Go and dependabot thinks there is a v1.0.0 tag for pkg/apis #549

Open
chrischdi opened this issue Apr 16, 2024 · 1 comment

@chrischdi

Dependabot opened a bump PR for:

I wanted to take a look at the diff and realised the repo does not have a v1.0.0 tag or pkg/apis/v1.0.0.

Taking a look at how Go resolves this:

for v1.0.0:

❯ go mod download -json github.com/vmware-tanzu/nsx-operator/pkg/apis@v1.0.0
{
        "Path": "github.com/vmware-tanzu/nsx-operator/pkg/apis",
        "Version": "v1.0.0",
        "Info": "/Users/schlotterc/go/pkg/mod/cache/download/github.com/vmware-tanzu/nsx-operator/pkg/apis/@v/v1.0.0.info",
        "GoMod": "/Users/schlotterc/go/pkg/mod/cache/download/github.com/vmware-tanzu/nsx-operator/pkg/apis/@v/v1.0.0.mod",
        "Zip": "/Users/schlotterc/go/pkg/mod/cache/download/github.com/vmware-tanzu/nsx-operator/pkg/apis/@v/v1.0.0.zip",
        "Dir": "/Users/schlotterc/go/pkg/mod/github.com/vmware-tanzu/nsx-operator/pkg/apis@v1.0.0",
        "Sum": "h1:jmHI88hySjGqkpc/QUmSY5G5SsDvoXxmKFEK/GmcHWs=",
        "GoModSum": "h1:ZR/7rewflpAhnswQ6NVkFN0JmaqHgmvDyFVsJLmZ+pw=",
        "Origin": {
                "VCS": "git",
                "URL": "https://github.com/vmware-tanzu/nsx-operator",
                "Subdir": "pkg/apis",
                "Hash": "553261d24be7d22d76251fae0cd85bb51be9bb9d",
                "Ref": "refs/tags/pkg/apis/v1.0.0"
        }
}

for v0.1.0:

❯ go mod download -json github.com/vmware-tanzu/nsx-operator/pkg/apis@v0.1.0
{
        "Path": "github.com/vmware-tanzu/nsx-operator/pkg/apis",
        "Version": "v0.1.0",
        "Info": "/Users/schlotterc/go/pkg/mod/cache/download/github.com/vmware-tanzu/nsx-operator/pkg/apis/@v/v0.1.0.info",
        "GoMod": "/Users/schlotterc/go/pkg/mod/cache/download/github.com/vmware-tanzu/nsx-operator/pkg/apis/@v/v0.1.0.mod",
        "Zip": "/Users/schlotterc/go/pkg/mod/cache/download/github.com/vmware-tanzu/nsx-operator/pkg/apis/@v/v0.1.0.zip",
        "Dir": "/Users/schlotterc/go/pkg/mod/github.com/vmware-tanzu/nsx-operator/pkg/apis@v0.1.0",
        "Sum": "h1:HdnQb/X9vJ8a5WQ03g/0nDr9igIIK1fF6wO5wOtkJT4=",
        "GoModSum": "h1:Q4JzNkNMvjo7pXtlB5/R3oME4Nhah7fAObWgghVmtxk=",
        "Origin": {
                "VCS": "git",
                "URL": "https://github.com/vmware-tanzu/nsx-operator",
                "Subdir": "pkg/apis",
                "Hash": "1269a61ff22c969923f260553d7961803e53f63e",
                "Ref": "refs/tags/pkg/apis/v0.1.0"
        }
}

If we now take a look at the Hash, which is the commit hash referenced:

  • v1.0.0: 553261d24be7d22d76251fae0cd85bb51be9bb9d:

    ❯ git show 553261d24be7d22d76251fae0cd85bb51be9bb9d
    commit 553261d24be7d22d76251fae0cd85bb51be9bb9d
    Merge: 1ef2441 1d51c28
    Author: zhengxiexie <[email protected]>
    Date:   Mon Oct 30 13:13:15 2023 +0800
    
        Merge pull request #288 from zhengxiexie/codegen_alpha2_vpc_dev
    
        Support codegen for v1alpha2
  • v0.1.0: 1269a61ff22c969923f260553d7961803e53f63e

    ❯ git show 1269a61ff22c969923f260553d7961803e53f63e
    commit 1269a61ff22c969923f260553d7961803e53f63e (tag: pkg/apis/v0.1.0)
    Author: XiaoPei Liu <[email protected]>
    Date:   Fri Dec 22 10:02:17 2023 +0800
    
        Change pkg/apis and pkg/client in go.mod
    
        In go.mod, change to use local pkg/apis and pkg/client.

We can see v1.0.0 is actually older. Also that commit only exists on the vpc_dev branch, not on main.

I wanted to know where this came from, if there maybe was a push of a v1.0.0 tag by accident?

@sbueringer

Please note, there is a realistic danger of folks downgrading by bumping to the v1.0.0 tag. We almost did it in CAPV.
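
A check for the downgrade risk raised in this thread, as an added example that is not part of the issue or of the nsx-operator project: it takes two records in the shape of `go list -m -json <module>@<version>` output and flags a bump whose version number goes up while the commit time goes back. The function names and the sample records are assumptions; the sample times are constructed from the `Date:` lines quoted above, converted to UTC.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Constructed records: versions from the issue, times from the Date lines
// of its `git show` output in UTC (what `go list` reports may differ).
const currentJSON = `{"Version":"v0.1.0","Time":"2023-12-22T02:02:17Z"}`
const proposedJSON = `{"Version":"v1.0.0","Time":"2023-10-30T05:13:15Z"}`

// parse decodes one record and splits a plain vMAJOR.MINOR.PATCH version
// (pre-release and build suffixes are ignored in this sketch).
func parse(raw string) (t time.Time, n [3]int, err error) {
	var m struct {
		Version string
		Time    time.Time
	}
	if err = json.Unmarshal([]byte(raw), &m); err != nil {
		return
	}
	_, err = fmt.Sscanf(m.Version, "v%d.%d.%d", &n[0], &n[1], &n[2])
	return m.Time, n, err
}

// SuspiciousBump reports whether proposed has a higher version number than
// current while pointing at an older commit.
func SuspiciousBump(current, proposed string) (bool, error) {
	ct, cv, err := parse(current)
	if err != nil {
		return false, err
	}
	pt, pv, err := parse(proposed)
	if err != nil {
		return false, err
	}
	for i := range pv {
		if pv[i] != cv[i] {
			return pv[i] > cv[i] && pt.Before(ct), nil
		}
	}
	return false, nil
}

func main() {
	fmt.Println(SuspiciousBump(currentJSON, proposedJSON)) // true <nil>
}
```

Run against the real `go list -m -json` output for the version in go.mod and the version a bump PR proposes, a `true` result is a reason to inspect the commit behind the proposed version before merging.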
