build grafana-image-renderer for arm64

[sanjayk0508]

Given that chromium now supports arm64 (ref), we can now build grafana-image-renderer for arm64

also updates version

[octo-sts]

🔄 Build Failed: Git Checkout Error

FAIL Expected commit e8cb05ca1f74285a629110f06492268a30e2a172 for v3.12.8, found c167468de9bca504ea203912384259b3de998fd8

Build Details

Category	Details
Build System	melange
Failure Point	git checkout of grafana-image-renderer repository

Root Cause Analysis 🔍

The expected commit hash for tag v3.12.8 does not match the actual commit hash in the repository. This suggests either the tag has been updated in the remote repository or the commit hash specified in the build configuration is incorrect.

---

🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

• gitlab-runner-17.11/17.11.1 package update #52449
• calico-3.29 - usrmerge usr/sbin #44671
• trufflehog/3.88.16-r0: cve remediation #46217

Suggested Changes

File: grafana-image-renderer.yaml

• replace at line 33 (pipeline git-checkout expected-commit parameter)
  Original:

      expected-commit: e8cb05ca1f74285a629110f06492268a30e2a172

Replacement:

      expected-commit: c167468de9bca504ea203912384259b3de998fd8

Content:

Update the expected-commit hash to match the actual commit hash for tag v3.12.8

Click to expand fix analysis

Analysis

After examining the similar fixed build failures, I can see a clear pattern. In all three examples, the root issue was the same: the expected commit hash in the melange YAML file didn't match the actual commit hash for the given tag in the repository.

The fix pattern is consistent across all examples:

1. Update the expected-commit value in the git-checkout step to match the current commit hash for the tag
2. In some cases, it was also necessary to update the package version if it was out of date

The current issue with grafana-image-renderer follows this exact pattern, where the specified commit hash (e8cb05ca1f74285a629110f06492268a30e2a172) doesn't match the actual commit hash (c167468de9bca504ea203912384259b3de998fd8) for tag v3.12.8.

Click to expand fix explanation

Explanation

The build is failing because the expected commit hash in the melange YAML file (e8cb05ca1f74285a629110f06492268a30e2a172) doesn't match the actual commit hash (c167468de9bca504ea203912384259b3de998fd8) that the tag v3.12.8 is now pointing to in the repository.

This mismatch can happen for several reasons:

1. The tag may have been force-updated in the upstream repository to point to a different commit
2. The tag may have been moved due to a rebase or other Git operation
3. The original commit hash in the YAML file may have been incorrectly specified

By updating the expected-commit value to match the current commit hash for the tag, we're aligning our build expectations with the current state of the repository. This allows the git-checkout step to complete successfully because the commit hash verification will now pass.

The error message explicitly tells us that the expected commit is e8cb05ca1f74285a629110f06492268a30e2a172 but the actual commit found for v3.12.8 is c167468de9bca504ea203912384259b3de998fd8. By updating our expected-commit to match the actual commit, we directly address the root cause of the failure.

Click to expand alternative approaches

Alternative Approaches

• An alternative approach would be to pin to a specific commit instead of a tag by changing the git-checkout step to use commit: c167468de9bca504ea203912384259b3de998fd8 instead of tag: v${{package.version}}. This would make the build more deterministic but would make version updates more complicated.
• Another approach would be to check if there's a newer version (v3.12.9 or later) available for grafana-image-renderer and update both the version and the commit hash. This would ensure we're using the latest available version, which aligns with Wolfi's principles of keeping packages up to date.
• We could also modify the git-checkout step to not verify the commit hash at all, by removing the expected-commit parameter entirely. However, this would reduce build reproducibility and security, as we would no longer verify that the tag points to the expected code.

---

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

[sanjayk0508]

updating the version manually fails in CI

[jamonation]

Looks like the GHSA-rhx6-c78j-4q9w.patch patch causes the bumped version to fail. Wonder if removing that will get a newer version going?