Adding VersionStream for apache-tika-3.2

[octo-sts]

No description provided.

[octo-sts]

🔄 Build Failed: Git Checkout Error

fatal: Remote branch 3.2 not found in upstream origin

Build Details

Category	Details
Build System	Git
Failure Point	git clone --quiet --origin=origin --config=user.name=Melange Build --config=user.email=melange-build@cgr.dev --config=advice.detachedHead=false --branch=3.2 --depth=1 https://github.com/apache/tika /tmp/tmp.J8HyrjVIPv

Root Cause Analysis 🔍

The build is attempting to clone Apache Tika repository with branch '3.2', but this is actually a tag, not a branch. The git clone command is incorrectly using --branch=3.2 when it should be using a tag reference instead.

---

🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

• filebrowser/2.32.0-r4: cve remediation #49939

Suggested Changes

File: apache-tika-3.2.yaml

• replace at line 34-37 (pipeline git-checkout section)
  Original:

  - uses: git-checkout
    with:
      repository: https://github.com/apache/tika
      tag: ${{package.version}}
      expected-commit: 1cd5b3f43f4555ae8177b9f246d3e8836592ab3b

Replacement:

  - uses: git-checkout
    with:
      repository: https://github.com/apache/tika
      branch: main
      tag: ${{package.version}}
      expected-commit: 1cd5b3f43f4555ae8177b9f246d3e8836592ab3b

Click to expand fix analysis

Analysis

The similar fixed build failure shows a pattern where Git's branch specification was incorrectly used with what was actually a tag reference. In the example fix, the build was trying to use '--branch=v2.32.0' when v2.32.0 was a tag, not a branch. The key insight is that when working with Git repositories where specific versions are tagged rather than branched, the configuration needs to properly specify tag references instead of branch references.

Click to expand fix explanation

Explanation

The current build failure occurs because the Git checkout step is trying to use version '3.2' as a branch, but it's actually a tag in the Apache Tika repository. The error message "fatal: Remote branch 3.2 not found in upstream origin" clearly indicates this confusion.

In the Melange build system, when using the 'git-checkout' action with a tag, we need to specify both:

1. A valid branch to initially clone (typically 'main' or 'master')
2. The tag to checkout after cloning

The suggested fix adds the 'branch: main' parameter to ensure that Git first clones a valid branch before checking out the tag. This approach is correct because:

1. It follows the expected pattern for the git-checkout action when working with tags
2. It solves the root cause by not trying to directly clone a non-existent branch
3. The build will still end up at the correct commit specified by the tag and verified by the expected-commit hash

The Git operation will first clone the main branch and then checkout the specified tag, which is the intended behavior for building a specific version from a tag.

Click to expand alternative approaches

Alternative Approaches

• Another approach would be to use a direct reference to the tag in the git checkout command, like using 'ref: refs/tags/3.2' instead of specifying branch and tag separately.
• We could also modify the pipeline to use a specific commit directly with 'commit: 1cd5b3f43f4555ae8177b9f246d3e8836592ab3b' instead of using a tag reference, but this would make the build definition less clear about which version is being built.

---

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

[ajayk]

https://downloads.apache.org/tika/3.2.0/CHANGES-3.2.0.txt seems GitHub doesn't have tags probably switch to one of the sources

[OddBloke]

This CVE isn't remediable, bumping the affected version causes compilation errors. It's already advisoried for previous releases.