@octo-sts octo-sts bot commented Jul 20, 2025

No description provided.

octo-sts bot commented Jul 20, 2025

🔄 Build Failed: Git Checkout Error

FAIL Expected commit db60bc83de56fa2bba540cc60524db434612cd02 for v18.2.0, found c24769e865d4fb6da27d512373e2159529abddea

Build Details

| Category | Details |
| --- | --- |
| Build System | git |
| Failure Point | git checkout step during Melange build process |

Root Cause Analysis 🔍

The git checkout operation failed because the commit hash for tag v18.2.0 did not match the expected commit hash. The build expected commit db60bc83de56fa2bba540cc60524db434612cd02 but found c24769e865d4fb6da27d512373e2159529abddea instead. This indicates either the tag was moved in the upstream repository or there's a mismatch in the package definition.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: gitlab-runner-18.2.yaml

  • replace at line 33 (pipeline git-checkout section)
    Original:
      expected-commit: db60bc83de56fa2bba540cc60524db434612cd02
    Replacement:
      expected-commit: c24769e865d4fb6da27d512373e2159529abddea
    Content:
      Update the expected-commit hash to match the actual commit hash for the v18.2.0 tag

Analysis

Based on the three similar fixed build failures, I observe a common pattern: all involve a mismatch between the expected commit hash and the actual commit hash for a specific git tag. In each case, the fix was to update the expected-commit field in the git-checkout step to match the current commit hash that the tag points to in the upstream repository. This suggests that the tags in these repositories have been moved or updated since the package definition was created. For the current build failure, the same issue appears to be happening - the v18.2.0 tag in the gitlab-runner repository now points to commit c24769e865d4fb6da27d512373e2159529abddea instead of the expected db60bc83de56fa2bba540cc60524db434612cd02.


Explanation

The build is failing because the git checkout step is expecting commit hash db60bc83de56fa2bba540cc60524db434612cd02 for tag v18.2.0, but the upstream repository's tag now points to commit c24769e865d4fb6da27d512373e2159529abddea. This mismatch causes the build to fail with the error message FAIL Expected commit db60bc83de56fa2bba540cc60524db434612cd02 for v18.2.0, found c24769e865d4fb6da27d512373e2159529abddea.

The fix is to update the expected-commit hash in the gitlab-runner-18.2.yaml file to match the current commit that the v18.2.0 tag points to in the upstream repository. This approach follows the pattern seen in all three similar fixed build failures where the expected-commit value was updated to match the actual commit hash.

When Git tags in upstream repositories are moved (force-pushed) or updated, which can happen when maintainers make corrections or changes after an initial tag, the commit hash that a tag points to can change. The Melange build system verifies the commit hash as a security measure to ensure the code being built is exactly what was expected. By updating the expected-commit value, we're acknowledging this change and allowing the build to proceed with the current state of the upstream repository.


Alternative Approaches

  • Instead of updating the expected-commit, we could pin to a specific commit rather than a tag, but this would deviate from the standard practice in Wolfi and make future updates more complex.
  • We could consider implementing a build flag to bypass the expected-commit check in special circumstances, but this would reduce the security guarantees that the expected-commit check provides.
  • For frequently changing repositories, we could implement an automated process to regularly check and update the expected-commit hashes in package definitions.

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
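The tag-to-commit comparison behind the FAIL line in the comment above, as an added example (not Melange's or Wolfi's code, and not part of the original thread). It resolves a tag from `git ls-remote --tags` output and compares it with a pinned `expected-commit`; the function names and the sample listing are assumptions made for illustration.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample of `git ls-remote --tags <upstream>` output. The commit
# after v18.2.0^{} is the "found" value from the build log above; the other
# two object ids are placeholders invented for this example.
SAMPLE = (
    "2222222222222222222222222222222222222222\trefs/tags/v18.2.0-rc1\n"
    "1111111111111111111111111111111111111111\trefs/tags/v18.2.0\n"
    "c24769e865d4fb6da27d512373e2159529abddea\trefs/tags/v18.2.0^{}\n"
)


def resolve_tag(ls_remote_output, tag):
    """Return the commit a tag points to, or None if the tag is absent.

    An annotated tag is listed twice: once with the tag object's id and once
    as refs/tags/<tag>^{} with the commit it peels to. The peeled entry is the
    one to compare against a pinned commit, so it takes precedence.
    """
    direct = peeled = None
    for line in ls_remote_output.splitlines():
        parts = line.split("\t")
        if len(parts) != 2 or not SHA_RE.match(parts[0]):
            continue  # skip anything that is not "<40-hex sha>\t<ref>"
        sha, ref = parts
        if ref == f"refs/tags/{tag}^{{}}":
            peeled = sha
        elif ref == f"refs/tags/{tag}":  # exact match, so v18.2.0-rc1 is ignored
            direct = sha
    return peeled or direct


def check_expected_commit(ls_remote_output, tag, expected):
    """Compare the resolved commit with the pinned one; never auto-accept."""
    found = resolve_tag(ls_remote_output, tag)
    if found is None:
        return "MISSING", f"tag {tag} not found upstream"
    if found == expected.lower():
        return "OK", f"{tag} -> {found}"
    # A mismatch means the tag moved or the pin is wrong; a person should
    # diff the two commits before the pin is changed.
    return "FAIL", f"Expected commit {expected} for {tag}, found {found}"


if __name__ == "__main__":
    print(check_expected_commit(
        SAMPLE, "v18.2.0", "db60bc83de56fa2bba540cc60524db434612cd02"))
```

Against a real upstream, the listing would come from `git ls-remote --tags <repository-url>`; reviewing the difference between the old and new commits is what turns an updated pin into a verified one.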

@octo-sts octo-sts bot added the ai/skip-comment label (Stop AI from commenting on PR) Jul 20, 2025
@OddBloke OddBloke force-pushed the gitlab-runner-18.2 branch from 49290bb to 5105e24 July 21, 2025 18:55
@octo-sts octo-sts bot added the bincapz/pass label (Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages.) Jul 21, 2025
@OddBloke OddBloke self-assigned this Jul 21, 2025
@OddBloke
Member

That ci-cve-scan result is a false positive: 18.1 already has an advisory that will be duplicated.

@OddBloke OddBloke requested a review from a team July 21, 2025 19:04
@OddBloke OddBloke enabled auto-merge July 21, 2025 19:04
@OddBloke OddBloke merged commit ca4b446 into main Jul 21, 2025
17 of 18 checks passed
@OddBloke OddBloke deleted the gitlab-runner-18.2 branch July 21, 2025 19:17

Labels

ai/skip-comment Stop AI from commenting on PR automated pr bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. service:version-stream
