Skip to content

ruby-3.2/3.2.9 package update #60585

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
debasishbsws merged 4 commits into from
Jul 29, 2025
Merged

ruby-3.2/3.2.9 package update #60585

debasishbsws merged 4 commits into from
Jul 29, 2025

Conversation

@octo-sts
Copy link
Contributor

@octo-sts octo-sts bot commented Jul 24, 2025

@octo-sts octo-sts bot added request-version-update request for a newer version of a package automated pr ruby-3.2 labels Jul 24, 2025
@octo-sts
Copy link
Contributor Author

octo-sts bot commented Jul 24, 2025

🔄 Build Failed: Git Checkout Error

FAIL Expected commit 13f495dc2c98d0762d9af37e7143d2e2a07d9926 for v3_2_9, found 8f611e0c46012e321b39efd629eb5f4f53976863

Build Details

Category Details
Build System melange
Failure Point git checkout step during Ruby 3.2.9 source retrieval

Root Cause Analysis 🔍

The build expects a specific Git commit hash (13f495dc2c98d0762d9af37e7143d2e2a07d9926) for the Ruby v3_2_9 tag, but the repository contains a different commit hash (8f611e0c46012e321b39efd629eb5f4f53976863) for that tag. This mismatch causes the build to fail as the verification check enforces strict commit hash matching.

🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: ruby-3.2.yaml

  • replace at line 51 (pipeline git-checkout section)
    Original:
      expected-commit: 13f495dc2c98d0762d9af37e7143d2e2a07d9926

Replacement:

      expected-commit: 8f611e0c46012e321b39efd629eb5f4f53976863

Content:

Replace the expected-commit hash with the actual commit hash found for the v3_2_9 tag
Click to expand fix analysis

Analysis

The similar build failure (trufflehog.yaml) exhibits the same pattern as the current issue - a mismatch between the expected commit hash and the actual commit hash for a specific tag. In the fixed example, the solution was to update the expected-commit hash in the melange YAML file to match the actual commit hash at the specified tag (v3.88.17). The fix was straightforward: they simply replaced the old expected-commit hash with the new one that actually exists in the repository. This is consistent with Wolfi's principle of keeping packages up to date with upstream releases.

Click to expand fix explanation

Explanation

The build is failing because there's a mismatch between the expected Git commit hash (13f495dc2c98d0762d9af37e7143d2e2a07d9926) and the actual commit hash (8f611e0c46012e321b39efd629eb5f4f53976863) for the Ruby v3_2_9 tag. This is similar to the trufflehog example where the expected and actual commit hashes didn't match.

The error message clearly states: "FAIL Expected commit 13f495dc2c98d0762d9af37e7143d2e2a07d9926 for v3_2_9, found 8f611e0c46012e321b39efd629eb5f4f53976863". This indicates that the Git repository tag v3_2_9 points to commit 8f611e0c46012e321b39efd629eb5f4f53976863, but our build configuration is expecting a different commit.

This mismatch could happen for several reasons:

  1. The upstream repository might have force-pushed or changed the commit that the tag points to
  2. The tag might have been moved to a different commit by the upstream maintainers
  3. There might have been a mistake in the original hash used in the configuration

By updating the expected-commit hash to match the actual commit hash that the tag currently points to, we align our build expectations with the current state of the upstream repository, allowing the build to proceed. This maintains Wolfi's principle of staying up-to-date with upstream releases while ensuring we're building from the exact source commit that corresponds to the specified version.

Click to expand alternative approaches

Alternative Approaches

  • Instead of changing the expected commit hash, we could pin to the specific commit directly rather than using the tag, but this would make future updates more difficult and goes against Wolfi's principles of tracking upstream releases.
  • We could investigate if there's a legitimate reason why the tag points to a different commit than expected (such as security fixes) and evaluate if the new commit is appropriate. However, in most cases, the tag being updated by upstream maintainers is intentional and should be trusted.
  • If there are concerns about the integrity of the new commit, we could verify the GPG signature of the tag (if available) to ensure it was properly signed by a trusted maintainer before accepting the new commit hash.

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jul 24, 2025
@debasishbsws debasishbsws self-assigned this Jul 28, 2025
@debasishbsws
fix(update): rename underscore-package-version to `mangled-package-…
ca91450 
…version` for proper commit bumping

* Melange now only updates `expected-commit` in `git-checkout` when tags match either `${{package.version}}` or `${{vars.mangled-package-version}}` ([melange#2008](chainguard-dev/melange#2008))


Signed-off-by: Debasish Biswas <[email protected]>
@debasishbsws
Merge branch 'main' into wolfictl-fbedf395-697c-4fce-9d48-d39067ca7f03
dfb5e2a
@debasishbsws
Remove the cherrypick as its not required anymore.
41c1de7 
Signed-off-by: Debasish Biswas <[email protected]>
@octo-sts octo-sts bot added bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. manual/review-needed labels Jul 28, 2025
@debasishbsws debasishbsws merged commit 4776f26 into main Jul 29, 2025
18 checks passed
@debasishbsws debasishbsws deleted the wolfictl-fbedf395-697c-4fce-9d48-d39067ca7f03 branch July 29, 2025 09:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AmberArcadia AmberArcadia AmberArcadia approved these changes

Assignees

@debasishbsws debasishbsws

Labels

ai/skip-comment Stop AI from commenting on PR automated pr bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. manual/review-needed request-version-update request for a newer version of a package ruby-3.2

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@AmberArcadia @debasishbsws @wolfi-bot