Skip to content

add containers-common package #60607

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mritunjaysharma394 merged 5 commits into from
Sep 5, 2025
Merged

add containers-common package #60607

mritunjaysharma394 merged 5 commits into from
Sep 5, 2025

Conversation

@kranurag7
Copy link
Member

@kranurag7 kranurag7 commented Jul 24, 2025
edited by tulilirockz
Loading

Fixes: #60292

Signed-off-by: kranurag7 [email protected]

@octo-sts octo-sts bot added the bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. label Jul 24, 2025
@kranurag7 kranurag7 mentioned this pull request Jul 24, 2025
Closed
@kranurag7 kranurag7 force-pushed the kr/containers-common branch from 6f48ae8 to 28f699d Compare August 10, 2025 02:50
@octo-sts
Copy link
Contributor

octo-sts bot commented Aug 10, 2025

🔄 Build Failed: Git Checkout Error

Expected commit 08ce6b4207e7b151ea1c2830cdb1d4473cfd12aa for v5.36.1, found f6ca2da2ec9e4b86231ea7a27499e2a0b35b0d8c

Build Details

Category Details
Build System melange
Failure Point git-checkout step during package build

Root Cause Analysis 🔍

Git tag v5.36.1 points to a different commit than expected. The build configuration expects commit 08ce6b4207e7b151ea1c2830cdb1d4473cfd12aa but the actual tag v5.36.1 resolves to commit f6ca2da2ec9e4b86231ea7a27499e2a0b35b0d8c. This indicates either the tag was moved/updated upstream or the expected commit hash in the build configuration is incorrect.

🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: containers-image.yaml

  • modification at line 17 (pipeline git-checkout step)
    Original:
expected-commit: 08ce6b4207e7b151ea1c2830cdb1d4473cfd12aa

Replacement:

expected-commit: f6ca2da2ec9e4b86231ea7a27499e2a0b35b0d8c

Content:

Update the expected-commit hash to match the actual commit that tag v5.36.1 points to
Click to expand fix analysis

Analysis

Based on the similar fixed build failures, I observe a consistent pattern: when there's a mismatch between the expected commit hash and the actual commit hash for a git tag, the solution is always to update the expected-commit field in the git-checkout pipeline step to match the actual commit hash that the tag points to. In all three examples, the fixes involved changing the expected-commit value from the old/incorrect hash to the new/correct hash that the tag actually references. This indicates that git tags can be moved or retagged upstream, requiring the build configuration to be updated to reflect the current state of the repository.

Click to expand fix explanation

Explanation

This fix should work because the build error indicates that git tag v5.36.1 actually points to commit f6ca2da2ec9e4b86231ea7a27499e2a0b35b0d8c, not the expected commit 08ce6b4207e7b151ea1c2830cdb1d4473cfd12aa. The git-checkout pipeline step performs verification to ensure the tag points to the expected commit hash for security and reproducibility reasons. By updating the expected-commit field to match the actual commit hash that the tag references, the verification will pass and the build will proceed. This pattern is consistent across all similar fixes - they all involved updating the expected-commit hash to reflect the current state of the upstream repository where tags may have been moved or retagged.

Click to expand alternative approaches

Alternative Approaches

  • Verify the tag externally: Before making the change, one could manually verify that the commit f6ca2da2ec9e4b86231ea7a27499e2a0b35b0d8c is indeed the correct commit for tag v5.36.1 by checking the upstream repository directly. This ensures we're not inadvertently accepting a malicious tag movement.
  • Check release notes: Review the upstream project's release notes or git history to understand if there was an intentional retag or if this represents a security concern that needs to be escalated.
  • Coordinate with containers-common: Since the YAML file mentions this package should be updated in coordination with containers-common, consider whether this change needs to be synchronized with updates to that package as well.

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Aug 10, 2025
@kranurag7
bump containers-common to 0.64.1
6354a88 
this bumps containes-common to 0.64.1. please note that we've verified
image and storage branches from the spec file here.
https://src.fedoraproject.org/rpms/containers-common/blob/rawhide/f/containers-common.spec

this is important to keep the configuration files as per upstream.
@kranurag7 kranurag7 force-pushed the kr/containers-common branch from f4b8a47 to 6354a88 Compare August 10, 2025 03:04
@falco-casserole
Copy link

falco-casserole commented Aug 12, 2025

@kranurag7 is there anything we can do to help reduce lift, from our end?

@kranurag7
Copy link
Member Author

kranurag7 commented Aug 12, 2025

@kranurag7 is there anything we can do to help reduce lift, from our end?

I'll get it green tomorrow.

@falco-casserole
Copy link

falco-casserole commented Aug 21, 2025

@kranurag7 so sorry to follow up yet again, but what's the status on this? Again, if there's anything we can do to enable you on this, please let us know!

@lborda
Copy link

lborda commented Sep 4, 2025

@kranurag7 @iyefa28
How can we get this moving forward and merged ?

@mritunjaysharma394 mritunjaysharma394 merged commit c4c87fa into wolfi-dev:main Sep 5, 2025
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mritunjaysharma394 mritunjaysharma394 mritunjaysharma394 approved these changes

Assignees

No one assigned

Labels

ai/skip-comment Stop AI from commenting on PR bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Podman and Skopeo both own /etc/containers/policy.json

4 participants

@kranurag7 @falco-casserole @lborda @mritunjaysharma394