Skip to content

DNM: testing #52880

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
rawlingsj wants to merge 1 commit into from
Closed

DNM: testing #52880

rawlingsj wants to merge 1 commit into from

Conversation

@rawlingsj
Copy link
Member

@rawlingsj rawlingsj commented May 8, 2025

No description provided.

@rawlingsj
DNM: testing
d7c0d43 
Signed-off-by: James Rawlings <jrawlings@chainguard.dev>
@octo-sts
Copy link
Contributor

octo-sts bot commented May 8, 2025

📦 Build Failed: Missing Dependency

package github.com/go-jose/go-jose/v3 was not found on the go.mod file. Please remove the package or add it to the list of 'replaces'

Build Details

Category Details
Build System Go
Failure Point go/bump step during gobump execution

Root Cause Analysis 🔍

The build is trying to update github.com/go-jose/go-jose/v3 using gobump, but this package is not listed in the go.mod file. Gobump requires packages to either exist in go.mod already or be explicitly listed in the 'replaces' configuration.

🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: gitlab-runner-17.11.yaml

  • modification at line 96-101 (go/bump step for machine module)

    Original:

      - uses: go/bump
  with:
    modroot: ./machine
    deps: |-
      golang.org/x/crypto@v0.37.0
      golang.org/x/oauth2@v0.27.0
      github.com/golang-jwt/jwt/v4@v4.5.2
      golang.org/x/net@v0.38.0
      github.com/go-jose/go-jose/v3@v3.0.4

    Replacement:

      - uses: go/bump
  with:
    modroot: ./machine
    deps: |-
      golang.org/x/crypto@v0.37.0
      golang.org/x/oauth2@v0.27.0
      github.com/golang-jwt/jwt/v4@v4.5.2
      golang.org/x/net@v0.38.0

  • addition at line 101 (After the first go/bump step)

    Replacement:

      - uses: go/bump
  with:
    modroot: ./machine
    deps: |-
      github.com/go-jose/go-jose/v3@v3.0.4
    replaces: github.com/go-jose/go-jose/v3=github.com/go-jose/go-jose/v3@v3.0.4
Click to expand fix analysis

Analysis

Based on the similar fixed build failures, there's a clear pattern when dealing with the error "package github.com/go-jose/go-jose/v3 was not found on the go.mod file". In all three examples, the issue was resolved by modifying how the package is referenced in the go/bump step. The common solutions were:

  1. Add a dedicated go/bump step with the specific package that's causing the error (Fix Example #0)
  2. Ensure the package is listed in the correct modroot context (Fix Examples Add binutils-2.39 configuration #1 and Add pax-utils into the OS. #2)
  3. Remove the problematic package from one go/bump step and specify it correctly in another

The current issue involves attempting to update github.com/go-jose/go-jose/v3 in the machine subdirectory's go.mod file, but it's being referenced in a way that doesn't match where the dependency is actually declared.

Click to expand fix explanation

Explanation

The error message indicates that github.com/go-jose/go-jose/v3 is not found in the go.mod file when the go/bump step tries to update it. This typically happens when a package is not directly listed as a dependency in the module's go.mod file.

The fix creates a separate go/bump step specifically for the problematic package and includes it in the replaces directive. This approach tells the Go toolchain to explicitly replace any references to this package with the specified version, even if it's not directly listed in the go.mod file.

By separating this particular dependency into its own step with the replaces directive, we ensure that:

  1. The package can be properly processed by go/bump even if it's a transitive dependency not directly listed in go.mod
  2. The version is explicitly set to v3.0.4 as required
  3. We maintain the same modroot context (./machine) to ensure we're working with the correct module

This approach aligns with how similar issues were resolved in the example fixes, particularly the pattern seen in Fix Examples #1 and #2 where problematic packages were either removed or specified with explicit replace directives.

Click to expand alternative approaches

Alternative Approaches

  • Remove github.com/go-jose/go-jose/v3 from the dependencies list entirely if it's not directly needed. This approach works if the package is only a transitive dependency that doesn't need explicit version pinning.
  • Add the dependency directly to the machine's go.mod file by running a manual go get step before the go/bump step. This would allow the dependency to be recognized during the bump process.
  • Move the github.com/go-jose/go-jose/v3 dependency to the main go/bump step (outside the machine directory) if it's actually needed for the main module rather than the machine submodule.

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label May 8, 2025
@rawlingsj rawlingsj closed this May 9, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

ai/skip-comment Stop AI from commenting on PR

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rawlingsj