Skip to content

drupal-11/11.2.2 package update#59855

Closed
octo-sts[bot] wants to merge 1 commit intomainfrom
wolfictl-32551fb8-5547-41ea-905a-a7c891df5988
Closed

drupal-11/11.2.2 package update#59855
octo-sts[bot] wants to merge 1 commit intomainfrom
wolfictl-32551fb8-5547-41ea-905a-a7c891df5988

Conversation

@octo-sts
Copy link
Contributor

@octo-sts octo-sts bot commented Jul 17, 2025

@wolfi-bot
drupal-11/11.2.2 package update
43548b8 
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
@octo-sts octo-sts bot added request-version-update request for a newer version of a package automated pr drupal-11 labels Jul 17, 2025
@octo-sts
Copy link
Contributor Author

octo-sts bot commented Jul 17, 2025

🔄 Build Failed: Git Checkout Error

FAIL Expected commit 4a1db0db3b144a42daa0887e904f942a55fe5b6b for 11.2.2, found 965123445745f50c7fc001c72a96650518c267d2

Build Details

Category Details
Build System git
Failure Point git checkout --quiet origin/tags/11.2.2

Root Cause Analysis 🔍

The build expects a specific commit hash (4a1db0db3b144a42daa0887e904f942a55fe5b6b) for Drupal tag 11.2.2, but found a different commit hash (965123445745f50c7fc001c72a96650518c267d2) when checking out the tag. This mismatch caused the build to fail as it enforces commit hash verification for security or reproducibility reasons.

🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: drupal-11.yaml

  • replace at line 100-102 (pipeline git-checkout section)
    Original:
  expected-commit: 4a1db0db3b144a42daa0887e904f942a55fe5b6b

Replacement:

  expected-commit: 965123445745f50c7fc001c72a96650518c267d2

Content:

Update the expected-commit hash to match the actual commit hash that tag 11.2.2 points to
Click to expand fix analysis

Analysis

After analyzing similar fixed build failures, a clear pattern emerges: in both examples, the issue involved a mismatch between the expected commit hash and the actual commit hash found when checking out a specific tag. In both cases, the fix was to update the expected-commit value in the git-checkout step to match the actual commit that the tag points to. The pattern shows that when upstream repositories change what commit a tag points to (often because they're using annotated tags that point to tag objects rather than directly to commits), the expected-commit value needs to be updated to match the actual commit hash that the tag resolves to.

Click to expand fix explanation

Explanation

The build is failing because the git tag "11.2.2" in the Drupal repository is pointing to commit 965123445745f50c7fc001c72a96650518c267d2, but the Melange YAML file expects it to point to 4a1db0db3b144a42daa0887e904f942a55fe5b6b. This mismatch is causing the build to fail.

The error occurs because Git tags can be changed by upstream maintainers to point to different commits, or they might be using annotated tags (which point to tag objects rather than directly to commits). When the Melange build system tries to verify the commit hash for security and reproducibility reasons, it finds a different commit than expected.

By updating the expected-commit value to 965123445745f50c7fc001c72a96650518c267d2 in the YAML file, we're acknowledging that this is the correct commit that the 11.2.2 tag now points to. This allows the build to proceed without triggering the commit hash verification error.

This change matches the pattern seen in both example fixes, where the expected-commit value was updated to match the actual commit that the tag points to. This approach ensures both security (by still verifying a specific commit) and functionality (by allowing the build to proceed with the correct commit).

Click to expand alternative approaches

Alternative Approaches

  • Instead of updating the expected-commit in the YAML file, we could check out a specific commit directly rather than a tag. This would bypass the tag resolution issue, but would make it harder to follow upstream version changes.
  • We could update both the drupal/drupal.git and drupal/recommended-project.git expected-commit values if both are affected. The error only mentions one mismatch, but it's possible both repositories need updating if they're supposed to be in sync.
  • We could update the update mechanism to verify commit hashes before building, adding logic to automatically update expected-commit values when tags change. This would be a more long-term solution but requires more significant changes to the build system.

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jul 17, 2025
@AmberArcadia
Copy link
Member

AmberArcadia commented Jul 18, 2025

Pretty sure this is a broken update PR that can be closed.

@octo-sts octo-sts bot deleted the wolfictl-32551fb8-5547-41ea-905a-a7c891df5988 branch July 19, 2025 00:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

ai/skip-comment Stop AI from commenting on PR automated pr drupal-11 request-version-update request for a newer version of a package

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@AmberArcadia @wolfi-bot