dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Golang Docker containers updated to a non-stable version. 1.17.7 to 1.18rc1 #4798

Open atc0005 opened 2 years ago

atc0005 commented 2 years ago

Package ecosystem

Package manager version

Language version

Manifest location and content prior to update

PRs were submitted to update these from 1.17.7 to 1.18rc1:

These files were successfully updated:

The branch was at this point in time when the PRs were submitted:

https://github.com/atc0005/go-ci/tree/82e831662089b357f00caee59a48c8e97e989c7d

dependabot.yml content

Updated dependency

What you expected to see, versus what you actually saw

Native package manager behavior

Images of the diff or a link to the PR, issue or logs

🕹 Bonus points: Smallest manifest that reproduces the issue

Apologies, I'm not certain what settings in the Dependabot configuration are irrelevant, so do not want to strip out any details which might make this harder to troubleshoot.

atc0005 commented 2 years ago

PRs were submitted to update these from 1.17.7 to 1.18rc1:

  • /stable/combined/Dockerfile

Log output from a recent recheck against this file:

proxy | time="2022-03-04T13:18:22Z" level=info msg="proxy starting" commit=0cfe6fc8a85a641097e4d9faf5c8349b892b1e40
  proxy | 2022/03/04 13:18:22 Listening (:1080)
updater | 2022-03-04T13:18:22.932365486 [anonymous-instance:main:WARN:src/firecracker/src/main.rs:370] You are using a deprecated parameter: --seccomp-level 2, that will be removed in a future version.
updater | 2022-03-04T13:18:22.998264022 [310057742:main:WARN:src/devices/src/legacy/serial.rs:432] Detached the serial input due to peer close/error.
updater | time="2022-03-04T13:18:25Z" level=info msg="guest starting" commit=a5729a532c883b4e3cd2f515bc51b56439833597
updater | time="2022-03-04T13:18:25Z" level=info msg="starting job..." fetcher_timeout=5m0s job_id=310057742 updater_timeout=45m0s updater_version=0.176.0-cd3d79e20e6bf666ffd2378bf45b74abd83328ca
updater | I, [2022-03-04T13:18:28.745166 #7]  INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | INFO <job_310057742> Starting job processing
  proxy | 2022/03/04 13:18:34 [002] GET https://api.github.com:443/repos/atc0005/go-ci/git/refs/heads/master
  proxy | 2022/03/04 13:18:34 [002] * authenticating github api request
  proxy | 2022/03/04 13:18:34 [002] 200 https://api.github.com:443/repos/atc0005/go-ci/git/refs/heads/master
  proxy | 2022/03/04 13:18:34 [004] GET https://api.github.com:443/repos/atc0005/go-ci/contents/stable/combined?ref=9a7309e4fba697b15cbb32a0380a3b5c51010589
  proxy | 2022/03/04 13:18:34 [004] * authenticating github api request
  proxy | 2022/03/04 13:18:34 [004] 200 https://api.github.com:443/repos/atc0005/go-ci/contents/stable/combined?ref=9a7309e4fba697b15cbb32a0380a3b5c51010589
  proxy | 2022/03/04 13:18:34 [006] GET https://api.github.com:443/repos/atc0005/go-ci/contents/stable/combined/Dockerfile?ref=9a7309e4fba697b15cbb32a0380a3b5c51010589
  proxy | 2022/03/04 13:18:34 [006] * authenticating github api request
  proxy | 2022/03/04 13:18:34 [006] 200 https://api.github.com:443/repos/atc0005/go-ci/contents/stable/combined/Dockerfile?ref=9a7309e4fba697b15cbb32a0380a3b5c51010589
updater | INFO <job_310057742> Finished job processing
updater | time="2022-03-04T13:18:34Z" level=info msg="task complete" container_id=job-310057742-file-fetcher exit_code=0 job_id=310057742 step=fetcher
updater | I, [2022-03-04T13:18:36.659853 #7]  INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | INFO <job_310057742> Starting job processing
updater | INFO <job_310057742> Starting update job for atc0005/go-ci
updater | INFO <job_310057742> Checking if golang 1.17.7 needs updating
  proxy | 2022/03/04 13:18:39 [010] GET https://registry.hub.docker.com:443/v2/library/golang/tags/list
  proxy | 2022/03/04 13:18:39 [010] 401 https://registry.hub.docker.com:443/v2/library/golang/tags/list
  proxy | 2022/03/04 13:18:39 [012] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:39 [012] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:39 [014] GET https://registry.hub.docker.com:443/v2/library/golang/tags/list
  proxy | 2022/03/04 13:18:40 [014] 200 https://registry.hub.docker.com:443/v2/library/golang/tags/list
  proxy | 2022/03/04 13:18:40 [016] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/latest
  proxy | 2022/03/04 13:18:40 [016] 401 https://registry.hub.docker.com:443/v2/library/golang/manifests/latest
  proxy | 2022/03/04 13:18:40 [018] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:40 [018] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:40 [020] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/latest
  proxy | 2022/03/04 13:18:40 [020] 200 https://registry.hub.docker.com:443/v2/library/golang/manifests/latest
  proxy | 2022/03/04 13:18:40 [022] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.18rc1
  proxy | 2022/03/04 13:18:40 [022] 401 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.18rc1
  proxy | 2022/03/04 13:18:40 [024] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:40 [024] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:40 [026] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.18rc1
  proxy | 2022/03/04 13:18:40 [026] 200 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.18rc1
  proxy | 2022/03/04 13:18:40 [028] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.18beta2
  proxy | 2022/03/04 13:18:40 [028] 401 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.18beta2
  proxy | 2022/03/04 13:18:40 [030] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:40 [030] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:40 [032] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.18beta2
  proxy | 2022/03/04 13:18:40 [032] 200 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.18beta2
  proxy | 2022/03/04 13:18:40 [034] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.18beta1
  proxy | 2022/03/04 13:18:40 [034] 401 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.18beta1
  proxy | 2022/03/04 13:18:40 [036] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:40 [036] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:40 [038] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.18beta1
  proxy | 2022/03/04 13:18:41 [038] 200 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.18beta1
  proxy | 2022/03/04 13:18:41 [040] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.8
  proxy | 2022/03/04 13:18:41 [040] 401 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.8
  proxy | 2022/03/04 13:18:41 [042] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:41 [042] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:41 [044] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.8
  proxy | 2022/03/04 13:18:41 [044] 200 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.8
  proxy | 2022/03/04 13:18:41 [046] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.7
  proxy | 2022/03/04 13:18:41 [046] 401 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.7
  proxy | 2022/03/04 13:18:41 [048] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:41 [048] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:41 [050] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.7
  proxy | 2022/03/04 13:18:41 [050] 200 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.7
  proxy | 2022/03/04 13:18:41 [052] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.6
  proxy | 2022/03/04 13:18:41 [052] 401 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.6
  proxy | 2022/03/04 13:18:41 [054] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:41 [054] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:41 [056] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.6
  proxy | 2022/03/04 13:18:41 [056] 200 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.6
  proxy | 2022/03/04 13:18:41 [058] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.5
  proxy | 2022/03/04 13:18:41 [058] 401 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.5
  proxy | 2022/03/04 13:18:41 [060] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:41 [060] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:41 [062] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.5
  proxy | 2022/03/04 13:18:41 [062] 200 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.5
  proxy | 2022/03/04 13:18:41 [064] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.4
  proxy | 2022/03/04 13:18:41 [064] 401 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.4
  proxy | 2022/03/04 13:18:41 [066] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:41 [066] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:41 [068] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.4
  proxy | 2022/03/04 13:18:41 [068] 200 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.4
  proxy | 2022/03/04 13:18:41 [070] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.3
  proxy | 2022/03/04 13:18:41 [070] 401 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.3
  proxy | 2022/03/04 13:18:41 [072] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:41 [072] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:41 [074] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.3
  proxy | 2022/03/04 13:18:41 [074] 200 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.3
  proxy | 2022/03/04 13:18:41 [076] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.2
  proxy | 2022/03/04 13:18:41 [076] 401 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.2
  proxy | 2022/03/04 13:18:41 [078] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:41 [078] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:41 [080] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.2
  proxy | 2022/03/04 13:18:41 [080] 200 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.2
  proxy | 2022/03/04 13:18:41 [082] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.1
  proxy | 2022/03/04 13:18:41 [082] 401 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.1
  proxy | 2022/03/04 13:18:41 [084] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:41 [084] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:41 [086] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.1
  proxy | 2022/03/04 13:18:41 [086] 200 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.1
  proxy | 2022/03/04 13:18:41 [088] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.0
  proxy | 2022/03/04 13:18:41 [088] 401 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.0
  proxy | 2022/03/04 13:18:42 [090] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:42 [090] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:42 [092] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.0
  proxy | 2022/03/04 13:18:42 [092] 200 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17.0
  proxy | 2022/03/04 13:18:42 [094] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17
  proxy | 2022/03/04 13:18:42 [094] 401 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17
  proxy | 2022/03/04 13:18:42 [096] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:42 [096] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2022/03/04 13:18:42 [098] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17
  proxy | 2022/03/04 13:18:42 [098] 200 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.17
updater | INFO <job_310057742> Latest version is 1.18rc1
updater | INFO <job_310057742> Pull request already exists for golang with latest version 1.18rc1
updater | INFO <job_310057742> Finished job processing
updater | time="2022-03-04T13:18:42Z" level=info msg="task complete" container_id=job-310057742-updater exit_code=0 job_id=310057742 step=updater

I had just removed this setting to see if maybe it was allowing non-stable container versions to be considered as valid stable version updates:

    allow:
      - dependency-type: "all"

jeffwidman commented 2 years ago

I saw this recently too in a private repo where Dependabot tried to go from go 1.18 -> 1.19rc1 (or whatever the pre-release tag was).

This is definitely a bug, if you're on stable we should not try to bump you to pre-release.

I haven't had time to track down the root cause yet.

jeffwidman commented 2 years ago

See also https://github.com/dependabot/dependabot-core/issues/4643. We should probably use both the Dockerfile names from that issue and from this issue in the eventual PR tests, since that one has a suffix and this one doesn't.

deivid-rodriguez commented 1 year ago

I haven't tested anything yet, just checked the relevant code, but I think the issue is that this method is incorrect:

https://github.com/dependabot/dependabot-core/blob/252cb9a123e82391995797fdac45cb8b6f49cbe7/docker/lib/dependabot/docker/update_checker.rb#L303-L313

The numeric_version_from(tag) method extracts only the major version segment, for example, "3" from "3.11.0a4-slim". That's never going to get identified as a prerelease (for example, the check of whether it has letters will always fail). That means prereleases are never filtered out and we get update PRs.

Instead, the method should use the full version to identify prereleases, for example, "3.11.0a4" from "3.11.0a4-slim".

I can work on this in a couple of weeks!
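
The flawed check described in the comment above, with a corrected form beside it, as an added example in Ruby (the language of dependabot-core). This is not dependabot-core's own code: the tag regex, the helper names (major_only, full_version, latest_tag), and the tag lists are assumptions made for the illustration. The golang tag list mirrors the tags probed in the registry log earlier in the thread; the python tags are constructed from the later comment about 3.12.4-slim-bullseye. Ruby's stdlib Gem::Version is used for ordering and for the letter-based prerelease test.

```ruby
# Added example, not dependabot-core's own code: the prerelease check that the
# comment above describes, in its flawed form (major segment only) next to a
# corrected form (full version component). Tag shapes, regexes and the
# candidate lists are assumptions constructed for this illustration.
require "rubygems" # Gem::Version (stdlib): ordering and prerelease? test

# Assumed Docker tag shape: <version>[-<variant>], e.g. "3.11.0a4-slim",
# "1.17.7-alpine3.15", "1.18rc1". The version part is digits and dots with an
# optional trailing letter marker such as rc1, beta2, a4.
TAG_RE = /\A(?<version>\d+(?:\.\d+)*(?:[a-z]+\d*)?)(?:-(?<variant>.+))?\z/i

# Flawed extraction described in the thread: only the leading major segment.
# "3.11.0a4-slim" -> "3", which can never look like a prerelease.
def major_only(tag)
  m = tag.match(/\A\d+/)
  m && m[0]
end

# Corrected extraction: the whole version component before the variant suffix.
# "3.11.0a4-slim" -> "3.11.0a4"; "latest" -> nil (not a version tag).
def full_version(tag)
  m = TAG_RE.match(tag)
  m && m[:version]
end

# Variant suffix of a tag: "slim-bullseye" for "3.12.4-slim-bullseye", nil if none.
def variant_of(tag)
  m = TAG_RE.match(tag)
  m && m[:variant]
end

# Prerelease iff the version string carries a letter marker (rc, beta, a, b, ...).
# Gem::Version#prerelease? implements exactly that letter test.
def prerelease?(version_str)
  return false if version_str.nil? || !Gem::Version.correct?(version_str)
  Gem::Version.new(version_str).prerelease?
end

# Pick the newest candidate with the same variant suffix as the current tag.
# `extractor` derives the string that is checked for prerelease markers: pass
# method(:major_only) to reproduce the bug, method(:full_version) for the
# corrected behaviour. Ordering always uses the full version, so the two runs
# differ only in the prerelease filter.
def latest_tag(current_tag, candidates, extractor)
  current = full_version(current_tag)
  raise ArgumentError, "cannot parse tag #{current_tag.inspect}" unless current

  allow_prerelease = prerelease?(current) # already on an rc: a newer rc is fine
  wanted_variant = variant_of(current_tag)

  candidates
    .select { |t| full_version(t) && variant_of(t) == wanted_variant }
    .reject { |t| !allow_prerelease && prerelease?(extractor.call(t)) }
    .max_by { |t| Gem::Version.new(full_version(t)) }
end

# Candidate tags as probed in the registry log earlier in the thread, plus
# "latest" to show that non-version tags are skipped.
GOLANG_TAGS = %w[latest 1.18rc1 1.18beta2 1.18beta1 1.17.8 1.17.7 1.17.6
                 1.17.5 1.17.4 1.17.3 1.17.2 1.17.1 1.17.0 1.17].freeze

# Constructed python tags modelled on the later comment about 3.12.4-slim-bullseye.
PYTHON_TAGS = %w[3.13.0rc1-slim-bullseye 3.12.4-slim-bullseye 3.12.3-slim-bullseye
                 3.13.0rc1-slim 3.12.4-slim].freeze

if __FILE__ == $PROGRAM_NAME
  puts "buggy:     #{latest_tag('1.17.7', GOLANG_TAGS, method(:major_only))}"   # 1.18rc1
  puts "corrected: #{latest_tag('1.17.7', GOLANG_TAGS, method(:full_version))}" # 1.17.8
end
```

With the major-only extractor every candidate passes the prerelease filter, so 1.17.7 is "updated" to 1.18rc1; with the full version the rc and beta tags are dropped and 1.17.8 wins. The variant filter keeps a -slim-bullseye image from being moved to a plain tag, and a current tag that is itself a prerelease is allowed to advance to a newer prerelease.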

deivid-rodriguez commented 1 year ago

I verified that this is now working as expected, and we have tests to check precisely for this, so I think this must've been fixed by some recent change.

If you run into this though, please reopen and we'll have a look!

Shubham82 commented 1 month ago

Hi @deivid-rodriguez, @jeffwidman, we encountered a similar issue in VPA (k8s/autoscaler), where Dependabot upgraded the Golang version of VPA components to 1.23rc1, which is not recommended. I'm wondering if it is a bug in Dependabot or if it happened due to a regression. Here are the corresponding PRs in which Dependabot upgraded the golang version to 1.23rc1:

https://github.com/kubernetes/autoscaler/pull/7000
https://github.com/kubernetes/autoscaler/pull/7001
https://github.com/kubernetes/autoscaler/pull/7002

We also opened a PR to resolve this issue, in which we configured the ignore option in dependabot.yaml so that Dependabot ignores Golang RC versions.

Any help would be appreciated!

Could you please reopen this issue?

Shubham82 commented 1 month ago

I'm wondering if it is a bug in Dependabot or if it happened due to a regression.

Hi @deivid-rodriguez, could you please take a look? Why did it happen?

deivid-rodriguez commented 1 month ago

Sorry, I no longer maintain this repo. I recommend you investigate the problem yourself by following the instructions in the README!

Shubham82 commented 1 month ago

Thanks, @deivid-rodriguez. Actually, I'm a newbie to the dependabot/dependabot-core repository. It would be great if one of the maintainers could take a look at this.

cc @jeffwidman @abdulapopoola @jurre

kojiromike commented 1 month ago

This also happens for Python containers. We just had "build(deps): bump python from 3.12.4-slim-bullseye to 3.13.0rc1-slim-bullseye" opened across a slew of repos today.

atc0005 commented 1 month ago

Seeing this again across many of the repos I manage.

Example (from today) below.


This PR was closed (marked as superseded):

This PR was opened:

This is even with the ignore constraint applied (https://github.com/atc0005/check-restart/blob/707196886077df8f4ba6a34578479899b93976f5/.github/dependabot.yml#L112-L116):

    ignore:
      - dependency-name: "golang"
        versions:
          - ">= 1.22"
          - "< 1.21"
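
A local check of which candidate tags the two ignore ranges quoted above would cover, as an added example in Ruby; it is not dependabot-core's own code. It uses the stdlib Gem::Requirement and Gem::Version range semantics, which are an assumption here and not a statement of how dependabot-core applies `ignore` to Docker tags. Apart from 1.23rc1, the candidate tags and the helper names (tag_version, ignored?, partition_candidates) are constructed for the illustration.

```ruby
# Added example, not dependabot-core's own code: evaluate the ignore ranges from
# the dependabot.yml above against candidate golang tags with Ruby's stdlib
# Gem::Requirement/Gem::Version. Assumption: plain RubyGems range semantics,
# not dependabot-core's own requirement handling. Candidates other than
# 1.23rc1 are constructed.
require "rubygems"

IGNORE_RANGES = [">= 1.22", "< 1.21"].freeze # the two ranges from the config above

# Version component of a tag (digits/dots plus an optional letter marker such
# as rc1), ending either at a -suffix or at the end of the tag.
def tag_version(tag)
  m = tag.match(/\A(\d+(?:\.\d+)*(?:[a-z]+\d*)?)(?:-|\z)/i)
  m && m[1]
end

# A tag is ignored when any range is satisfied by its version. Non-version
# tags such as "latest" are not evaluated and are reported as not ignored.
def ignored?(tag, ranges = IGNORE_RANGES)
  v = tag_version(tag)
  return false unless v && Gem::Version.correct?(v)
  version = Gem::Version.new(v)
  ranges.any? { |r| Gem::Requirement.new(r).satisfied_by?(version) }
end

# Split candidates into [ignored, allowed], preserving input order.
def partition_candidates(tags, ranges = IGNORE_RANGES)
  tags.partition { |t| ignored?(t, ranges) }
end

CANDIDATES = %w[1.23rc1 1.22.5 1.21.12 1.21.0 1.20.14 latest].freeze # constructed

if __FILE__ == $PROGRAM_NAME
  ignored, allowed = partition_candidates(CANDIDATES)
  puts "ignored: #{ignored.join(' ')}" # 1.23rc1 1.22.5 1.20.14
  puts "allowed: #{allowed.join(' ')}" # 1.21.12 1.21.0 latest
end
```

Under these semantics 1.23rc1 satisfies ">= 1.22" (the rc marker does not exempt it from a range comparison), so a tag like that would be excluded; 1.21.0 sits exactly on the lower bound and is kept. Running a check like this against the tags a registry actually lists is a cheap way to confirm that an ignore block says what you think it says before relying on it.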