Conversation

@octo-sts octo-sts bot commented Mar 13, 2025

Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
@octo-sts octo-sts bot added the request-version-update (request for a newer version of a package) and automated pr labels Mar 13, 2025
octo-sts bot commented Mar 13, 2025

⚠️ EXPERIMENTAL

Please use 👍 or 👎 on this comment to indicate if you agree or disagree with the recommendation.

To provide more detailed feedback please comment on the recommendation prefixed with /ai-verify:

e.g. /ai-verify partially helpful but I also added bash to the build environment

Gen AI suggestions to solve the build error:

• Detected Error: "Expected commit 127bb4dbfca7ba669eb40212ffcf24dd8f30351b for 2.16.1, found fdfc3445d1cc9c1c7e587fb2a1287871de16faf9"

• Error Category: Version/Commit mismatch

• Failure Point: Git checkout step during the build process

• Root Cause Analysis: The expected commit hash in the melange YAML doesn't match the actual commit hash for the 2.16.1 tag in the upstream repository

• Suggested Fix: Update the expected-commit hash in the git-checkout step to match the actual commit:

  - uses: git-checkout
    with:
      repository: https://gitlab.freedesktop.org/fontconfig/fontconfig.git
      tag: ${{package.version}}
      expected-commit: fdfc3445d1cc9c1c7e587fb2a1287871de16faf9

• Explanation: The build is failing because Melange's security check for verifying the expected commit hash doesn't match the actual commit hash for the 2.16.1 tag. This is a security feature to ensure the code being built matches what was intended. The fix updates the expected hash to match the current upstream tag.

• Additional Notes:

  • This type of mismatch often occurs when upstream repositories modify their tags
  • The commit hash verification is a security feature to prevent supply chain attacks
  • You can verify the correct commit hash using:
    git ls-remote https://gitlab.freedesktop.org/fontconfig/fontconfig.git refs/tags/2.16.1

• References:

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Mar 13, 2025
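The bot comment above explains that melange's git-checkout step pins a tag to an expected-commit and fails the build when the tag resolves to a different commit. The script below is an added example (it is not melange or wolfictl code) that reproduces that decision offline: it parses `git ls-remote` output for a tag, resolves a lightweight or annotated tag to its commit, and compares that commit with the pin, producing the same wording as the build error quoted by the bot. The two commit ids are the ones from the comment; the `git ls-remote` outputs are constructed sample text, and the annotated-tag object id is a made-up placeholder. The `ls_remote` helper wraps the real command the bot suggests and needs network access, so the demo does not call it.

```python
"""Offline check of a melange git-checkout expected-commit against the commit
a tag resolves to.  Added example, not melange or wolfictl code.  The commit
ids come from the bot comment; the annotated-tag object id is a made-up
placeholder and the ls-remote outputs are constructed sample text."""
import re
import subprocess
from typing import Optional, Tuple

HEX40 = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample outputs in `git ls-remote <repo> refs/tags/<tag>` format
# (hash, tab, ref).  Both describe a tag 2.16.1 that resolves to the commit
# the bot reported as "found".
LIGHTWEIGHT_TAG = "fdfc3445d1cc9c1c7e587fb2a1287871de16faf9\trefs/tags/2.16.1\n"
ANNOTATED_TAG = (
    # placeholder id of the tag *object*; this is NOT the commit
    "1111111111111111111111111111111111111111\trefs/tags/2.16.1\n"
    # the peeled ref (^{}) is the commit the tag object points at
    "fdfc3445d1cc9c1c7e587fb2a1287871de16faf9\trefs/tags/2.16.1^{}\n"
)


def resolve_tag(ls_remote_output: str, tag: str) -> Optional[str]:
    """Return the commit id a tag points at, parsed from ls-remote output.

    A lightweight tag is a single line whose hash already is the commit.
    An annotated tag shows two lines: the tag object and, suffixed ^{}, the
    peeled commit.  The peeled line must win, otherwise a correct
    expected-commit would be compared against the tag object id.
    """
    direct = peeled = None
    for line in ls_remote_output.splitlines():
        if not line.strip():
            continue
        sha, _, ref = line.partition("\t")
        if ref == f"refs/tags/{tag}^{{}}":
            peeled = sha
        elif ref == f"refs/tags/{tag}":
            direct = sha
    return peeled or direct


def check_expected_commit(ls_remote_output: str, tag: str,
                          expected: str) -> Tuple[bool, str]:
    """The tag must resolve to exactly the pinned commit.  Returns
    (ok, message); the mismatch message follows the wording of the build
    error quoted in the bot comment."""
    if not HEX40.fullmatch(expected):
        return False, f"expected-commit {expected!r} is not a full 40-hex commit id"
    actual = resolve_tag(ls_remote_output, tag)
    if actual is None:
        return False, f"tag {tag} not found in remote refs"
    if actual != expected:
        return False, f"Expected commit {expected} for {tag}, found {actual}"
    return True, actual


def ls_remote(repo_url: str, tag: str) -> str:
    """Fetch the real ref listing (network; not used by the offline demo).
    This is the command the bot suggests for verifying the hash."""
    out = subprocess.run(
        ["git", "ls-remote", repo_url, f"refs/tags/{tag}"],
        check=True, capture_output=True, text=True,
    )
    return out.stdout


if __name__ == "__main__":
    pinned_old = "127bb4dbfca7ba669eb40212ffcf24dd8f30351b"   # the stale pin
    pinned_new = "fdfc3445d1cc9c1c7e587fb2a1287871de16faf9"   # the bot's fix
    for name, sample in (("lightweight", LIGHTWEIGHT_TAG), ("annotated", ANNOTATED_TAG)):
        for pin in (pinned_old, pinned_new):
            ok, msg = check_expected_commit(sample, "2.16.1", pin)
            print(f"{name:11} pin={pin[:7]} -> {'OK' if ok else 'FAIL'}: {msg}")
```

Re-pinning expected-commit to whatever the tag currently resolves to makes the build green, but it also accepts the retag; since the bot notes this mismatch usually means the upstream tag was moved, the reviewer of such a bump should confirm why it moved before taking the new hash.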
@AmberArcadia AmberArcadia self-assigned this Mar 18, 2025
Signed-off-by: Amber Arcadia <amber.arcadia@chainguard.dev>
@octo-sts octo-sts bot added the bincapz/pass label (Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages) Mar 18, 2025
@AmberArcadia AmberArcadia requested a review from a team March 18, 2025 20:59
@IdlePhysicist IdlePhysicist merged commit 4d213e9 into main Mar 18, 2025
21 checks passed
@IdlePhysicist IdlePhysicist deleted the wolfictl-4c422fac-b2f3-4708-a412-9cc8945c7f0f branch March 18, 2025 22:24
@octo-sts octo-sts bot mentioned this pull request Jul 29, 2025
