Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unable to use merge commit hash in the source input #262

Open
3 tasks done
vivodi opened this issue Nov 1, 2024 · 4 comments
Open
3 tasks done

Unable to use merge commit hash in the source input #262

vivodi opened this issue Nov 1, 2024 · 4 comments

Comments

@vivodi
Copy link

vivodi commented Nov 1, 2024

Contributing guidelines

I've found a bug, and:

  • The documentation does not mention anything about my problem
  • There are no open or closed issues that are related to my problem

Description

Unable to use merge commit hash in the source input:

- uses: docker/bake-action@v5
  with:
    source: ${{ github.server_url }}/${{ github.repository }}.git#${{ github.event.pull_request.merge_commit_sha }}

This is equivalent to:

- uses: actions/checkout@v4
  with:
    ref: ${{ github.event.pull_request.merge_commit_sha }}
- uses: docker/bake-action@v5

docker/bake-action@v5 cannot find the merge commit, while actions/checkout@v4 can.

This bug prevents building a Docker image based on a merge commit in a pull_request_target event.

Expected behaviour

Image is successfully built based on merge commit.

Actual behaviour

docker/bake-action@v5 cannot find the merge commit, while actions/checkout@v4 can.

Parsing raw definition
  /usr/bin/docker buildx bake https://github.com/vivodi/docker-flexget.git#569a8e0674b0f11330577cddb340fbc67871e4f2 --file ./docker-bake.hcl --file cwd:///tmp/docker-metadata-action-bake.json --set *.tags= --set *.platform=linux/amd64 --set *.output=type=registry,name=***/flexget,push-by-digest=true --print image
  #0 building with "builder-fa364b82-62ea-463a-8441-ff9792a5355a" instance using docker-container driver
  
  #1 [internal] load git source https://github.com/vivodi/docker-flexget.git#569a8e0674b0f11330577cddb340fbc67871e4f2
  #1 0.020 Initialized empty Git repository in /var/lib/buildkit/runc-overlayfs/snapshots/snapshots/1/fs/
  #1 0.024 fatal: Not a valid object name 569a8e0674b0f11330577cddb340fbc67871e4f2^{commit}
  #1 0.353 From https://github.com/vivodi/docker-flexget
  #1 0.353  * [new branch]      dependabot/docker/python-3.13-alpine -> origin/dependabot/docker/python-3.13-alpine
  #1 0.353  * [new branch]      dependabot/pip/python-levenshtein-0.26.1 -> origin/dependabot/pip/python-levenshtein-0.26.1
  #1 0.353  * [new branch]      fix-workflow -> origin/fix-workflow
  #1 0.353  * [new branch]      main         -> origin/main
  #1 0.354  * [new branch]      main2        -> origin/main2
  #1 0.354  * [new branch]      readme       -> origin/readme
  #1 0.362 fatal: unable to read tree (569a8e0674b0f11330577cddb340fbc67871e4f2)
  #1 ERROR: failed to checkout remote https://github.com/vivodi/docker-flexget.git: git stderr:
  fatal: unable to read tree (569a8e0674b0f11330577cddb340fbc67871e4f2)
  : exit status 128
  ------
   > [internal] load git source https://github.com/vivodi/docker-flexget.git#569a8e0674b0f11330577cddb340fbc67871e4f2:
  0.020 Initialized empty Git repository in /var/lib/buildkit/runc-overlayfs/snapshots/snapshots/1/fs/
  0.024 fatal: Not a valid object name 569a8e0674b0f11330577cddb340fbc67871e4f2^{commit}
  0.353 From https://github.com/vivodi/docker-flexget
  0.353  * [new branch]      dependabot/docker/python-3.13-alpine -> origin/dependabot/docker/python-3.13-alpine
  0.353  * [new branch]      dependabot/pip/python-levenshtein-0.26.1 -> origin/dependabot/pip/python-levenshtein-0.26.1
  0.353  * [new branch]      fix-workflow -> origin/fix-workflow
  0.353  * [new branch]      main         -> origin/main
  0.354  * [new branch]      main2        -> origin/main2
  0.354  * [new branch]      readme       -> origin/readme
  0.362 fatal: unable to read tree (569a8e0674b0f11330577cddb340fbc67871e4f2)
  ------
  ERROR: failed to solve: failed to checkout remote https://github.com/vivodi/docker-flexget.git: git stderr:
  fatal: unable to read tree (569a8e0674b0f11330577cddb340fbc67871e4f2)
  : exit status 128
Error: cannot parse bake definitions: : exit status 128

Repository URL

No response

Workflow run URL

No response

YAML workflow

- uses: docker/bake-action@v5
  with:
    source: ${{ github.server_url }}/${{ github.repository }}.git#${{ github.event.pull_request.merge_commit_sha }}

Workflow logs

No response

BuildKit logs

No response

Additional info

No response

@crazy-max
Copy link
Member

I was looking at your last failed job in https://github.com/vivodi/docker-flexget/actions/runs/11629651174/job/32387025483#step:7:212

And doesn't seem commit 569a8e0674b0f11330577cddb340fbc67871e4f2 belongs to any branch on your repo as also shown on GitHub: https://github.com/vivodi/docker-flexget/tree/569a8e0674b0f11330577cddb340fbc67871e4f2.

Image

on a merge commit

I don't think you can safely rely on merge commit as this is a reference created by GitHub to keep track of what would happen if a pull request was merged and could therefore not be part of the working tree.

in a pull_request_target event.

Also why do you want to rely on pull_request_target and not pull_request? Fyi pull_request_target runs in the context of the base of the pull request, rather than in the context of the merge commit, as the pull_request event does so would not take any changes in your PR into account. Maybe that's why you need github.event.pull_request.merge_commit_sha but I'm confused on the purpose of your workflow.

- uses: docker/bake-action@v5
  with:
    source: ${{ github.server_url }}/${{ github.repository }}.git#${{ github.event.pull_request.merge_commit_sha }}

Did you try with?:

- uses: docker/bake-action@v5
  with:
    source: "{{defaultContext}}"

@vivodi
Copy link
Author

vivodi commented Nov 1, 2024

pull_request_target can access secrets, while pull_request cannot.

I want to publish Docker images generated by PRs for testing, just with running docker pull vivodi/flexget:pr-<pr number>. To publish images I have to use pull_request_target instead of pull_request because the workflow needs access to secrets. (I save my Docker Hub password in repo secrets for publishing.)

For pull_request_target, {{defaultContext}} gets the context of the base of the pull request, so it doesn't satisfy my need as I need the context of the merge commit.

I think it's safe to rely on merge commits as pull_request runs in the context of the merge commit.

Most importantly,

- uses: actions/checkout@v4
  with:
    ref: ${{ github.event.pull_request.merge_commit_sha }}
- uses: docker/bake-action@v5

works, but

- uses: docker/bake-action@v5
  with:
    source: ${{ github.server_url }}/${{ github.repository }}.git#${{ github.event.pull_request.merge_commit_sha }}

doesn't work, so I believe it's a bug with docker/bake-action.

@vivodi
Copy link
Author

vivodi commented Nov 1, 2024

Merge commits are indeed not part of the working tree, but pull_request use them as context, so it is safe. actions/checkout can read them successfully, but docker/bake-action cannot, so I believe it's a bug with docker/bake-action.

@crazy-max
Copy link
Member

actions/checkout can read them successfully, but docker/bake-action cannot, so I believe it's a bug with docker/bake-action.

This might be a buildkit bug in git source. actions/checkout probably has custom logic similar to docker/build-push-action#1222 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants