risky-shell-pipe false positive: pipe operator in multi-line Jinja template is interpreted as shell pipe

[lucendio]

Summary

Using Jinja template with operator | in multi-line (!) shell cmd string is recognized as risky-shell-pipe violation.

Issue Type

• Bug Report

OS / ENVIRONMENT

ansible-lint --version
ansible-lint 6.21.1 using ansible-core:2.14.11 ansible-compat:4.1.10 ruamel-yaml:0.17.40 ruamel-yaml-clib:0.2.8

Actual / Desired Behavior

- vars:
    values:
      - 'itemA'
      - 'itemB'
  ansible.builtin.shell:
    executable: '/usr/bin/bash'
    cmd: >-
      echo {{
        values | first
      }}

fails while it's not supposed to:

risky-shell-pipe: Shells that use pipes should set the pipefail option.
tasks/example.yaml:1 Task/Handler: shell executable=/usr/bin/bash cmd=echo {{
  values | first
}}

BUT

- vars:
    values:
      - 'itemA'
      - 'itemB'
  ansible.builtin.shell:
    executable: '/usr/bin/bash'
    cmd: >-
      set -o pipefail;
      echo {{
        values | first
      }}

and

- vars:
    values:
      - 'itemA'
      - 'itemB'
  ansible.builtin.shell:
    executable: '/usr/bin/bash'
    cmd: >-
      echo {{ values | first }}

succeed.

While the result of the last 2 examples is expected, the first one is not. If pipe operators are only part of a Jinja template in the cmd string value the rule should not match regardless whether it's multi-line or single-line.

[ssbarnea]

A PR to improve the behaviour would be more than welcomed here.