Upgrade molecule scenario uses safe-upgrade instead of dist-upgrade

[emkll]

Description

Molecule upgrade logic uses safe-upgrade [1,3], whereas cron-apt logic on staging/prod instances uses a dist-upgrade[2] .
This was uncovered during the review of #4634, where the securedrop-app-code package would not upgrade using the make upgrade test-local target, and requires manually running the cron-apt command.

[1]

securedrop/molecule/upgrade/side_effect.yml

Line 9 in 20cbd52

upgrade: yes

[2]

securedrop/install_files/ansible-base/roles/common/files/5-security

Line 2 in 20cbd52

dist-upgrade -y -o APT::Get::Show-Upgraded=true -o Dir::Etc::SourceList=/etc/apt/security.list -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold

[3] https://docs.ansible.com/ansible/latest/modules/apt_module.html

Steps to Reproduce

Expected Behavior

Upgrade scenario should upgrade packages in the same way the cron-apt logic is.

Actual Behavior

Upgrade scenario uses safe-upgrade instead of dist-upgrade

Comments

Suggestions to fix, any other relevant information.

[conorsch]

Replacing the apt upgrade call with a command for cron-apt -i -s should resolve. I, too, have been running that command manually in the upgrade scenario—would be great to update the logic so it automatically does the right thing.