Ansible 2.4 changes the way the template module works. It now
processes the template and writes it into a temporary file in a newly
created temporary dir. After that it reuses the copy plugin to copy
this onto the node. This fails for untrusted jobs because the
temporary file is created outside of the work root, which fails the
safe path validation of the copy plugin [1].

There are two issues with this behavior. First, Ansible doesn't use the
configured local_tmp dir for this temporary file. This can be fixed by
setting the TMP variable.

Second, our current local_tmp setting is outside of the work dir, so
this needs to be moved into the work dir.

[1] Failed log:

TASK [gitlint : Ensure project has a fallback default config]
node | ERROR
node | {
node |   "msg": "Accessing files from outside the working dir /tmp/54614d6f189a48968648c4e68c05bdba/work is prohibited",
node |   "path": "/tmp/tmpssae4qfb/gitlint.j2"
node | }

Change-Id: Ie2c7518973fc81f51826fa16021b95590e08749e
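
The failure and the fix described in the commit message above, as an added Python example that is not part of the commit or the project's code. The containment check `is_inside`, the helper names and the `work/tmp` layout are assumptions for illustration; the sketch relies only on the fact that Python's `tempfile` module consults `TMPDIR`, `TEMP` and `TMP` when picking its default directory.

```python
import os
import tempfile
from contextlib import contextmanager


def is_inside(path, work_root):
    """Return True if path resolves to a location under work_root."""
    root = os.path.realpath(work_root)
    target = os.path.realpath(path)
    # commonpath compares whole components, so /x/work2 is not under /x/work
    return os.path.commonpath([root, target]) == root


@contextmanager
def tmp_env(directory):
    """Point the tempfile module at directory through the TMP variable."""
    saved = {k: os.environ.pop(k, None) for k in ("TMPDIR", "TEMP", "TMP")}
    saved_default = tempfile.tempdir
    os.environ["TMP"] = directory
    tempfile.tempdir = None  # drop the cached default so TMP is re-read
    try:
        yield
    finally:
        os.environ.pop("TMP", None)
        for key, value in saved.items():
            if value is not None:
                os.environ[key] = value
        tempfile.tempdir = saved_default


def render_location(work_root, use_work_tmp):
    """Create the dir a rendered template would land in; report the check."""
    if use_work_tmp:
        local_tmp = os.path.join(work_root, "tmp")  # hypothetical layout
        os.makedirs(local_tmp, exist_ok=True)
        with tmp_env(local_tmp):
            rendered_dir = tempfile.mkdtemp()
    else:
        rendered_dir = tempfile.mkdtemp()  # system default, outside the job
    rendered = os.path.join(rendered_dir, "gitlint.j2")
    return rendered, is_inside(rendered, work_root)


def demo():
    """Return (check result before the fix, check result after the fix)."""
    work_root = os.path.join(tempfile.mkdtemp(), "work")  # constructed job dir
    os.makedirs(work_root)
    return (render_location(work_root, False)[1],
            render_location(work_root, True)[1])


if __name__ == "__main__":
    print(demo())
```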