Fix __pub_resource_* key leakage into state functions and multifunction job targeting

- salt/state.py: add __pub_resource_targets, __pub_minion_is_target,
  __pub_resource_target, and __pub_resource_job to STATE_REQUISITE_KEYWORDS
  so they are treated as internal pub metadata and stripped before being
  passed to state module functions (e.g. git.present, ssh_known_hosts.present)
- salt/utils/minions.py: guard the _MERGE_RESOURCE_FUNS membership check
  with isinstance(fun, str) — multifunction jobs pass fun as a list which
  is not hashable, causing a TypeError swallowed by the broad except that
  returned an empty minion list and "No minions matched the target"
- tests: add test_check_minions_list_fun_still_augments covering the list
  fun case, and CI-TRACKING.md to record known failures and regression tests

Author: dwoz

salt/state.py

@@ -120,6 +120,10 @@
         "__pub_ret",
         "__pub_pid",
         "__pub_tgt_type",
+        "__pub_resource_targets",
+        "__pub_minion_is_target",
+        "__pub_resource_target",
+        "__pub_resource_job",
         "__prereq__",
         "__prerequiring__",
         "__umask__",

salt/utils/minions.py

@@ -1001,7 +1001,7 @@ def check_minions(
                 tgt_type == "glob"
                 and isinstance(expr, str)
                 and any(c in expr for c in ("*", "?", "["))
-                and fun not in _MERGE_RESOURCE_FUNS
+                and not (isinstance(fun, str) and fun in _MERGE_RESOURCE_FUNS)
             ):
                 _res["minions"] = self._augment_with_resources(_res["minions"])
             _res["ssh_minions"] = False

tests/pytests/unit/CI-TRACKING.md

@@ -0,0 +1,47 @@
+# CI Test Tracking
+
+Tests that must pass before merging. Run with:
+
+```
+source venv311/bin/activate
+python -m pytest <test> -v
+```
+
+## Tests We Own (new files)
+
+| Test file | What it covers |
+|---|---|
+| `tests/pytests/unit/utils/test_minions_resources.py` | Resource index, `check_minions` augmentation + merge-mode skip |
+| `tests/pytests/unit/test_minion_resources.py` | `_prefix_resource_state_key`, `_MERGE_RESOURCE_FUNS`, merge block branches |
+| `tests/pytests/unit/modules/test_sshresource_state.py` | `highstate()` empty-chunks return, `_exec_state_pkg` exception recovery |
+| `tests/pytests/unit/matchers/test_resource_matchers.py` | `T@` / `M@` compound matching |
+
+## Existing Tests We've Broken (fixed)
+
+| Test | Root cause | Fix |
+|---|---|---|
+| `tests/pytests/unit/states/test_saltutil.py::test_saltutil_sync_states_should_match_saltutil_module` | `sync_resources` added to module but not state | Added `sync_resources()` to `salt/states/saltutil.py` |
+| `tests/pytests/unit/client/test_netapi.py::test_run_log` | `netapi.py` changed `run()` to `asyncio.run()`, test used plain `Mock` | Changed mock to `AsyncMock` |
+| `tests/integration/minion/test_executor.py::ExecutorTest::test_executor_with_multijob` | Multifunction job passes `fun` as a list; `list not in frozenset` raises `TypeError`, caught by broad except → empty minion list | Guard with `isinstance(fun, str)` before set membership check |
+
+## Known CI Noise (not our fault)
+
+| Failure | Reason |
+|---|---|
+| Package upgrade tests (`test_salt_systemd_*_preservation`) | 502 downloading `salt-install-guide` release from GitHub — transient infra |
+| `test_tcp_client_invalid_cert_rejected` | Functional TCP SSL timeout — pre-existing flaky test |
+| `test_state.py::test_event` | `RuntimeError: There is no current event loop` — pre-existing flaky |
+
+## Quick Regression Run
+
+```bash
+source venv311/bin/activate
+python -m pytest \
+  tests/pytests/unit/utils/test_minions_resources.py \
+  tests/pytests/unit/test_minion_resources.py \
+  tests/pytests/unit/modules/test_sshresource_state.py \
+  tests/pytests/unit/matchers/test_resource_matchers.py \
+  tests/pytests/unit/states/test_saltutil.py::test_saltutil_sync_states_should_match_saltutil_module \
+  tests/pytests/unit/client/test_netapi.py::test_run_log \
+  -v
+```

tests/pytests/unit/utils/test_minions_resources.py

@@ -378,6 +378,23 @@ def test_check_minions_merge_fun_all_merge_funs_skip(ck_with_resources):
         assert "dummy-01" not in result["minions"], f"augmented for {fun}"
 
 
+def test_check_minions_list_fun_still_augments(ck_with_resources):
+    """
+    A multifunction job passes fun as a list.  A list is not hashable and must
+    not cause a TypeError — augmentation must proceed normally.
+    """
+    with patch.object(
+        ck_with_resources,
+        "_check_glob_minions",
+        return_value={"minions": ["minion"], "missing": []},
+    ):
+        result = ck_with_resources.check_minions(
+            "*", tgt_type="glob", fun=["test.arg", "test.arg"]
+        )
+    assert "dummy-01" in result["minions"]
+    assert "minion" in result["minions"]
+
+
 def test_check_minions_non_merge_fun_still_augments(ck_with_resources):
     """
     A non-merge function such as test.ping with a wildcard glob must still