@octo-sts octo-sts bot commented Jul 15, 2025

@octo-sts octo-sts bot added request-version-update request for a newer version of a package automated pr opensearch-dashboards-3 labels Jul 15, 2025
octo-sts bot commented Jul 15, 2025

🔄 Build Failed: Git Checkout Error

FAIL Expected commit 93296ec81611080141bc569f761794a01eb1d105 for 3.1.0, found c152d16bbe6b4501e3e2418be0f9f8b3dc07559f

Build Details

| Category | Details |
|---|---|
| Build System | Melange (Wolfi Linux package builder) |
| Failure Point | git checkout for opensearch-dashboards-3-config subpackage |

Root Cause Analysis 🔍

The build is trying to check out a specific commit (93296ec81611080141bc569f761794a01eb1d105) from tag 3.1.0 of the opensearch-build repository, but the actual commit hash for that tag is different (c152d16bbe6b4501e3e2418be0f9f8b3dc07559f). This mismatch causes the build to fail because the expected commit doesn't match the actual commit associated with the tag.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: opensearch-dashboards-3.yaml

  • replacement at the expected-commit line in the opensearch-build git-checkout section (opensearch-dashboards-3-config subpackage git-checkout section)
    Original:
          expected-commit: 93296ec81611080141bc569f761794a01eb1d105 # will need to be manually updated when opensearch dashboard auto update happens
    Replacement:
          expected-commit: c152d16bbe6b4501e3e2418be0f9f8b3dc07559f # will need to be manually updated when opensearch dashboard auto update happens

Analysis

Looking at the similar fixed issues, there's a consistent pattern with git checkout failures where the expected commit hash doesn't match the actual commit hash at a specified tag. All three examples show the same fix approach: updating the expected-commit hash in the git-checkout section to match the actual commit hash that exists at the specified tag. This is a common issue in package build systems that pin to specific commit hashes - when the upstream repository updates their tags (possibly through a force push or tag change), the expected commit hash in the build configuration becomes outdated and must be updated to match reality.


Explanation

The build failure occurs because the package is trying to check out a specific commit (93296ec81611080141bc569f761794a01eb1d105) for tag 3.1.0 in the opensearch-build repository, but the actual commit associated with that tag is different (c152d16bbe6b4501e3e2418be0f9f8b3dc07559f). This mismatch causes the git checkout to fail with the specific error message.

The error is in the opensearch-dashboards-3-config subpackage section where we're checking out the opensearch-build repository. All we need to do is update the expected-commit hash to match the actual commit hash that's associated with the tag 3.1.0 in the opensearch-build repository. This is a common situation when upstream repositories update their tags after we've created our build configuration.

Looking at all three similar fixed examples, they addressed the same type of error by updating the expected-commit hash to match the actual commit hash found at the tag. This is a straightforward fix that aligns our build expectations with the current state of the upstream repository.

The comment in the code "# will need to be manually updated when opensearch dashboard auto update happens" even acknowledges that this value needs manual updates periodically.


Alternative Approaches

  • Instead of hardcoding the commit hash, the build system could fetch the latest commit hash for the specified tag at build time and use that, eliminating the need for manual updates when tags change.
  • The package could be modified to verify the tag exists but not enforce a specific commit, though this would be less deterministic and could lead to unexpected behavior if the tag is moved.
  • Add a pre-build verification step that checks if the expected commit matches the actual commit for the tag, and automatically updates the value or provides a clear message about what needs to be updated.

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
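
The pre-build verification step listed under Alternative Approaches, sketched in Python as an added example (not code from this PR, melange or wolfictl). It parses `git ls-remote --tags` output for the upstream repository and reports a moved tag for review instead of rewriting the pin; the function names and the sample lines other than the 3.1.0 hash are assumptions made for the example.

```python
import re
from typing import Optional, Tuple

SHA1 = re.compile(r"[0-9a-f]{40}")

# Constructed sample of `git ls-remote --tags <repository>` output. The 3.1.0
# hash is the "found" commit from the build log above; the rest is made up.
SAMPLE_LS_REMOTE = "\n".join([
    "c152d16bbe6b4501e3e2418be0f9f8b3dc07559f\trefs/tags/3.1.0",
    "a" * 40 + "\trefs/tags/3.1.0.1",   # similar name, must not match 3.1.0
    "b" * 40 + "\trefs/tags/9.9.9",     # annotated tag: id of the tag object
    "c" * 40 + "\trefs/tags/9.9.9^{}",  # annotated tag: peeled commit id
])


def resolve_tag(ls_remote_output: str, tag: str) -> Optional[str]:
    """Return the commit a checkout of `tag` would land on, or None."""
    direct = peeled = None
    for line in ls_remote_output.splitlines():
        fields = line.split("\t")
        if len(fields) != 2 or not SHA1.fullmatch(fields[0]):
            continue  # skip malformed lines rather than guess
        sha, ref = fields
        if ref == "refs/tags/" + tag + "^{}":
            peeled = sha  # annotated tags list the commit on the ^{} line
        elif ref == "refs/tags/" + tag:
            direct = sha
    return peeled or direct


def check_pin(ls_remote_output: str, tag: str, expected_commit: str) -> Tuple[str, str]:
    """Compare the pinned expected-commit with what the tag resolves to now."""
    actual = resolve_tag(ls_remote_output, tag)
    if actual is None:
        return "missing", f"tag {tag} not found upstream"
    if actual == expected_commit.strip().lower():
        return "ok", f"tag {tag} still resolves to {actual}"
    return "moved", (f"tag {tag}: expected {expected_commit}, found {actual}; "
                     "review the upstream change before re-pinning")


if __name__ == "__main__":
    # The pin from opensearch-dashboards-3.yaml before this PR's fix.
    print(check_pin(SAMPLE_LS_REMOTE, "3.1.0",
                    "93296ec81611080141bc569f761794a01eb1d105"))
```
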

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jul 15, 2025
debasishbsws previously approved these changes Jul 16, 2025
@dnegreira dnegreira self-assigned this Jul 16, 2025
@dnegreira dnegreira force-pushed the wolfictl-0ee4c30d-5e16-4dc5-8928-96bf0e09b077 branch from ae8b205 to 0d982a2 Compare July 16, 2025 07:43
Remediate CVE-2025-6545 by bumping pbkdf2 to v3.1.3

Signed-off-by: David Negreira <[email protected]>
@dnegreira dnegreira force-pushed the wolfictl-0ee4c30d-5e16-4dc5-8928-96bf0e09b077 branch from a2245d8 to 58dab44 Compare July 16, 2025 09:18
@dnegreira
Member

malscan report

opensearch-dashboards-3-malscan.txt

@dnegreira dnegreira added the bincapz/blocking Bincapz (aka malcontent) scan results detected CRITICALs on the packages. label Jul 16, 2025
@dnegreira dnegreira enabled auto-merge July 16, 2025 12:11
@egibs egibs added the malcontent/reviewed The malcontent findings in this PR have been manually reviewed by security. label Jul 16, 2025
@stevebeattie
Member

I ran malcontent locally against all the packages built from the source, and there were no critical findings.

@dnegreira dnegreira merged commit bb91289 into main Jul 16, 2025
17 of 18 checks passed
@dnegreira dnegreira deleted the wolfictl-0ee4c30d-5e16-4dc5-8928-96bf0e09b077 branch July 16, 2025 16:51