Adding VersionStream for gitlab-pages-18.6

[octo-sts]

No description provided.

[octo-sts]

🔄 Build Failed: Git Checkout Error

[git checkout] FAIL Expected commit 7bca874b3d408b732425cafd1d191d5953ed1a11 for v18.6.0, found 2c0f7c11200f3d701cc4fe6fbb4be0efa5587ba5

Build Details

Category	Details
Build System	melange
Failure Point	git checkout step during source code retrieval

Root Cause Analysis 🔍

The git checkout operation failed because the actual commit hash for tag v18.6.0 (2c0f7c11200f3d701cc4fe6fbb4be0efa5587ba5) does not match the expected commit hash (7bca874b3d408b732425cafd1d191d5953ed1a11) specified in the build configuration. This indicates either the tag was moved/updated in the upstream repository, or there's a mismatch in the build configuration's expected commit reference.

---

🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

• Adding VersionStream for gitlab-pages-18.3 #64068
• Adding VersionStream for gitlab-kas-18.3 #64063

Suggested Changes

File: gitlab-pages-18.6.yaml

• modification at line 28 (pipeline[0].with.expected-commit)
  Original:

expected-commit: 7bca874b3d408b732425cafd1d191d5953ed1a11

Replacement:

expected-commit: 2c0f7c11200f3d701cc4fe6fbb4be0efa5587ba5

Content:

Update the expected-commit hash to match the actual commit hash that tag v18.6.0 points to in the upstream repository

Click to expand fix analysis

Analysis

Looking at the three similar fixes, there's a clear pattern: all failures were resolved by updating the expected-commit hash in the git-checkout step to match the actual commit hash found in the upstream repository. In all cases, the tag existed but pointed to a different commit than what was specified in the build configuration. The fixes involved replacing the old expected-commit value with the new commit hash that the tag actually points to (Fix #0: updated to b7cdc2ac78f7dabac1f9312ee96b6dedaf91171f, Fix #1 & #2: updated to 4578380d63e1b5f72146bf006dd52401dc2fc943). No other changes were made to the YAML files - the solution is simply updating the expected-commit field to reflect the current state of the upstream repository.

Click to expand fix explanation

Explanation

This fix should work because the error message clearly indicates that the build system found a different commit hash (2c0f7c11200f3d701cc4fe6fbb4be0efa5587ba5) than what was expected (7bca874b3d408b732425cafd1d191d5953ed1a11) for tag v18.6.0. This is exactly the same issue pattern seen in all three similar fixes, where upstream tags were pointing to different commits than specified in the build configuration. By updating the expected-commit field to match the actual commit hash that the tag points to, the git-checkout step will succeed because the verification will pass. The tag v18.6.0 exists and is valid, but it simply points to a different commit than originally configured, which is common when upstream repositories update or move tags.

Click to expand alternative approaches

Alternative Approaches

• Remove the expected-commit field entirely to allow any commit that the tag points to, though this reduces security validation
• Use a specific commit hash directly instead of a tag in the git-checkout step, but this would require monitoring upstream for security updates manually
• Implement automated commit hash updates in the CI/CD pipeline to detect and update mismatched commit hashes, though this adds complexity

---

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

[dnegreira]

the sbom does not report the go version properly:

╰─$ wolfictl sbom gitlab-pages-18.6-18.6.0-r0-x86_64.apk | grep pages
🔎 Scanning "gitlab-pages-18.6-18.6.0-r0-x86_64.apk"
│       📦 gitlab-pages-18.6 18.6.0-r0 (apk)
└── 📄 /usr/bin/gitlab-pages
        📦 gitlab.com/gitlab-org/gitlab-pages v0.0.0-20251119165021-2c0f7c11200f+dirty (go-module)

[dnegreira]

I pushed a fix on that fixes it:
df1b9b6

─$ wolfictl sbom gitlab-pages-18.6-18.6.0-r0-x86_64.apk | grep pages
🔎 Scanning "gitlab-pages-18.6-18.6.0-r0-x86_64.apk"
│       📦 gitlab-pages-18.6 18.6.0-r0 (apk)
└── 📄 /usr/bin/gitlab-pages
        📦 gitlab.com/gitlab-org/gitlab-pages v18.6.0 (go-module)

[aborrero]

LGTM.