
Conversation

@octo-sts
Contributor

@octo-sts octo-sts bot commented Dec 5, 2025

Commit: 627894459a84be3488a1789919679c997056a03c

Note: If you need to make manual changes to this PR, apply the skip:staging-update-bot label so the reconciler won't overwrite them.

@octo-sts octo-sts bot added automated pr python-3.13 request-version-update request for a newer version of a package labels Dec 5, 2025
@octo-sts octo-sts bot requested review from a team as code owners December 5, 2025 21:11
@octo-sts octo-sts bot added request-version-update request for a newer version of a package automated pr python-3.13 P0 This label indicates our scanning found CRITICAL CVEs for these packages. labels Dec 5, 2025
@octo-sts
Contributor Author

octo-sts bot commented Dec 5, 2025

🔄 Build Failed: Git Checkout Error

fatal: bad object 333d4a6f4967d3ace91492a39ededbcf3faa76a6

Build Details

| Category      | Details                                                         |
|---------------|-----------------------------------------------------------------|
| Build System  | melange                                                         |
| Failure Point | `git cherry-pick -x 333d4a6f4967d3ace91492a39ededbcf3faa76a6`   |

Root Cause Analysis 🔍

The git cherry-pick operation failed because the specified commit hash 333d4a6f4967d3ace91492a39ededbcf3faa76a6 from branch 3.13 could not be found in the repository. This is a CVE-2025-8291 security patch that appears to be missing from the fetched branch or may have been rebased/modified since the build configuration was created.



@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Dec 5, 2025
@sergiodj
Member

sergiodj commented Dec 5, 2025

This is failing because of chainguard-dev/melange#1473.

sergiodj added a commit to sergiodj/melange that referenced this pull request Dec 5, 2025
Melange currently barfs on specific cherry-pick situations like the
one at wolfi-dev/os#74858 .  I spent some time
investigating this and found that this happens because the initial
`git clone` to fetch a tag is done in shallow mode, and then
subsequent `git fetch` commands will be constrained by the
"shallowness" that was created.  I was surprised to find @smoser's
chainguard-dev#1473 which pretty
much reached the same conclusion.

My suggestion is that we should bite the bullet here and just invoke
the `git fetch` that's run during `cherry-pick` using the
`--unshallow` option.  The downside is that this will pull in the
entire repository history, which can be a lot in some cases.

Signed-off-by: Sergio Durigan Junior <sergiodj@chainguard.dev>
This is a workaround for chainguard-dev/melange#1473

Signed-off-by: Sergio Durigan Junior <sergiodj@chainguard.dev>
@sergiodj
Member

sergiodj commented Dec 5, 2025

I've pushed a workaround for now (setting depth: -1 when cloning the repo).
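The failure described in the build-error comment above and in sergiodj's melange commit message, together with the full-depth workaround, reproduced end to end as an added shell example. This is not melange's or CPython's code: it constructs a throwaway upstream whose branch `3.13` carries a fix commit that is an ancestor of the point-release tag (the names `v1.0.1`, `app.c`, `VERSION` and `NEWS` are stand-ins), clones that tag at depth 1 the way the pipeline did, and shows that a plain `git fetch` of the branch cannot bring the fix commit into the clone while `git fetch --unshallow` can. The last check is xnox's point from the review: once history is complete, the commit turns out to be already contained in the tag, so the cherry-pick is redundant.

```shell
#!/bin/sh
# Added example, not melange's own code: reproduce the "fatal: bad object"
# cherry-pick failure that a shallow `git clone --depth 1` of a tag causes,
# then show that `git fetch --unshallow` makes the commit resolvable again.
# Needs only git and a writable temp dir; nothing touches the network.
set -eu

export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@example.invalid
export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@example.invalid

# Build a constructed upstream shaped like a release branch after a point
# release:  A -- F (security fix) -- R (tagged v1.0.1) -- D   <- branch 3.13
# The fix F is an ancestor of the tag, i.e. the release already contains it.
# Prints the full sha of F, the commit a recipe would try to cherry-pick.
make_upstream() {
    up=$1
    git init -q "$up"
    git -C "$up" symbolic-ref HEAD refs/heads/3.13
    echo base > "$up/app.c";    git -C "$up" add app.c;   git -C "$up" commit -q -m "A: base"
    echo fixed > "$up/app.c";   git -C "$up" add app.c;   git -C "$up" commit -q -m "F: security fix"
    fix=$(git -C "$up" rev-parse HEAD)
    echo 1.0.1 > "$up/VERSION"; git -C "$up" add VERSION; git -C "$up" commit -q -m "R: release 1.0.1"
    git -C "$up" tag v1.0.1
    echo wip > "$up/NEWS";      git -C "$up" add NEWS;    git -C "$up" commit -q -m "D: post-release work"
    echo "$fix"
}

# Clone the tag the way the failing build did (depth 1), then fetch branch 3.13
# either inside the existing shallow boundary ("no") or with --unshallow ("yes").
checkout_tag_then_fetch_branch() {
    up=$1; src=$2; unshallow=$3
    # file:// matters: git silently ignores --depth for plain local paths.
    git clone -q --depth 1 --branch v1.0.1 "file://$up" "$src"
    if [ "$unshallow" = yes ]; then
        git -C "$src" fetch -q --unshallow origin 3.13
    else
        git -C "$src" fetch -q origin 3.13
    fi
}

# 0 if $fix exists as an object in $src (cherry-pick can proceed); 1 if git
# cannot find it, in which case the same error the build surfaced is printed.
fix_object_present() {
    src=$1; fix=$2
    if git -C "$src" cat-file -e "$fix" 2>/dev/null; then
        return 0
    fi
    git -C "$src" cherry-pick -x "$fix" 2>&1 | sed 's/^/  /' || true
    return 1
}

# 0 if the fix is already an ancestor of $rev (here the tagged release commit),
# i.e. the cherry-pick is redundant with the point release.
fix_already_in_release() {
    src=$1; fix=$2; rev=$3
    git -C "$src" merge-base --is-ancestor "$fix" "$rev"
}

root=$(mktemp -d)
fix=$(make_upstream "$root/upstream")

echo "shallow clone of v1.0.1, plain fetch of 3.13:"
checkout_tag_then_fetch_branch "$root/upstream" "$root/shallow" no
fix_object_present "$root/shallow" "$fix" && echo "  found $fix" || echo "  (missing, as in the failed build)"

echo "shallow clone of v1.0.1, fetch --unshallow of 3.13:"
checkout_tag_then_fetch_branch "$root/upstream" "$root/full" yes
fix_object_present "$root/full" "$fix" && echo "  found $fix"
# HEAD is still the tagged release commit; fetch does not move it.
fix_already_in_release "$root/full" "$fix" HEAD && echo "  and v1.0.1 already contains it"
rm -rf "$root"
```

In the shallow case the clone holds only the tagged commit; the client advertises that commit as its shallow boundary, so the server sends just the commits on `3.13` that are newer than the tag and the fix behind the boundary never arrives, which is what `git cherry-pick -x <full sha>` reports as `fatal: bad object`. The `--unshallow` fetch pulls the whole ancestry, at the cost the commit message notes; the `depth: -1` workaround in the recipe gets the same result by never creating the shallow boundary in the first place.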

@octo-sts octo-sts bot added bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. manual/review-needed staging-approver-bot/manual-review-needed approver-bot/manual-review-needed labels Dec 5, 2025
Member

@xnox xnox left a comment


CVE mentioned in scan is fixed by this point release.

Also I wonder if cherry picks should have been dropped with new point release. Can figure this out later.

@xnox xnox merged commit 1e55068 into main Dec 6, 2025
21 of 22 checks passed
@xnox xnox deleted the staging-update-bot/python-3.13.yaml branch December 6, 2025 06:00
sergiodj added a commit to sergiodj/melange that referenced this pull request Dec 8, 2025
sergiodj added a commit to chainguard-dev/melange that referenced this pull request Dec 8, 2025