
dependabot fails because it cannot find a VCS for a transitive dependency (istio.io/api) #6889

Closed
1 task done
ialidzhikov opened this issue Mar 22, 2023 · 2 comments
Labels
L: go:modules Golang modules T: bug 🐞 Something isn't working transitive-dependencies

Comments

@ialidzhikov

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

gomod

Package manager version

v1

Language version

golang 1.19

Manifest location and content before the Dependabot update

No response

dependabot.yml content

https://github.com/gardener/gardener-extension-os-gardenlinux/blob/master/.github/dependabot.yaml:

version: 2
updates:
- package-ecosystem: gomod
  directory: /
  schedule:
    interval: daily
  open-pull-requests-limit: 5
  allow:
  - dependency-name: "github.com/gardener/gardener"
  labels:
  - kind/enhancement

Updated dependency

No response

What you expected to see, versus what you actually saw

I see:

Dependabot can't resolve your Go dependency files
Dependabot failed to update your dependencies because there was an error resolving your Go dependency files.

Dependabot encountered the following error:

Cannot detect VCS for istio.io/api. Attempted to detect VCS because the version looks like a git revision: v0.0.0-20221013011440-bc935762d2b9

Update logs:

  proxy | time="2023-03-22T09:30:24Z" level=info msg="proxy starting" commit=74815838778449a9a4744ea95c8ffd345ea5bff4
  proxy | 2023/03/22 09:30:24 Listening (:1080)
updater | 2023-03-22T09:30:25.694590782 [631049029:main:WARN:src/devices/src/legacy/serial.rs:222] Detached the serial input due to peer close/error.
updater | time="2023-03-22T09:30:27Z" level=info msg="guest starting" commit=e4d75e3df9f05999ca5be48d7ea098b83d995771
updater | time="2023-03-22T09:30:27Z" level=info msg="starting job..." fetcher_timeout=10m0s job_id=631049029 updater_timeout=45m0s updater_version=9b526b7214f5b03a6d9378efb03b1cc55d258762-gomod
updater | 2023/03/22 09:30:29 INFO Raven 3.1.2 ready to catch errors
updater | 2023/03/22 09:30:30 INFO <job_631049029> Starting job processing
  proxy | 2023/03/22 09:30:31 [002] GET https://github.com:443/gardener/gardener-extension-os-gardenlinux/info/refs?service=git-upload-pack
  proxy | 2023/03/22 09:30:31 [002] * authenticating git server request (host: github.com)
  proxy | 2023/03/22 09:30:31 [002] 200 https://github.com:443/gardener/gardener-extension-os-gardenlinux/info/refs?service=git-upload-pack
  proxy | 2023/03/22 09:30:31 [004] POST https://github.com:443/gardener/gardener-extension-os-gardenlinux/git-upload-pack
  proxy | 2023/03/22 09:30:31 [004] * authenticating git server request (host: github.com)
  proxy | 2023/03/22 09:30:31 [004] 200 https://github.com:443/gardener/gardener-extension-os-gardenlinux/git-upload-pack
  proxy | 2023/03/22 09:30:31 [006] POST https://github.com:443/gardener/gardener-extension-os-gardenlinux/git-upload-pack
  proxy | 2023/03/22 09:30:31 [006] * authenticating git server request (host: github.com)
  proxy | 2023/03/22 09:30:31 [006] 200 https://github.com:443/gardener/gardener-extension-os-gardenlinux/git-upload-pack
updater | 2023/03/22 09:30:34 INFO <job_631049029> Finished job processing
updater | time="2023-03-22T09:30:34Z" level=info msg="task complete" container_id=job-631049029-file-fetcher exit_code=0 job_id=631049029 step=fetcher
updater | 2023/03/22 09:30:36 INFO Raven 3.1.2 ready to catch errors
updater | 2023/03/22 09:30:37 INFO <job_631049029> Starting job processing
updater | 2023/03/22 09:30:37 INFO <job_631049029> Starting update job for gardener/gardener-extension-os-gardenlinux
updater | 2023/03/22 09:30:37 INFO <job_631049029> Checking all dependencies for version updates...
  proxy | 2023/03/22 09:30:37 [010] GET https://google.golang.org:443/genproto?go-get=1
  proxy | 2023/03/22 09:30:37 [010] 200 https://google.golang.org:443/genproto?go-get=1
  proxy | 2023/03/22 09:30:37 [012] GET https://istio.io:443/api?go-get=1
  proxy | 2023/03/22 09:30:37 [012] 404 https://istio.io:443/api?go-get=1
updater | 2023/03/22 09:30:37 INFO <job_631049029> Finished job processing
updater | 2023/03/22 09:30:37 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +--------------------------------+
updater | |             Errors             |
updater | +--------------------------------+
updater | | dependency_file_not_resolvable |
updater | +--------------------------------+
updater | time="2023-03-22T09:30:37Z" level=info msg="task complete" container_id=job-631049029-updater exit_code=0 job_id=631049029 step=updater

The istio.io/api dependency does not have its tags prefixed with v - see istio/api#2178. That's why we have the indirect dependency:

	istio.io/api v0.0.0-20221013011440-bc935762d2b9 // indirect

in our go.mod.

Native package manager behavior

Go works perfectly fine with the current go.mod. See https://github.com/gardener/gardener-extension-os-gardenlinux.

Images of the diff or a link to the PR, issue, or logs

I already shared logs above.

Smallest manifest that reproduces the issue

No response

@jeffwidman
Member

I suspect the root cause is:

If we flipped to using upstream native tooling instead of a sorta-fork of upstream I expect this would start working.

@jakecoffman
Member

I think @jeffwidman is right. Job 631049029 ran at 2023-03-22 09:30:24 UTC, before this change landed: #6723

So at the time, the code would have called https://istio.io:443/api?go-get=1 early in the update process, which 404'd and failed the job.

That server is no longer 404ing, but thanks to #6723, we no longer gather that metadata early in the update process. It only gets called during metadata finding; if that fails, the PR will still be created, just with less informative content.

No matter which method we use to gather the metadata, if the remote server returns a 404 there's not much we can do about it, but now at least the jobs should not fail.

I can see jobs are now succeeding on that repo, so I'll close this issue out. Thanks for reporting this!
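
An added illustration of the behaviour discussed in this thread, not Dependabot's code and not part of the comments above: a `?go-get=1` VCS lookup for a pseudo-versioned module, once as a hard error and once as a best-effort metadata lookup. The function names, the simplified pseudo-version pattern, and the `example.test` sample page are assumptions made for the example; the transport is an offline stand-in where any path other than `/ok` answers 404.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"regexp"
	"testing/fstest"
)

// Pseudo-version shapes (simplified): vX.0.0-<time>-<rev>, vX.Y.Z-<pre>.0.<time>-<rev>, vX.Y.Z-0.<time>-<rev>.
var pseudoRE = regexp.MustCompile(`^v\d+\.(0\.0-|\d+\.\d+-([^+]*\.)?0\.)\d{14}-[0-9a-f]{12}(\+incompatible)?$`)
// go-import meta tag: content="<import-prefix> <vcs> <repo-root>".
var metaRE = regexp.MustCompile(`<meta\s+name="go-import"\s+content="(\S+)\s+(\S+)\s+(\S+)"`)
func IsPseudoVersion(v string) bool { return pseudoRE.MatchString(v) }

// DiscoverRepo fetches https://<module>?go-get=1 and returns the repo root (exact prefix match only).
func DiscoverRepo(c *http.Client, module string) (string, error) {
	resp, err := c.Get("https://" + module + "?go-get=1")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("cannot detect VCS for %s: HTTP %d", module, resp.StatusCode)
	}
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if m := metaRE.FindStringSubmatch(string(body)); m != nil && m[1] == module {
		return m[3], nil
	}
	return "", fmt.Errorf("no go-import meta tag for %s", module)
}

// RepoForMetadata is the best-effort variant: a failed lookup yields "" instead of failing the job.
func RepoForMetadata(c *http.Client, module string) string {
	repo, _ := DiscoverRepo(c, module)
	return repo
}

// SampleClient is constructed for this example: it serves one page at /ok and 404s everything else.
func SampleClient() *http.Client {
	page := `<meta name="go-import" content="example.test/ok git https://git.example.test/ok">`
	return &http.Client{Transport: http.NewFileTransport(http.FS(fstest.MapFS{"ok": {Data: []byte(page)}}))}
}

func main() {
	_, err := DiscoverRepo(SampleClient(), "istio.io/api")
	fmt.Println(IsPseudoVersion("v0.0.0-20221013011440-bc935762d2b9"), err)
}
```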
