if args.TEST is None:
+        yum_upgrades, stderr, retc = lib.base.coe(
+            lib.shell.shell_exec('yum list --assumeyes --upgrades', timeout=args.TIMEOUT),
+        )
+    else:
+        yum_upgrades, stderr, retc = lib.lftest.test(
+            [args.TEST[0] + '-upgrades', args.TEST[1], args.TEST[2]],
+        )
     if retc:
         lib.base.cu(f'`yum list --upgrades` returned with error {retc}: {stderr}')
     if not yum_upgrades:
         # no updates available
         lib.base.oao('No updates available.')
 
     # get the list of installed software
-    yum_installed, stderr, retc = lib.base.coe(
-        lib.shell.shell_exec('yum list --installed', timeout=args.TIMEOUT),
-    )
+    if args.TEST is None:
+        yum_installed, stderr, retc = lib.base.coe(
+            lib.shell.shell_exec('yum list --installed', timeout=args.TIMEOUT),
+        )
+    else:
+        yum_installed, stderr, retc = lib.lftest.test(
+            [args.TEST[0] + '-installed', args.TEST[1], args.TEST[2]],
+        )
     if retc or stderr:
         lib.base.cu(f'`yum list --installed` returned with error {retc}: {stderr}')
 
@@ -204,9 +221,14 @@ def get_updateinfo(args):
     #   Name               Type     Severity Package                             Issued
     #   FEDORA-2025-09f40d bugfix   Low      python3-boto3-1.38.23-1.fc42.noarch 2025-05-30 01:14:13
     #   FEDORA-2025-34e9b9 security Critical firefox-139.0-1.fc42.x86_64         2025-05-30 02:21:33
-    yum_info, stderr, retc = lib.base.coe(
-        lib.shell.shell_exec('yum updateinfo list --available', timeout=args.TIMEOUT),
-    )
+    if args.TEST is None:
+        yum_info, stderr, retc = lib.base.coe(
+            lib.shell.shell_exec('yum updateinfo list --available', timeout=args.TIMEOUT),
+        )
+    else:
+        yum_info, stderr, retc = lib.lftest.test(
+            [args.TEST[0] + '-updateinfo', args.TEST[1], args.TEST[2]],
+        )
     if retc:
         lib.base.cu(
             f'`yum updateinfo list --available` returned with error {retc}: {stderr}'