Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update SHA for go-containerregistry #1815

Merged
merged 5 commits into from
Apr 24, 2021
Merged

Update SHA for go-containerregistry #1815

merged 5 commits into from
Apr 24, 2021

Conversation

umeshkumhar
Copy link
Contributor

@umeshkumhar umeshkumhar commented Apr 24, 2021
edited
Loading

update sha for com_github_google_go_containerregistry

PR Checklist

Please check if your PR fulfils the following requirements:

  • Tests for the changes have been added (for bug fixes/features)
  • Docs have been added / updated (for bug fixes / features)

PR Type

What kind of change does this PR introduce?

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Documentation content changes
  • Other... Please describe:

What is the current behavior?

Breaking http_archive or git_repository due to SHA change of @com_github_google_go_containerregistry

Issue Number: 1814

What is the new behaviour?

Will pull tarball @com_github_google_go_containerregistry and verify SHA properly

Does this PR introduce a breaking change?

  • Yes
  • No

Other information

#1814

@umeshkumhar
update SHA
9ef3f87 
update sha for com_github_google_go_containerregistry
@google-cla
Copy link

google-cla bot commented Apr 24, 2021

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

What to do if you already signed the CLA

Individual signers
Corporate signers

ℹ️ Googlers: Go here for more info.

@google-cla google-cla bot added the cla: no label Apr 24, 2021
@umeshkumhar
Copy link
Contributor Author

@googlebot I signed it!

@google-cla google-cla bot added cla: yes and removed cla: no labels Apr 24, 2021
@umeshkumhar umeshkumhar changed the title #1814 Bugfix: update SHA Update SHA for go-containerregistry Apr 24, 2021
@alexeagle
Copy link
Contributor

Looks like it was broken by bazelbuild/continuous-integration@15fbac4
rules_docker asks for buildifier 0.22.0 which is very old, and its command line API is not compatible with how Bazel CI setup invokes it.
I'll update us to current.

@alexeagle alexeagle force-pushed the patch-1 branch 2 times, most recently from 0b40bc6 to bd94f03 Compare April 24, 2021 13:57
SrodriguezO
SrodriguezO reviewed Apr 24, 2021
View reviewed changes
repositories/go_repositories.bzl
@@ -39,7 +39,7 @@ def go_deps():
name = "com_github_google_go_containerregistry",
urls = ["https://api.github.com/repos/google/go-containerregistry/tarball/8a2841911ffee4f6892ca0083e89752fb46c48dd"], # v0.1.4
strip_prefix = "google-go-containerregistry-8a28419",
sha256 = "60b9a600affa5667bd444019a4e218b7752d8500cfa923c1ac54ce2f88f773e2",
sha256 = "cadb09cb5bcbe00688c73d716d1c9e774d6e4959abec4c425a1b995faf33e964",
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not opposed to updating the sha, but is there nay concern the artifact was tampered with?

I'm not sure if this is relevant, but neither sha matches the shas of the artifacts for that version in the regular non-api project: #1814 (comment)

cc @alexeagle

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@alexeagle @umeshkumhar thoughts on this? Do we know why the sha suddenly changed? And why it differs from those in the repo's release page?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@SrodriguezO Not 100% sure, but this issue is raised with this commit ID. In this PR, you can see ko version is changed.

There are some reported issues where ko on version change has changed the tar hashes, which impacted SHA checks..More info here:
kubernetes/kubernetes#99376

One another possibility can be that the maintainer has re-published/ updated tarball, which caused SHA change, which I don't think have happened.

I have not explored to the root cause. Let me know if that helps

Copy link
Collaborator

@uhthomas uhthomas Apr 24, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi,

I'm facing an issue where using rules_docker v0.16.0 results in:

Checksum was cadb09cb5bcbe00688c73d716d1c9e774d6e4959abec4c425a1b995faf33e964 but wanted 60b9a600affa5667bd444019a4e218b7752d8500cfa923c1ac54ce2f88f773e2

The root cause is explained in ko-build/ko#315 and kubernetes/kubernetes#99376.

The TL;DR is that Kubernetes was using short hashes for versions, which may change in length over time. The hash is injected into the source through git archive.

This SHA256 change should fix things for now, but will eventually break again. The real solution will be to update the dependency to a commit after kubernetes/kubernetes@ab221b5.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Further, my solution to this problem, without updating from rules_docker v0.16.0, has been to explicitly pull in github.com/google/go-containerregistry v0.4.1 via rules_go.

See https://github.com/uhthomas/6f.io/compare/8548f56df648693c0e518454cfccad0792e48eb8..3915a86d6bd9c6a376198b1d1d79979a7d4c542f

@alexeagle
Suppress a failing test on RBE
5f5c218
@alexeagle
Vendor a GPG public key
db5346e 
The remote server we fetched it from was providing two different files (differing by a whitespace)
which caused the content hash to be unstable, making CI fail most of the time.

Note this hash was changed in the last month by
bazelbuild@08cddcc
so the instability has been here for a while.
@alexeagle alexeagle merged commit 0086a29 into bazelbuild:master Apr 24, 2021
@uhthomas uhthomas mentioned this pull request Apr 24, 2021
Closed
copybaranaut pushed a commit to pixie-io/pixie that referenced this pull request Apr 26, 2021
@vihangm @copybaranaut
Explicitly depend on google/go-containerregistry to workaround a rule…
65d92db 
…s_docker bug

Summary:
This is to work around bazelbuild/rules_docker#1814
For more context, also see bazelbuild/rules_docker#1815
and google/go-containerregistry#997

Test Plan: Jenkins build should run now.

Reviewers: zasgar, #third_party_approvers

Reviewed By: zasgar, #third_party_approvers

Differential Revision: https://phab.corp.pixielabs.ai/D8400

GitOrigin-RevId: 4d6cd51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SrodriguezO SrodriguezO SrodriguezO left review comments

@uhthomas uhthomas uhthomas left review comments

@alexeagle alexeagle alexeagle approved these changes

@gravypod gravypod Awaiting requested review from gravypod gravypod is a code owner

@pcj pcj Awaiting requested review from pcj pcj is a code owner

@smukherj1 smukherj1 Awaiting requested review from smukherj1 smukherj1 is a code owner

Assignees
No one assigned
Labels
cla: yes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@umeshkumhar @alexeagle @uhthomas @SrodriguezO