chef 19.2.12 → 19.3.14

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a348124039267c43844767273ea5e8727b35d92b641fc3e6690885947277b543
-  data.tar.gz: f85cdbe7468884cd9c80d2775a8e30ead5c2102b451bcd1d778e13b2090ceae0
+  metadata.gz: ed0f7eae7503218a435d2f704ded8090f173948c680b567931912640b7eee49d
+  data.tar.gz: 50246c34f0fd8e7a121a3e321133ddf837773f1a8709ef8d8bc0c2458f281d2d
 SHA512:
-  metadata.gz: 523e235dfa63d0f7ba8de9aee74606e13e9795e04ce18893c11298a1b1c2d08d23c03f7e8f3c0c30e297330740abaab6a74fac58b1d0338dec1f8abacecebedd
-  data.tar.gz: f7eb3b68c618206e5ba488e7eeca347f316e2e5098338eeaebeb06e37b4a37291190a5b98170006daf000f48c21c17aa4ed3c961bd478c6910d9f2de3e73534f
+  metadata.gz: f86eb78537de28cbe45c8a2b072486339c402d6e3a485faab22adf4324c5e3c55f8e353af7ef115f5975e04a2645db7911efa9746045c40cdffdcac5527c33b7
+  data.tar.gz: 63dfa9792e78efecefd529689becf43555d981a6e1ec2b961b7f12340ef92e2d0e30104c4dcb01fa6e967f79bd629f2c465e74b0a037aee95376226a5983d9eb

data/Gemfile

@@ -10,11 +10,7 @@ gem "cheffish", git: "https://github.com/chef/cheffish.git", branch: "main"
 # Using our fork until they accept it.
 gem "rest-client", git: "https://github.com/chef/rest-client", branch: "jfm/ucrt_update1"
 
-if RUBY_PLATFORM.include?("mingw") || RUBY_PLATFORM.include?("darwin")
-  gem "ffi", ">= 1.15.5", "< 1.18.0"
-else
-  gem "ffi", ">= 1.15.5", force_ruby_platform: true
-end
+gem "ffi", ">= 1.15.5", force_ruby_platform: true
 
 gem "chef-utils", path: File.expand_path("chef-utils", __dir__) if File.exist?(File.expand_path("chef-utils", __dir__))
 gem "chef-config", path: File.expand_path("chef-config", __dir__) if File.exist?(File.expand_path("chef-config", __dir__))
@@ -28,23 +24,23 @@ if File.exist?(File.expand_path("chef-bin", __dir__))
   # bundling in a git checkout
   gem "chef-bin", path: File.expand_path("chef-bin", __dir__)
 else
-  # bundling in omnibus
+  # bundling in packaging
   gem "chef-bin" # rubocop:disable Bundler/DuplicatedGem
 end
 
-group(:omnibus_package) do
+group(:packaging) do
   gem "appbundler"
   gem "rb-readline"
   gem "inspec-core-bin", "= 7.0.107" # need to provide the binaries for inspec
   gem "chef-vault"
 end
 
-gem "repl_type_completor", "~> 0.1.12" # deprecation warnings in chef-shell
+gem "repl_type_completor", "~> 0.1.15" # deprecation warnings in chef-shell
 
-group(:omnibus_package, :pry) do
+group(:packaging, :pry) do
   # Locked because pry-byebug is broken with 13+.
   # some work is ongoing? https://github.com/deivid-rodriguez/pry-byebug/issues/343
-  gem "pry", "~> 0.15.2"
+  gem "pry", "~> 0.16.0"
   # byebug does not install on freebsd on ruby 3.0
   install_if -> { !RUBY_PLATFORM.match?(/freebsd/i) } do
     gem "pry-byebug"
@@ -59,11 +55,6 @@ group(:ruby_shadow) do
   end
 end
 
-# deps that cannot be put in the knife gem because they require a compiler and fail on windows nodes
-group(:knife_windows_deps) do
-  gem "ed25519", "~> 1.2" # ed25519 ssh key support
-end
-
 group(:development, :test) do
   gem "rake", ">= 12.3.3"
   gem "rspec"
@@ -76,4 +67,8 @@ instance_eval(ENV["GEMFILE_MOD"]) if ENV["GEMFILE_MOD"]
 
 # If you want to load debugging tools into the bundle exec sandbox,
 # add these additional dependencies into Gemfile.local
-eval_gemfile("./Gemfile.local") if File.exist?("./Gemfile.local")
+#
+# But doing eval_gemfile("./Gemfile.local") breaks dependabot, so a
+# bit of indirection here
+local_gemfile = File.join(__dir__, "Gemfile.local")
+eval(File.read(local_gemfile)) if File.exist?(local_gemfile)

data/README.md

@@ -1,8 +1,13 @@
 # Chef Infra
-[![Code Climate](https://codeclimate.com/github/chef/chef.svg)](https://codeclimate.com/github/chef/chef)
+
 [![Build Status](https://badge.buildkite.com/c82093430ceec7d27af05febb9dcafe3aa331fff9d74c0ab9d.svg?branch=main)](https://buildkite.com/chef-oss/chef-chef-main-verify)
+[![lint](https://github.com/chef/chef/actions/workflows/lint.yml/badge.svg)](https://github.com/chef/chef/actions/workflows/lint.yml)
+[![kitchen](https://github.com/chef/chef/actions/workflows/kitchen.yml/badge.svg)](https://github.com/chef/chef/actions/workflows/kitchen.yml)
+[![unit_specs](https://github.com/chef/chef/actions/workflows/unit_specs.yml/badge.svg)](https://github.com/chef/chef/actions/workflows/unit_specs.yml)
+[![func_spec](https://github.com/chef/chef/actions/workflows/func_spec.yml/badge.svg)](https://github.com/chef/chef/actions/workflows/func_spec.yml)
 [![Gem Version](https://badge.fury.io/rb/chef.svg)](https://badge.fury.io/rb/chef)
 [![](https://img.shields.io/badge/Release%20Policy-Cadence%20Release-brightgreen.svg)](https://github.com/chef/chef/blob/main/docs/dev/design_documents/client_release_cadence.md)
+[![Dependabot Updates](https://github.com/chef/chef/actions/workflows/dependabot/dependabot-updates/badge.svg)](https://github.com/chef/chef/actions/workflows/dependabot/dependabot-updates)
 
 **Umbrella Project**: [Chef Infra](https://github.com/chef/chef-oss-practices/blob/main/projects/chef-infra.md)
 

data/Rakefile

@@ -25,6 +25,7 @@ begin
   require_relative "tasks/dependencies"
   require_relative "tasks/docs"
   require_relative "tasks/spellcheck"
+  require_relative "tasks/target_mode"
   require_relative "chef-utils/lib/chef-utils/dist" unless defined?(ChefUtils::Dist)
 rescue LoadError => e
   puts "Skipping missing rake dep: #{e}"

data/chef-universal-mingw-ucrt.gemspec

@@ -1,4 +1,11 @@
-gemspec = instance_eval(File.read(File.expand_path("chef.gemspec", __dir__)))
+# rubocop:disable Chef/Ruby/GemspecLicense
+# License is in the included gemspec.
+gemspec = Gem::Specification.load(File.expand_path("chef.gemspec", __dir__))
+
+# In situations like Dependabot, the above returns nil, so create an empty
+# gemspec so that the rest of this file doesn't error out trying to call
+# methods on nil
+gemspec = Gem::Specification.new unless gemspec
 
 gemspec.platform = Gem::Platform.new(%w{universal mingw-ucrt})
 
@@ -6,7 +13,7 @@ gemspec.add_dependency "win32-api", "~> 1.10.0"
 gemspec.add_dependency "win32-event", "~> 0.6.1"
 # TODO: Relax this pin and make the necessary updaets. The issue originally
 # leading to this pin has been fixed in 0.6.5.
-gemspec.add_dependency "win32-eventlog", "0.6.3"
+gemspec.add_dependency "win32-eventlog", "0.6.7"
 gemspec.add_dependency "win32-mmap", "~> 0.4.1"
 gemspec.add_dependency "win32-mutex", "~> 0.4.2"
 gemspec.add_dependency "win32-process", "~> 0.9"

data/chef.gemspec

@@ -10,8 +10,17 @@ if File.exist?(vs_path)
   $: << File.join(file_directory, "chef-utils", "lib")
 end
 # if the path doesn't exist then we're just in the wild gem and not in the git repo
-require "chef-utils/version_string"
-require "chef/version"
+begin
+  require "chef-utils/version_string"
+  require "chef/version"
+rescue LoadError
+  # lib/ is not available in all contexts (e.g. Dependabot security scans
+  # fetch only gemspec files, not the full repo). Provide a stub so the
+  # gemspec can still be evaluated to inspect its dependencies.
+  module Chef
+    VERSION = "0.0.0".freeze
+  end
+end
 
 Gem::Specification.new do |s|
   s.name = "chef"
@@ -25,10 +34,11 @@ Gem::Specification.new do |s|
   s.email = "adam@chef.io"
   s.homepage = "https://www.chef.io"
 
+  # help dependabot by specifying a default. If the default is in
+  # the 'else', dependabot misses it and falls back to a very old ruby
+  s.required_ruby_version = ">= 3.1.0"
   if RUBY_PLATFORM =~ /aix/
     s.required_ruby_version = ">= 3.0.3"
-  else
-    s.required_ruby_version = ">= 3.1.0"
   end
 
   s.add_dependency "chef-config", "= #{Chef::VERSION}"
@@ -41,13 +51,13 @@ Gem::Specification.new do |s|
   s.add_dependency "mixlib-cli", ">= 2.1.1", "< 3.0"
   s.add_dependency "mixlib-log", ">= 2.0.3", "< 4.0"
   s.add_dependency "mixlib-authentication", ">= 2.1", "< 4"
-  s.add_dependency "mixlib-shellout", "~> 3.3.8"
+  s.add_dependency "mixlib-shellout", ">= 3.3.8", "< 3.5.0"
   s.add_dependency "mixlib-archive", ">= 0.4", "< 2.0"
   s.add_dependency "ohai", "~> 19.0"
   s.add_dependency "inspec-core", "~> 7.0.107"
 
   s.add_dependency "ffi", ">= 1.15.5", "< 1.18.0"
-  s.add_dependency "ffi-yajl", "~> 2.2"
+  s.add_dependency "ffi-yajl", ">= 2.2", "< 4.0"
   s.add_dependency "net-sftp", ">= 2.1.2", "< 5.0" # remote_file resource
   s.add_dependency "net-ftp" # remote_file resource
   s.add_dependency "ed25519", "~> 1.2" # ssh-ed25519 support for target mode
@@ -65,14 +75,14 @@ Gem::Specification.new do |s|
   s.add_dependency "csv", "~> 3.3.5" # really needs to come from inspec?
   s.add_dependency "syslog-logger", "~> 1.6"
   s.add_dependency "unf_ext", "~> 0.0.9.1" # older platforms
-  s.add_dependency "uri", "~> 1.0.4" # CVE-2025-61594 fixed in >= 1.0.4
+  s.add_dependency "uri", ">= 1.0.4", "< 1.2.0" # CVE-2025-61594 fixed in >= 1.0.4
   s.add_dependency "corefoundation", "~> 0.3.4" # macos_userdefaults resource
 
   s.add_dependency "proxifier2", "~> 1.1"
 
   s.add_dependency "aws-sdk-s3", "~> 1.91" # s3 recipe-url support
   s.add_dependency "aws-sdk-secretsmanager", "~> 1.46"
-  s.add_dependency "vault", "~> 0.18.2" # hashi vault official client gem
+  s.add_dependency "vault", ">= 0.18.2", "< 0.21.0" # hashi vault official client gem
   s.add_dependency "chef-licensing", "~> 1.3"
 
   s.bindir = "bin"

data/lib/chef/application/client.rb

@@ -127,8 +127,14 @@ class Chef::Application::Client < Chef::Application::Base
         train_config = Train.unpack_target_from_uri(Chef::Config.target_mode.host)
         Chef::Config.target_mode = train_config
       end
+      # Save the operator's identity BEFORE enabling target mode.
+      # client_key must be captured here because its default path changes once
+      # target_mode.enabled = true (it would resolve to /etc/chef/<target>/client.pem
+      # instead of the workstation's /etc/chef/client.pem).
+      Chef::Config[:api_client_name] ||= Chef::Config[:node_name]
+      Chef::Config[:api_client_key]  ||= Chef::Config[:client_key]
       Chef::Config.target_mode.enabled = true
-      Chef::Config.node_name = Chef::Config.target_mode.host unless Chef::Config.node_name
+      Chef::Config.node_name = Chef::Config.target_mode.host
     end
 
     if config[:credentials]

data/lib/chef/chef_fs/file_system/chef_server/cookbook_dir.rb

@@ -91,7 +91,7 @@ class Chef
                     end
                   end
                   # Create the file itself
-                  container.add_child(CookbookFile.new(parts[parts.length - 1], container, file))
+                  container.add_child(CookbookFile.new(parts[-1], container, file))
                 end
               end
               @children = @children.sort_by(&:name)

data/lib/chef/client.rb

@@ -385,8 +385,8 @@ class Chef
     #
     # @api private
     def rest
-      @rest ||= Chef::ServerAPI.new(Chef::Config[:chef_server_url], client_name: node_name,
-                                    signing_key_filename: Chef::Config[:client_key])
+      @rest ||= Chef::ServerAPI.new(Chef::Config[:chef_server_url], client_name: api_client_name,
+                                    signing_key_filename: api_client_key)
     end
 
     # A rest object with validate_utf8 set to false.  This will not throw exceptions
@@ -397,8 +397,26 @@ class Chef
     # @api private
     def rest_clean
       @rest_clean ||=
-        Chef::ServerAPI.new(Chef::Config[:chef_server_url], client_name: node_name,
-                            signing_key_filename: Chef::Config[:client_key], validate_utf8: false)
+        Chef::ServerAPI.new(Chef::Config[:chef_server_url], client_name: api_client_name,
+                            signing_key_filename: api_client_key, validate_utf8: false)
+    end
+
+    # Returns the client name to use for Chef Server API auth. In target mode the
+    # operator's original identity is stored in api_client_name so that API calls
+    # authenticate as the workstation client rather than as the target node.
+    #
+    # @api private
+    def api_client_name
+      Chef::Config[:api_client_name] || node_name
+    end
+
+    # Returns the signing key path to use for Chef Server API auth. In target mode
+    # the operator's original key is stored in api_client_key so that API calls
+    # use the workstation key rather than the target node's key.
+    #
+    # @api private
+    def api_client_key
+      Chef::Config[:api_client_key] || Chef::Config[:client_key]
     end
 
     #

data/lib/chef/compliance/runner.rb

@@ -77,14 +77,32 @@ class Chef
         logger.debug("#{self.class}##{__method__}: enabling Compliance Phase")
 
         report_with_interval
+        @compliance_phase_completed = true
       end
 
-      def run_failed(_exception, _run_status)
+      def run_failed(exception, _run_status)
         # If the run has failed because our own validation of compliance
         # phase configuration has failed, we don't want to submit a report
         # because we're still not configured correctly.
         return unless enabled? && @validation_passed
 
+        # A reboot exception is not a real failure — it is an expected outcome
+        # when a reboot resource fires :reboot_now.  In that case run_completed
+        # has already executed the Compliance Phase, so running it again here
+        # would produce a duplicate scan (and the second scan may be killed by
+        # the pending reboot).
+        if exception.is_a?(Chef::Exceptions::Reboot)
+          logger.debug("#{self.class}##{__method__}: skipping Compliance Phase because a reboot was requested")
+          return
+        end
+
+        # Guard against any other code path that might trigger both run_completed
+        # and run_failed in the same client run.
+        if @compliance_phase_completed
+          logger.debug("#{self.class}##{__method__}: skipping Compliance Phase because it has already run in this client run")
+          return
+        end
+
         logger.debug("#{self.class}##{__method__}: enabling Compliance Phase")
 
         report_with_interval

data/lib/chef/cookbook/gem_installer.rb

@@ -32,7 +32,7 @@ class Chef
         @events = events
       end
 
-      # Installs the gems into the omnibus gemset.
+      # Installs the gems into the gemset.
       #
       def install
         cookbook_gems = Hash.new { |h, k| h[k] = [] }

data/lib/chef/cookbook_uploader.rb

@@ -130,7 +130,7 @@ class Chef
         rescue Net::HTTPClientException, Net::HTTPFatalError, Errno::ECONNREFUSED, Timeout::Error, Errno::ETIMEDOUT, SocketError => e
           error_message = "Failed to upload #{file} (#{checksum}) to #{url} : #{e.message}"
           error_message << "\n#{e.response.body}" if e.respond_to?(:response)
-          Chef::Knife.ui.error(error_message)
+          Chef::Log.error(error_message)
           raise
         end
       end

data/lib/chef/dsl/rest_resource.rb

@@ -24,6 +24,14 @@ class Chef
     # when a custom resource uses the 'core::rest_resource' partial.
     #
     module RestResource
+      private
+
+      def inherited_accessor(name)
+        superclass.public_send(name) if superclass.respond_to?(name)
+      end
+
+      public
+
       # Define property mapping between resource properties and JSON API fields
       #
       # Maps resource properties to their corresponding locations in the JSON
@@ -56,12 +64,12 @@ class Chef
       # @see #json_to_property Method that uses this mapping to extract values
       # @see #property_to_json Method that uses this mapping to create JSON
       def rest_property_map(rest_property_map = NOT_PASSED)
-        if rest_property_map != NOT_PASSED
+        unless rest_property_map.equal?(NOT_PASSED)
           rest_property_map = rest_property_map.to_h { |k| [k.to_sym, k] } if rest_property_map.is_a? Array
 
           @rest_property_map = rest_property_map
         end
-        @rest_property_map
+        @rest_property_map || inherited_accessor(:rest_property_map)
       end
 
       # Define the REST API collection URL
@@ -83,13 +91,13 @@ class Chef
       #   # GET  /api/v1/users      # List all users
       #   # POST /api/v1/users      # Create new user
       def rest_api_collection(rest_api_collection = NOT_PASSED)
-        if rest_api_collection != NOT_PASSED
+        unless rest_api_collection.equal?(NOT_PASSED)
           raise ArgumentError, "You must pass an absolute path to rest_api_collection" unless rest_api_collection.start_with? "/"
 
           @rest_api_collection = rest_api_collection
         end
 
-        @rest_api_collection
+        @rest_api_collection || inherited_accessor(:rest_api_collection)
       end
 
       # Define the REST API document URL with RFC 6570 template support
@@ -131,13 +139,15 @@ class Chef
       #
       # @see https://tools.ietf.org/html/rfc6570 RFC 6570 URI Template specification
       def rest_api_document(rest_api_document = NOT_PASSED, first_element_only: false)
-        if rest_api_document != NOT_PASSED
+        unless rest_api_document.equal?(NOT_PASSED)
           raise ArgumentError, "You must pass an absolute path to rest_api_document" unless rest_api_document.start_with? "/"
 
           @rest_api_document = rest_api_document
           @rest_api_document_first_element_only = first_element_only
         end
-        @rest_api_document
+        @rest_api_document ||
+          inherited_accessor(:rest_api_document) ||
+          (rest_api_collection && rest_identity_property ? "#{rest_api_collection}/{#{rest_identity_property}}" : nil)
       end
 
       # Define explicit identity mapping for resource identification
@@ -177,8 +187,8 @@ class Chef
       #     'organization.id' => :org_id
       #   })
       def rest_identity_map(rest_identity_map = NOT_PASSED)
-        @rest_identity_map = rest_identity_map if rest_identity_map != NOT_PASSED
-        @rest_identity_map
+        @rest_identity_map = rest_identity_map unless rest_identity_map.equal?(NOT_PASSED)
+        @rest_identity_map || inherited_accessor(:rest_identity_map)
       end
 
       # Declare properties that should only be sent during resource creation
@@ -219,17 +229,58 @@ class Chef
       #   # Initialization parameters
       #   rest_post_only_properties [:template_id, :source_snapshot]
       def rest_post_only_properties(rest_post_only_properties = NOT_PASSED)
-        if rest_post_only_properties != NOT_PASSED
+        unless rest_post_only_properties.equal?(NOT_PASSED)
           @rest_post_only_properties = Array(rest_post_only_properties).map(&:to_sym)
         end
-        @rest_post_only_properties || []
+        @rest_post_only_properties || inherited_accessor(:rest_post_only_properties) || []
       end
 
       def rest_api_document_first_element_only(rest_api_document_first_element_only = NOT_PASSED)
-        if rest_api_document_first_element_only != NOT_PASSED
+        unless rest_api_document_first_element_only.equal?(NOT_PASSED)
           @rest_api_document_first_element_only = rest_api_document_first_element_only
         end
-        @rest_api_document_first_element_only
+        @rest_api_document_first_element_only || inherited_accessor(:rest_api_document_first_element_only)
+      end
+
+      # Define the base URL for the REST API
+      #
+      # Sets the base endpoint URL that is prepended to all collection and document
+      # URLs. This allows resource definitions to be self-contained without requiring
+      # the Train transport endpoint to be pre-configured.
+      #
+      # @param rest_api_endpoint [String, NOT_PASSED] The base URL of the REST API
+      #   - NOT_PASSED: Acts as getter, returns current endpoint URL
+      #
+      # @return [String, nil] The current endpoint URL
+      #
+      # @example
+      #   rest_api_endpoint "https://api.example.com"
+      #   rest_api_collection "/api/v1/users"
+      #   # GET https://api.example.com/api/v1/users
+      def rest_api_endpoint(rest_api_endpoint = NOT_PASSED)
+        @rest_api_endpoint = rest_api_endpoint unless rest_api_endpoint.equal?(NOT_PASSED)
+        @rest_api_endpoint || inherited_accessor(:rest_api_endpoint)
+      end
+
+      # Declare the property that uniquely identifies a resource in the REST API
+      #
+      # Sets the identity property for the resource and auto-generates the document
+      # URL as "#{rest_api_collection}/{property}" when no explicit rest_api_document
+      # is provided. This is a convenience alternative to setting rest_api_document
+      # manually.
+      #
+      # @param property [Symbol, NOT_PASSED] The property name used as the resource identifier
+      #   - NOT_PASSED: Acts as getter, returns current identity property
+      #
+      # @return [Symbol, nil] The current identity property name
+      #
+      # @example
+      #   rest_api_collection "/api/v1/users"
+      #   rest_identity_property :username
+      #   # Auto-generates rest_api_document as "/api/v1/users/{username}"
+      def rest_identity_property(property = NOT_PASSED)
+        @rest_identity_property = property unless property.equal?(NOT_PASSED)
+        @rest_identity_property || inherited_accessor(:rest_identity_property)
       end
 
     end

data/lib/chef/file_access_control/windows.rb

@@ -33,6 +33,12 @@ class Chef
       module ClassMethods
         # We want to mix these in as class methods
         def writable?(path)
+          # In target mode the path refers to the remote filesystem.  Delegate
+          # to TargetIO so the check runs on the remote host via SSH rather than
+          # against the local Windows filesystem (where Linux paths like /tmp do
+          # not exist and ::File.exist? always returns false).
+          return ::TargetIO::File.writable?(path) if Chef::Config.target_mode?
+
           ::File.exist?(path) && Chef::ReservedNames::Win32::File.file_access_check(
             path, Chef::ReservedNames::Win32::API::Security::FILE_GENERIC_WRITE
           )

data/lib/chef/file_access_control.rb

@@ -26,11 +26,13 @@ class Chef
   # the values specified by a value object, usually a Chef::Resource.
   class FileAccessControl
 
+    require_relative "file_access_control/unix"
+
     if RUBY_PLATFORM.match?(/mswin|mingw|windows/)
       require_relative "file_access_control/windows"
+
       include FileAccessControl::Windows
     else
-      require_relative "file_access_control/unix"
       include FileAccessControl::Unix
     end
 
@@ -55,6 +57,15 @@ class Chef
       @current_resource, @resource, @provider = current_resource, new_resource, provider
       @file = @current_resource.path
       @modified = false
+
+      # When running on Windows in target mode the remote host is a Unix
+      # system managed via SSH.  Extend this instance with the Unix access
+      # control module so that permissions are applied via TargetIO
+      # (chmod/chown over SSH) rather than Win32 security APIs against a
+      # path that does not exist on the local Windows filesystem.
+      if RUBY_PLATFORM.match?(/mswin|mingw|windows/) && ChefConfig::Config.target_mode?
+        extend FileAccessControl::Unix
+      end
     end
 
     def modified?

data/lib/chef/handler/slow_report.rb

@@ -30,13 +30,13 @@ class Chef
 
       def report
         if count == 0
-          puts "\nNo resources to profile\n\n"
+          Chef::Log.info("No resources to profile")
           return
         end
 
         top = all_records.sort_by(&:elapsed_time).last(amount).reverse
         data = top.map { |r| [ r.new_resource.to_s, r.elapsed_time, r.action, r.new_resource.cookbook_name, r.new_resource.recipe_name, stripped_source_line(r.new_resource) ] }
-        puts "\nTop #{count} slowest #{count == 1 ? "resource" : "resources"}:\n\n"
+        Chef::Log.info("Top #{count} slowest #{count == 1 ? "resource" : "resources"}:")
         table = TTY::Table.new(%w{resource elapsed_time action cookbook recipe source}, data)
         rendered = table.render do |renderer|
           renderer.border do
@@ -44,8 +44,7 @@ class Chef
             mid_mid      " "
           end
         end
-        puts rendered
-        puts "\n"
+        Chef::Log.info(rendered)
       end
 
       def all_records

data/lib/chef/licensing.rb

@@ -9,12 +9,10 @@ class Chef
     class << self
       def fetch_and_persist
         Chef::Log.info "Fetching and persisting license..."
-        # This is a temporary arrangement to continue end-to-end recipe testing of Chef.
-        # Windows, Mac, Linux VMs on vagrant will be tested using legacy test-kitchen
-        # whereas Linux docker containers will be tested using chef-test-kitchen-enterprise (habitat)
-        # Reason: chef-test-kitchen-enterprise currently supports only kitchen-dokken driver and is available only for Linux x86_64
-        # So for now we skip license validation on Mac, Windows, Linux distributions which run using test kitchen.
-        if ENV["TEST_KITCHEN"] && !ChefUtils.docker?
+        # Skip license validation in CI/testing environments.
+        # This covers GitHub Actions, Buildkite, Test Kitchen, and generic CI.
+        # Licensing determination is handled by ChefLicensing directly.
+        if skip_license_validation?
           Chef::Log.info "****Skipping license validation..."
           return
         end
@@ -32,6 +30,12 @@ class Chef
 
       def check_software_entitlement!
         Chef::Log.info "Checking software entitlement..."
+        # Skip entitlement check in the same environments where fetch_and_persist is skipped,
+        # since no license keys would have been persisted in those environments.
+        if skip_license_validation?
+          Chef::Log.info "****Skipping software entitlement check..."
+          return
+        end
         ChefLicensing.check_software_entitlement!
       rescue ChefLicensing::SoftwareNotEntitled
         Chef::Log.error "License is not entitled to use Chef Infra."
@@ -97,6 +101,22 @@ class Chef
         Chef::Log.error e.message
         Chef::Application.exit! "Usage error", 1 # Generic failure
       end
+
+      private
+
+      # Returns true when license validation should be skipped.
+      # Skips in CI environments (GitHub Actions, Buildkite, Test Kitchen, generic CI).
+      # Does NOT skip when running inside Docker containers managed by Test Kitchen
+      # (those are tested separately via chef-test-kitchen-enterprise).
+      # CHEF_LICENSE acceptance values are handled by ChefLicensing directly.
+      def skip_license_validation?
+        ci_environment?
+      end
+
+      def ci_environment?
+        (ENV["TEST_KITCHEN"] || ENV["GITHUB_ACTIONS"] || ENV["BUILDKITE"] || ENV["CI"]) &&
+          !ChefUtils.docker?
+      end
     end
 
     class EntitlementError < StandardError

data/lib/chef/node.rb

@@ -650,9 +650,21 @@ class Chef
 
     # Load a node by name
     def self.load(name)
-      from_hash(Chef::ServerAPI.new(Chef::Config[:chef_server_url]).get("nodes/#{name}"))
+      from_hash(Chef::ServerAPI.new(Chef::Config[:chef_server_url],
+        client_name: api_client_name,
+        signing_key_filename: api_client_key).get("nodes/#{name}"))
     end
 
+    def self.api_client_name
+      Chef::Config[:api_client_name] || Chef::Config[:node_name]
+    end
+    private_class_method :api_client_name
+
+    def self.api_client_key
+      Chef::Config[:api_client_key] || Chef::Config[:client_key]
+    end
+    private_class_method :api_client_key
+
     # Remove this node via the REST API
     def destroy
       chef_server_rest.delete("nodes/#{name}")

data/lib/chef/policy_builder/expand_node_object.rb

@@ -248,13 +248,24 @@ class Chef
       end
 
       def api_service
-        @api_service ||= Chef::ServerAPI.new(config[:chef_server_url], version_class: Chef::CookbookManifestVersions )
+        @api_service ||= Chef::ServerAPI.new(config[:chef_server_url],
+          client_name: api_client_name,
+          signing_key_filename: api_client_key,
+          version_class: Chef::CookbookManifestVersions)
       end
 
       def config
         Chef::Config
       end
 
+      def api_client_name
+        config[:api_client_name] || config[:node_name]
+      end
+
+      def api_client_key
+        config[:api_client_key] || config[:client_key]
+      end
+
     end
   end
 end

data/lib/chef/policy_builder/policyfile.rb

@@ -515,6 +515,8 @@ class Chef
       # @api private
       def api_service
         @api_service ||= Chef::ServerAPI.new(config[:chef_server_url],
+          client_name: api_client_name,
+          signing_key_filename: api_client_key,
           version_class: Chef::CookbookManifestVersions)
       end
 
@@ -523,6 +525,16 @@ class Chef
         Chef::Config
       end
 
+      # @api private
+      def api_client_name
+        config[:api_client_name] || config[:node_name]
+      end
+
+      # @api private
+      def api_client_key
+        config[:api_client_key] || config[:client_key]
+      end
+
       # Indicates whether the policy is temporary, which means an
       # override_runlist was provided. Chef::Client uses this to decide whether
       # to do the final node save at the end of the run or not.