Branch reuse with update-lockfile can result in other lockfile downgrades #31042

Open
rarkins opened this issue Aug 27, 2024 Discussed in #29276 · 3 comments
Labels
manager:poetry Poetry package manager priority-3-medium Default priority, "should be done" but isn't prioritised ahead of others type:bug Bug fix of existing functionality


rarkins commented Aug 27, 2024

Discussed in #29276

Originally posted by msw-kialo May 27, 2024

What would you like help with?

I think I found a bug

How are you running Renovate?

Mend Renovate hosted app on github.com

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

No response

Please tell us more about your question or problem

If a poetry branch is not rebased, but otherwise updated (e.g. new version released), Renovate will probably reuse the existing branch (reuseExistingBranch = true).
poetry will be executed branched off earlier, but the output will be pushed with the newest base branch commit as parent (potentially due to enabled platform commit).

Demonstration: https://github.com/msw-kialo/renovate-push-rebase

Specifically msw-kialo/renovate-push-rebase#1

Way to reproduce:

  1. Let Renovate open a PR for a package (ideally one that is frequently released, to make the bug surface quicker, i.e., boto3—released daily): "Update dependency boto3 to v1.35.62" (msw-kialo/renovate-push-rebase#1)
  2. Another PR is merged: "Update dependency idna to v3.7" (msw-kialo/renovate-push-rebase#2) in this case
  3. "Update dependency boto3 to v1.35.62" (msw-kialo/renovate-push-rebase#1) is updated to include the newest version; however, as Renovate reused the branch, it downgrades pyproject.toml / poetry.lock and therefore downgrades "Update dependency idna to v3.7" (msw-kialo/renovate-push-rebase#2)

The branch update can be seen in https://github.com/msw-kialo/renovate-push-rebase/compare/a6b3d271f60a8dec3925e85dd2185e0012d67955..5c1ba312b5fa29e18900e53a06fb2339d8e48a29
The diff only displays the updated boto3 change. Not shown is the unintended downgrade due to the changed parent commit (that is visible in the PR diff view).

We initially observed this issue in the self-hosted version of Renovate. We also use GitHub and enabled platform commits; this feature might be required to trigger this issue.

We are able to mitigate this issue by setting reuseExistingBranch = false:

result.reuseExistingBranch = true;

Logs (if relevant)

Logs
DEBUG: Branch already exists (branch="renovate/boto3-1.x-lockfile")
DEBUG: GET https://api.github.com/repos/msw-kialo/renovate-push-rebase/branches/main/protection = (code=ERR_NON_2XX_3XX_RESPONSE, statusCode=403 retryCount=0, duration=66) (branch="renovate/boto3-1.x-lockfile")
DEBUG: Endpoint: repos/msw-kialo/renovate-push-rebase/branches/main/protection, needs paid GitHub plan (branch="renovate/boto3-1.x-lockfile")
DEBUG: Branch protection: Do not have permissions to detect branch protection (branch="renovate/boto3-1.x-lockfile")
DEBUG: Skipping behind base branch check due to rebaseWhen=auto (branch="renovate/boto3-1.x-lockfile")
DEBUG: isBranchConflicted(main, renovate/boto3-1.x-lockfile) (branch="renovate/boto3-1.x-lockfile")
DEBUG: branch.isConflicted(): using cached result "false" (branch="renovate/boto3-1.x-lockfile")
DEBUG: Branch does not need rebasing (branch="renovate/boto3-1.x-lockfile")
DEBUG: Using reuseExistingBranch: true (branch="renovate/boto3-1.x-lockfile")
DEBUG: Setting current branch to main (branch="renovate/boto3-1.x-lockfile")
DEBUG: Initializing git repository into /tmp/renovate/repos/github/msw-kialo/renovate-push-rebase (branch="renovate/boto3-1.x-lockfile")
DEBUG: Performing blobless clone (branch="renovate/boto3-1.x-lockfile")
DEBUG: git clone completed (branch="renovate/boto3-1.x-lockfile")
{
  "durationMs": 517
}

DEBUG: latest repository commit (branch="renovate/boto3-1.x-lockfile")
{
  "latestCommit": {
    "hash": "c76a43d14e751b566bd89d042666b7d40d7f0c1f",
    "date": "2024-05-24T18:29:02+02:00",
    "message": "Merge pull request #2 from msw-kialo/renovate/idna-3.x",
    "refs": "HEAD -> main, origin/main, origin/HEAD",
    "body": "Update dependency idna to v3.7",
    "author_name": "Malte Swart",
    "author_email": "msw@kialo.com"
  }
}

DEBUG: latest commit (branch="renovate/boto3-1.x-lockfile")
{
  "branchName": "main"
  "latestCommitDate": "2024-05-24T18:29:02+02:00"
}

DEBUG: manager.getUpdatedPackageFiles() reuseExistingBranch=true (branch="renovate/boto3-1.x-lockfile")
DEBUG: poetry.updateLockedDependency: boto3@1.34.109 -> 1.34.113 [poetry.lock] (branch="renovate/boto3-1.x-lockfile")
DEBUG: updateArtifacts for nonUpdatedPackageFiles (branch="renovate/boto3-1.x-lockfile")
DEBUG: poetry.updateArtifacts(pyproject.toml) (branch="renovate/boto3-1.x-lockfile")
DEBUG: Updating poetry.lock (branch="renovate/boto3-1.x-lockfile")
DEBUG: Using python version from pyproject.toml (branch="renovate/boto3-1.x-lockfile")
DEBUG: Using poetry version 1.8.2 from poetry.lock header (branch="renovate/boto3-1.x-lockfile")
DEBUG: Setting CONTAINERBASE_CACHE_DIR to /tmp/renovate/cache/containerbase (branch="renovate/boto3-1.x-lockfile")
DEBUG: Using containerbase dynamic installs (branch="renovate/boto3-1.x-lockfile")
DEBUG: Resolved stable matching version (branch="renovate/boto3-1.x-lockfile")
{
  "toolName": "python"
  "constraint": ">=3.10"
  "resolvedVersion": "3.12.3"
}

DEBUG: Executing command (branch="renovate/boto3-1.x-lockfile")
{
  "command": "install-tool python 3.12.3"
}

DEBUG: exec completed (branch="renovate/boto3-1.x-lockfile")
{
  "durationMs": 21641
  "stdout": "[22:21:44.541] INFO (67): Installing tool python@3.12.3...\ninstalling v2 tool python v3.12.3\nlinking tool python v3.12.3\nPython 3.12.3\npip 24.0 from /opt/containerbase/tools/python/3.12.3/lib/python3.12/site-packages/pip (python 3.12)\n[22:22:04.895] INFO (67): Installed tool python in 20.3s.\n"
  "stderr": ""
}

DEBUG: Executing command (branch="renovate/boto3-1.x-lockfile")
{
  "command": "install-tool poetry 1.8.2"
}

DEBUG: exec completed (branch="renovate/boto3-1.x-lockfile")
{
  "durationMs": 25984
  "stdout": "[22:22:06.505] INFO (229): Installing tool poetry@1.8.2...\ninstalling v2 tool poetry v1.8.2\nlinking tool poetry v1.8.2\nPoetry (version 1.8.2)\n[22:22:31.014] INFO (229): Installed tool poetry in 24.5s.\n"
  "stderr": ""
}

DEBUG: Executing command (branch="renovate/boto3-1.x-lockfile")
{
  "command": "poetry update --lock --no-interaction boto3"
}

DEBUG: exec completed (branch="renovate/boto3-1.x-lockfile")
{
  "durationMs": 4196
  "stdout": "Updating dependencies\nResolving dependencies...\n\nWriting lock file\n"
  "stderr": "Creating virtualenv msw-Be_y1VtG-py3.12 in /home/ubuntu/.cache/pypoetry/virtualenvs\n"
}

DEBUG: Returning updated poetry.lock (branch="renovate/boto3-1.x-lockfile")
DEBUG: Updated 1 package files (branch="renovate/boto3-1.x-lockfile")
DEBUG: Updated 1 lock files (branch="renovate/boto3-1.x-lockfile")
{
  "updatedArtifacts": [
    "poetry.lock"
  ]
}

DEBUG: Getting comments for #1 (branch="renovate/boto3-1.x-lockfile")
DEBUG: http cache: saving https://api.github.com/repos/msw-kialo/renovate-push-rebase/issues/1/comments?per_page=100 (etag="4abcb53f92f716d6f23a8fbd926847f05da16f952642ad8291a436389ef03769", lastModified=undefined) (branch="renovate/boto3-1.x-lockfile")
DEBUG: Found 0 comments (branch="renovate/boto3-1.x-lockfile")
DEBUG: Getting comments for #1 (branch="renovate/boto3-1.x-lockfile")
DEBUG: http cache: saving https://api.github.com/repos/msw-kialo/renovate-push-rebase/issues/1/comments?per_page=100 (etag="4abcb53f92f716d6f23a8fbd926847f05da16f952642ad8291a436389ef03769", lastModified=undefined) (branch="renovate/boto3-1.x-lockfile")
DEBUG: Found 0 comments (branch="renovate/boto3-1.x-lockfile")
DEBUG: 2 file(s) to commit (branch="renovate/boto3-1.x-lockfile")
DEBUG: Preparing files for committing to branch renovate/boto3-1.x-lockfile (branch="renovate/boto3-1.x-lockfile")
DEBUG: Setting git author name: renovate[bot] (branch="renovate/boto3-1.x-lockfile")
DEBUG: Setting git author email: 29139614+renovate[bot]@users.noreply.github.com (branch="renovate/boto3-1.x-lockfile")
DEBUG: git commit (branch="renovate/boto3-1.x-lockfile")
{
  "deletedFiles": []
  "ignoredFiles": []
  "result": {
    "author": null,
    "branch": "renovate/boto3-1.x-lockfile",
    "commit": "cbcb16bf6a494b9f860a48210b19b9769d1039f0",
    "root": false,
    "summary": {
      "changes": 2,
      "insertions": 13,
      "deletions": 13
    }
  }
}

DEBUG: HEAD https://api.github.com/repos/msw-kialo/renovate-push-rebase/git/refs/heads/renovate/boto3-1.x-lockfile/ = (code=ERR_NON_2XX_3XX_RESPONSE, statusCode=404 retryCount=0, duration=101) (branch="renovate/boto3-1.x-lockfile")
DEBUG: resetToCommit(c76a43d14e751b566bd89d042666b7d40d7f0c1f) (branch="renovate/boto3-1.x-lockfile")
DEBUG: Fetching branch renovate/boto3-1.x-lockfile (branch="renovate/boto3-1.x-lockfile")
DEBUG: Setting current branch to main (branch="renovate/boto3-1.x-lockfile")
DEBUG: latest commit (branch="renovate/boto3-1.x-lockfile")
{
  "branchName": "main"
  "latestCommitDate": "2024-05-24T18:29:02+02:00"
}

INFO: Branch updated (branch="renovate/boto3-1.x-lockfile")
{
  "commitSha": "5c1ba312b5fa29e18900e53a06fb2339d8e48a29"
}

DEBUG: Ensuring PR (branch="renovate/boto3-1.x-lockfile")
DEBUG: There are 0 errors and 0 warnings (branch="renovate/boto3-1.x-lockfile")
DEBUG: getBranchPr(renovate/boto3-1.x-lockfile) (branch="renovate/boto3-1.x-lockfile")
DEBUG: findPr(renovate/boto3-1.x-lockfile, undefined, open) (branch="renovate/boto3-1.x-lockfile")
DEBUG: Found PR #1 (branch="renovate/boto3-1.x-lockfile")
DEBUG: getPrCache() (branch="renovate/boto3-1.x-lockfile")
DEBUG: Found existing PR (branch="renovate/boto3-1.x-lockfile")
DEBUG: PR fingerprints mismatch, processing PR (branch="renovate/boto3-1.x-lockfile")
DEBUG: Fetching changelog: https://github.com/boto/boto3 (1.34.109 -> 1.34.113) (branch="renovate/boto3-1.x-lockfile")
DEBUG: Processing existing PR (branch="renovate/boto3-1.x-lockfile")
DEBUG: PR title changed (branch="renovate/boto3-1.x-lockfile")
{
  "branchName": "renovate/boto3-1.x-lockfile"
  "oldPrTitle": "Update dependency boto3 to v1.34.112"
  "newPrTitle": "Update dependency boto3 to v1.34.113"
}

DEBUG: updatePr(1, Update dependency boto3 to v1.34.113, body) (branch="renovate/boto3-1.x-lockfile")
DEBUG: PR updated...prNo: 1 (branch="renovate/boto3-1.x-lockfile")
INFO: PR updated (branch="renovate/boto3-1.x-lockfile")
{
  "pr": 1
  "prTitle": "Update dependency boto3 to v1.34.113"
}


@rarkins rarkins added type:bug Bug fix of existing functionality priority-3-medium Default priority, "should be done" but isn't prioritised ahead of others manager:poetry Poetry package manager labels Aug 27, 2024
@renovatebot renovatebot deleted a comment Aug 27, 2024

rarkins commented Aug 27, 2024

I'm going to try to annotate the relevant parts of the logs:

DEBUG: Branch already exists (branch="renovate/boto3-1.x-lockfile")
DEBUG: GET https://api.github.com/repos/msw-kialo/renovate-push-rebase/branches/main/protection = (code=ERR_NON_2XX_3XX_RESPONSE, statusCode=403 retryCount=0, duration=66) (branch="renovate/boto3-1.x-lockfile")
DEBUG: Endpoint: repos/msw-kialo/renovate-push-rebase/branches/main/protection, needs paid GitHub plan (branch="renovate/boto3-1.x-lockfile")
DEBUG: Branch protection: Do not have permissions to detect branch protection (branch="renovate/boto3-1.x-lockfile")
DEBUG: Skipping behind base branch check due to rebaseWhen=auto (branch="renovate/boto3-1.x-lockfile")
DEBUG: isBranchConflicted(main, renovate/boto3-1.x-lockfile) (branch="renovate/boto3-1.x-lockfile")
DEBUG: branch.isConflicted(): using cached result "false" (branch="renovate/boto3-1.x-lockfile")
DEBUG: Branch does not need rebasing (branch="renovate/boto3-1.x-lockfile")

This part confirms that the branch exists but does not need rebasing due to branch rebase config. I believe the above to all be correct.

DEBUG: Using reuseExistingBranch: true (branch="renovate/boto3-1.x-lockfile")
DEBUG: Setting current branch to main (branch="renovate/boto3-1.x-lockfile")

I believe that reuseExistingBranch=true is normal behavior, although not sure why we then set the branch to main immediately after.

DEBUG: Initializing git repository into /tmp/renovate/repos/github/msw-kialo/renovate-push-rebase (branch="renovate/boto3-1.x-lockfile")
DEBUG: Performing blobless clone (branch="renovate/boto3-1.x-lockfile")
DEBUG: git clone completed (branch="renovate/boto3-1.x-lockfile")
{
  "durationMs": 517
}

Cloning here is expected if this is the first time we've needed to do any git work

DEBUG: latest repository commit (branch="renovate/boto3-1.x-lockfile")
{
  "latestCommit": {
    "hash": "c76a43d14e751b566bd89d042666b7d40d7f0c1f",
    "date": "2024-05-24T18:29:02+02:00",
    "message": "Merge pull request #2 from msw-kialo/renovate/idna-3.x",
    "refs": "HEAD -> main, origin/main, origin/HEAD",
    "body": "Update dependency idna to v3.7",
    "author_name": "Malte Swart",
    "author_email": "msw@kialo.com"
  }
}

DEBUG: latest commit (branch="renovate/boto3-1.x-lockfile")
{
  "branchName": "main"
  "latestCommitDate": "2024-05-24T18:29:02+02:00"
}

This part above seems correct. We can see that the main branch includes the v3.7 upgrade for idna.

DEBUG: manager.getUpdatedPackageFiles() reuseExistingBranch=true (branch="renovate/boto3-1.x-lockfile")

Here Renovate tries to assess if the branch needs any more updates or if it's up to date.

DEBUG: poetry.updateLockedDependency: boto3@1.34.109 -> 1.34.113 [poetry.lock] (branch="renovate/boto3-1.x-lockfile")
DEBUG: updateArtifacts for nonUpdatedPackageFiles (branch="renovate/boto3-1.x-lockfile")
DEBUG: poetry.updateArtifacts(pyproject.toml) (branch="renovate/boto3-1.x-lockfile")
DEBUG: Updating poetry.lock (branch="renovate/boto3-1.x-lockfile")
DEBUG: Using python version from pyproject.toml (branch="renovate/boto3-1.x-lockfile")
DEBUG: Using poetry version 1.8.2 from poetry.lock header (branch="renovate/boto3-1.x-lockfile")
DEBUG: Setting CONTAINERBASE_CACHE_DIR to /tmp/renovate/cache/containerbase (branch="renovate/boto3-1.x-lockfile")
DEBUG: Using containerbase dynamic installs (branch="renovate/boto3-1.x-lockfile")
DEBUG: Resolved stable matching version (branch="renovate/boto3-1.x-lockfile")
{
  "toolName": "python"
  "constraint": ">=3.10"
  "resolvedVersion": "3.12.3"
}

DEBUG: Executing command (branch="renovate/boto3-1.x-lockfile")
{
  "command": "install-tool python 3.12.3"
}

DEBUG: exec completed (branch="renovate/boto3-1.x-lockfile")
{
  "durationMs": 21641
  "stdout": "[22:21:44.541] INFO (67): Installing tool python@3.12.3...\ninstalling v2 tool python v3.12.3\nlinking tool python v3.12.3\nPython 3.12.3\npip 24.0 from /opt/containerbase/tools/python/3.12.3/lib/python3.12/site-packages/pip (python 3.12)\n[22:22:04.895] INFO (67): Installed tool python in 20.3s.\n"
  "stderr": ""
}

DEBUG: Executing command (branch="renovate/boto3-1.x-lockfile")
{
  "command": "install-tool poetry 1.8.2"
}

DEBUG: exec completed (branch="renovate/boto3-1.x-lockfile")
{
  "durationMs": 25984
  "stdout": "[22:22:06.505] INFO (229): Installing tool poetry@1.8.2...\ninstalling v2 tool poetry v1.8.2\nlinking tool poetry v1.8.2\nPoetry (version 1.8.2)\n[22:22:31.014] INFO (229): Installed tool poetry in 24.5s.\n"
  "stderr": ""
}

DEBUG: Executing command (branch="renovate/boto3-1.x-lockfile")
{
  "command": "poetry update --lock --no-interaction boto3"
}

DEBUG: exec completed (branch="renovate/boto3-1.x-lockfile")
{
  "durationMs": 4196
  "stdout": "Updating dependencies\nResolving dependencies...\n\nWriting lock file\n"
  "stderr": "Creating virtualenv msw-Be_y1VtG-py3.12 in /home/ubuntu/.cache/pypoetry/virtualenvs\n"
}

DEBUG: Returning updated poetry.lock (branch="renovate/boto3-1.x-lockfile")

The above is all as expected, including that the poetry.lock needed updating.

DEBUG: Updated 1 package files (branch="renovate/boto3-1.x-lockfile")

I'm not sure about this line, I assume it's the undesired pyproject.toml downgrade

DEBUG: Updated 1 lock files (branch="renovate/boto3-1.x-lockfile")
{
  "updatedArtifacts": [
    "poetry.lock"
  ]
}

This seems as expected.

DEBUG: Getting comments for #1 (branch="renovate/boto3-1.x-lockfile")
DEBUG: http cache: saving https://api.github.com/repos/msw-kialo/renovate-push-rebase/issues/1/comments?per_page=100 (etag="4abcb53f92f716d6f23a8fbd926847f05da16f952642ad8291a436389ef03769", lastModified=undefined) (branch="renovate/boto3-1.x-lockfile")
DEBUG: Found 0 comments (branch="renovate/boto3-1.x-lockfile")
DEBUG: Getting comments for #1 (branch="renovate/boto3-1.x-lockfile")
DEBUG: http cache: saving https://api.github.com/repos/msw-kialo/renovate-push-rebase/issues/1/comments?per_page=100 (etag="4abcb53f92f716d6f23a8fbd926847f05da16f952642ad8291a436389ef03769", lastModified=undefined) (branch="renovate/boto3-1.x-lockfile")
DEBUG: Found 0 comments (branch="renovate/boto3-1.x-lockfile")
DEBUG: 2 file(s) to commit (branch="renovate/boto3-1.x-lockfile")

I'm not sure why there's 2 files

DEBUG: Preparing files for committing to branch renovate/boto3-1.x-lockfile (branch="renovate/boto3-1.x-lockfile")
DEBUG: Setting git author name: renovate[bot] (branch="renovate/boto3-1.x-lockfile")
DEBUG: Setting git author email: 29139614+renovate[bot]@users.noreply.github.com (branch="renovate/boto3-1.x-lockfile")
DEBUG: git commit (branch="renovate/boto3-1.x-lockfile")
{
  "deletedFiles": []
  "ignoredFiles": []
  "result": {
    "author": null,
    "branch": "renovate/boto3-1.x-lockfile",
    "commit": "cbcb16bf6a494b9f860a48210b19b9769d1039f0",
    "root": false,
    "summary": {
      "changes": 2,
      "insertions": 13,
      "deletions": 13
    }
  }
}

DEBUG: HEAD https://api.github.com/repos/msw-kialo/renovate-push-rebase/git/refs/heads/renovate/boto3-1.x-lockfile/ = (code=ERR_NON_2XX_3XX_RESPONSE, statusCode=404 retryCount=0, duration=101) (branch="renovate/boto3-1.x-lockfile")
DEBUG: resetToCommit(c76a43d14e751b566bd89d042666b7d40d7f0c1f) (branch="renovate/boto3-1.x-lockfile")
DEBUG: Fetching branch renovate/boto3-1.x-lockfile (branch="renovate/boto3-1.x-lockfile")
DEBUG: Setting current branch to main (branch="renovate/boto3-1.x-lockfile")
DEBUG: latest commit (branch="renovate/boto3-1.x-lockfile")
{
  "branchName": "main"
  "latestCommitDate": "2024-05-24T18:29:02+02:00"
}

Here it sets the "new" content (which includes the old idna version) on top of the main branch?

INFO: Branch updated (branch="renovate/boto3-1.x-lockfile")
{
  "commitSha": "5c1ba312b5fa29e18900e53a06fb2339d8e48a29"
}

And at this point we have already committed the mistake.

It's been a long time since I looked at this logic, but I think that if (a) reuseExistingBranch=true, and (b) changes are found, then (c) we should abort and instead retry with reuseExistingBranch=false
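A CI-side guard for the failure described in this issue, as an added example that is not part of the thread or of Renovate's code: it compares `poetry.lock` on the base branch with the PR's copy and reports every package whose locked version went down, which is exactly the change the branch compare view hides. The function names and the sample lockfile text (including the older idna version) are constructed; parsing is a simplified line scan of `[[package]]` tables and only numeric release segments are compared.

```python
import re
import sys

_FIELD = re.compile(r'(name|version)\s*=\s*"([^"]*)"$')

def locked_versions(lock_text):
    """Return {normalized_name: version} from the [[package]] tables of poetry.lock."""
    versions, name, in_pkg = {}, None, False
    for raw in lock_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Sub-tables such as [package.dependencies] end the name/version header.
            in_pkg, name = (line == "[[package]]"), None
            continue
        m = _FIELD.match(line) if in_pkg else None
        if not m:
            continue
        if m.group(1) == "name":
            name = re.sub(r"[-_.]+", "-", m.group(2)).lower()
        elif name is not None:
            versions[name] = m.group(2)
    return versions

def release_key(version):
    """Numeric release segments without trailing zeros: '3.7.0' -> (3, 7)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    parts = [int(p) for p in m.group(0).split(".")] if m else []
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def find_downgrades(base_lock, head_lock):
    """List (name, base_version, head_version) for packages that went backwards."""
    base, head = locked_versions(base_lock), locked_versions(head_lock)
    return [(n, old, head[n]) for n, old in sorted(base.items())
            if n in head and release_key(head[n]) < release_key(old)]

# Constructed sample: base branch after the idna PR was merged ...
BASE_LOCK = '''
[[package]]
name = "boto3"
version = "1.34.109"

[package.dependencies]
botocore = ">=1.34.109,<1.35.0"

[[package]]
name = "idna"
version = "3.7"
'''
# ... and the reused update branch: boto3 goes up, idna silently goes back.
HEAD_LOCK = (BASE_LOCK.replace('"1.34.109"', '"1.34.113"')
                      .replace('version = "3.7"', 'version = "3.6"'))

if __name__ == "__main__":
    found = find_downgrades(BASE_LOCK, HEAD_LOCK)
    for name, old, new in found:
        print(f"lockfile downgrade: {name} {old} -> {new}")
    sys.exit(1 if found else 0)
```

In a pipeline the two inputs would come from `git show <base>:poetry.lock` and the PR's working copy instead of the inline strings.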
