Bump github.com/go-git/go-git/v5 from 5.12.0 to 5.14.0

[dependabot]

Bumps github.com/go-git/go-git/v5 from 5.12.0 to 5.14.0.

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.14.0

What's Changed

• v5: Bump Go and dependencies to mitigate GO-2025-3487 by @​pjbgf in go-git/go-git#1436

⚠️ Note that this version requires Go 1.23, due to the bump to golang.org/x/[email protected] which mitigates the CVE above. User's that can't bump to Go 1.23 will need to remain on the previous v5.13.x release.

Full Changelog: go-git/go-git@v5.13.2...v5.14.0

v5.13.2

What's Changed

• plumbing: use the correct user agent string. Fixes #883 by @​uragirii in go-git/go-git#1364
• build: bump golang.org/x/sys from 0.28.0 to 0.29.0 in the golang-org group by @​dependabot in go-git/go-git#1365
• build: bump the golang-org group with 2 updates by @​dependabot in go-git/go-git#1367
• build: bump github.com/ProtonMail/go-crypto from 1.1.3 to 1.1.4 by @​dependabot in go-git/go-git#1368
• build: bump github.com/go-git/go-billy/v5 from 5.6.1 to 5.6.2 by @​dependabot in go-git/go-git#1378
• build: bump github/codeql-action from 3.28.0 to 3.28.1 by @​dependabot in go-git/go-git#1376
• build: bump github.com/elazarl/goproxy from 1.2.3 to 1.4.0 by @​dependabot in go-git/go-git#1377
• git: worktree, fix restoring dot slash files (backported to v5). Fixes #1176 by @​BeChris in go-git/go-git#1361
• build: bump github.com/pjbgf/sha1cd from 0.3.0 to 0.3.2 by @​dependabot in go-git/go-git#1392
• git: worktree_status, fix adding dot slash files to working tree (backported to v5). Fixes #1150 by @​BeChris in go-git/go-git#1359
• build: bump github.com/ProtonMail/go-crypto from 1.1.4 to 1.1.5 by @​dependabot in go-git/go-git#1383

Full Changelog: go-git/go-git@v5.13.1...v5.13.2

v5.13.1

What's Changed

• build: bump github.com/go-git/go-billy/v5 from 5.6.0 to 5.6.1 by @​dependabot in go-git/go-git#1327
• build: bump github.com/elazarl/goproxy from 1.2.1 to 1.2.2 by @​dependabot in go-git/go-git#1329
• build: bump github.com/elazarl/goproxy from 1.2.2 to 1.2.3 by @​dependabot in go-git/go-git#1340
• Revert "plumbing: transport/ssh, Add support for SSH @​cert-authority." by @​pjbgf in #1346

Full Changelog: go-git/go-git@v5.13.0...v5.13.1

v5.13.0

What's Changed

• build: bump github.com/go-git/go-git/v5 from 5.11.0 to 5.12.0 in /cli/go-git by @​dependabot in go-git/go-git#1065
• build: bump golang.org/x/net from 0.22.0 to 0.23.0 by @​dependabot in go-git/go-git#1068
• build: bump golang.org/x/net from 0.23.0 to 0.24.0 by @​dependabot in go-git/go-git#1071
• Properly support skipping of non-mandatory extensions by @​codablock in go-git/go-git#1066
• git: Refine some codes in test and non-test. by @​onee-only in go-git/go-git#1077
• plumbing: protocol/packp, client-side filter capability support by @​edigaryev in go-git/go-git#1000
• build: bump golang.org/x/net from 0.22.0 to 0.23.0 in /cli/go-git by @​dependabot in go-git/go-git#1078
• plumbing: fix sideband demux on flush by @​aymanbagabas in go-git/go-git#1084
• storage: dotgit, head reference usually comes first by @​aymanbagabas in go-git/go-git#1085
• build: bump golang.org/x/text from 0.14.0 to 0.15.0 by @​dependabot in go-git/go-git#1091
• build: bump golang.org/x/crypto from 0.22.0 to 0.23.0 by @​dependabot in go-git/go-git#1094
• build: bump golang.org/x/net from 0.24.0 to 0.25.0 by @​dependabot in go-git/go-git#1093
• git: Added an example for Repository.Branches by @​johnmatthiggins in go-git/go-git#1088
• git: worktree_commit, Modify checking empty commit. Fixes #723 by @​onee-only in go-git/go-git#1050

... (truncated)

Commits

• 863c621 Merge pull request #1436 from pjbgf/v5-bumps
• 2e69e81 build: Bump dependencies
• b2c1ec9 build: Bump Go versions
• 2c68247 Merge pull request #1383 from go-git/dependabot/go_modules/github.com/ProtonM...
• d462c2e Merge pull request #1359 from BeChris/issue1150-v5
• 32ac23a Merge pull request #1392 from go-git/dependabot/go_modules/github.com/pjbgf/s...
• 93e635a build: bump github.com/pjbgf/sha1cd from 0.3.0 to 0.3.2
• b2bb975 git: worktree_status, took into account code review remarks
• 518ac88 git: worktree_status, fix adding dot slash files to working tree (backported ...
• 21b3150 build: bump github.com/ProtonMail/go-crypto from 1.1.4 to 1.1.5
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[per1234]

See the review on the previous bump PR:

#292 (comment)

I verified that the blocker bug mentioned there is still present in github.com/go-git/go-git/[email protected].

[per1234]

I made the following statement made in the previous review:

I verified that the blocker bug mentioned there is still present in github.com/go-git/go-git/[email protected]

It is true that the bug (go-git/go-git#1411) is still present. However, after further investigation I discovered that the original determination that go-git/go-git#1411 is a blocker for bumping github.com/go-git/go-git/v5 in libraries-repository-engine was erroneous.

Summary

It turns out that go-git/go-git#1411 is not effectively a regression for libraries-repository-engine. The reason is that the conditions under which go-git/go-git#1411 occurs would cause libraries-repository-engine to fault even without the bump.

Explanation

The conditions under which go-git/go-git#1411 occurs are:

• The repository contains a file with executable permissions.
• The the github.com/go-git/go-git/v5.Worktree.Checkout method is called.
• The application is running on a Windows machine.

After bumping the github.com/go-git/go-git/v5 dependency to v5.14.0 (or v5.13.2), a call to the github.com/arduino/libraries-repository-engine/internal/libraries/gitutils.CheckoutTag function will return an error under these conditions, here:

libraries-repository-engine/internal/libraries/gitutils/gitutils.go

Lines 174 to 176 in ec0ec0c

	if err = repoTree.Checkout(&git.CheckoutOptions{Hash: *resolvedTag, Force: true}); err != nil {
	return err
	}

However, the function will return an error under these conditions even with a version of github.com/go-git/go-git/v5 <v5.13.2. This is due to a separate bug in handling of these conditions: go-git/go-git#771. With the previous versions of github.com/go-git/go-git/v5, github.com/go-git/go-git/v5.Worktree.Checkout will not return an error, but github.com/go-git/go-git/v5.Status.IsClean returns false, this causes github.com/arduino/libraries-repository-engine/internal/libraries/gitutils.cleanRepository to return false:

libraries-repository-engine/internal/libraries/gitutils/gitutils.go

Line 221 in ec0ec0c

return repoStatus.IsClean(), nil

which in turn causes github.com/arduino/libraries-repository-engine/internal/libraries/gitutils.CheckoutTag to return an error:

libraries-repository-engine/internal/libraries/gitutils/gitutils.go

Lines 178 to 190 in ec0ec0c

	// Ensure the repository is checked out to a clean state.
	// Because it might not succeed on the first attempt, a retry is allowed.
	for range [2]int{} {
	clean, err := cleanRepository(repoTree)
	if err != nil {
	return err
	}
	if clean {
	return nil
	}
	}
	return fmt.Errorf("failed to get repository to clean state")

Conclusion

Since the bump does not cause an effective regression in libraries-repository-engine, there is no reason to refrain from accepting it.

Although ideally libraries-repository-engine would operate correctly under these conditions, the inability of the application to do so is not a critical defect. The reason is that the bug is specific to the Windows filesystem (which does not have the concept of executable file permissions) and the production usage of the application is exclusively on a Linux machine. So the defect could only impact contributors using a Windows machine to perform freestyle testing (the project's formal test suite does not provide coverage for these conditions).