Merge pull request #6259 from tonistiigi/git-tag-mutation-fix

tonistiigi · web-flow · commit 31c7091161f0 · 2025-10-08T13:27:28.000-07:00
git: handle tag changes in upstream
diff --git a/source/git/source.go b/source/git/source.go
@@ -105,24 +105,30 @@ func (gs *gitSource) Identifier(scheme, ref string, attrs map[string]string, pla
 }
 
 // needs to be called with repo lock
-func (gs *gitSource) mountRemote(ctx context.Context, remote string, authArgs []string, sha256 bool, g session.Group) (target string, release func() error, retErr error) {
+func (gs *gitSource) mountRemote(ctx context.Context, remote string, authArgs []string, sha256 bool, reset bool, g session.Group) (target string, release func() error, retErr error) {
 	sis, err := searchGitRemote(ctx, gs.cache, remote)
 	if err != nil {
 		return "", nil, errors.Wrapf(err, "failed to search metadata for %s", urlutil.RedactCredentials(remote))
 	}
 
 	var remoteRef cache.MutableRef
 	for _, si := range sis {
-		remoteRef, err = gs.cache.GetMutable(ctx, si.ID())
-		if err != nil {
-			if errors.Is(err, cache.ErrLocked) {
-				// should never really happen as no other function should access this metadata, but lets be graceful
-				bklog.G(ctx).Warnf("mutable ref for %s  %s was locked: %v", urlutil.RedactCredentials(remote), si.ID(), err)
-				continue
+		if reset {
+			if err := si.clearGitRemote(); err != nil {
+				bklog.G(ctx).Warnf("failed to clear git remote metadata for %s %s: %v", urlutil.RedactCredentials(remote), si.ID(), err)
+			}
+		} else {
+			remoteRef, err = gs.cache.GetMutable(ctx, si.ID())
+			if err != nil {
+				if errors.Is(err, cache.ErrLocked) {
+					// should never really happen as no other function should access this metadata, but lets be graceful
+					bklog.G(ctx).Warnf("mutable ref for %s  %s was locked: %v", urlutil.RedactCredentials(remote), si.ID(), err)
+					continue
+				}
+				return "", nil, errors.Wrapf(err, "failed to get mutable ref for %s", urlutil.RedactCredentials(remote))
 			}
-			return "", nil, errors.Wrapf(err, "failed to get mutable ref for %s", urlutil.RedactCredentials(remote))
+			break
 		}
-		break
 	}
 
 	initializeRepo := false
@@ -464,7 +470,7 @@ func (gs *gitSourceHandler) CacheKey(ctx context.Context, g session.Group, index
 	return cacheKey, sha, nil, true, nil
 }
 
-func (gs *gitSourceHandler) Snapshot(ctx context.Context, g session.Group) (out cache.ImmutableRef, retErr error) {
+func (gs *gitSourceHandler) Snapshot(ctx context.Context, g session.Group) (cache.ImmutableRef, error) {
 	cacheKey := gs.cacheKey
 	if cacheKey == "" {
 		var err error
@@ -491,13 +497,35 @@ func (gs *gitSourceHandler) Snapshot(ctx context.Context, g session.Group) (out
 	gs.locker.Lock(gs.src.Remote)
 	defer gs.locker.Unlock(gs.src.Remote)
 
+	ref, err := gs.trySnapshot(ctx, g, false)
+	if err != nil {
+		var wce *wouldClobberExistingTagError
+		var ulre *unableToUpdateLocalRefError
+		if errors.As(err, &wce) || errors.As(err, &ulre) {
+			ref, err = gs.trySnapshot(ctx, g, true)
+			if err != nil {
+				return nil, err
+			}
+		} else {
+			return nil, err
+		}
+	}
+
+	md := cacheRefMetadata{ref}
+	if err := md.setGitSnapshot(snapshotKey); err != nil {
+		return nil, err
+	}
+	return ref, nil
+}
+
+func (gs *gitSourceHandler) trySnapshot(ctx context.Context, g session.Group, reset bool) (out cache.ImmutableRef, retErr error) {
 	git, cleanup, err := gs.emptyGitCli(ctx, g)
 	if err != nil {
 		return nil, err
 	}
 	defer cleanup()
 
-	gitDir, unmountGitDir, err := gs.mountRemote(ctx, gs.src.Remote, gs.authArgs, gs.sha256, g)
+	gitDir, unmountGitDir, err := gs.mountRemote(ctx, gs.src.Remote, gs.authArgs, gs.sha256, reset, g)
 	if err != nil {
 		return nil, err
 	}
@@ -547,7 +575,19 @@ func (gs *gitSourceHandler) Snapshot(ctx context.Context, g session.Group) (out
 			args = append(args, "--force", ref+":"+targetRef)
 		}
 		if _, err := git.Run(ctx, args...); err != nil {
-			return nil, errors.Wrapf(err, "failed to fetch remote %s", urlutil.RedactCredentials(gs.src.Remote))
+			err := errors.Wrapf(err, "failed to fetch remote %s", urlutil.RedactCredentials(gs.src.Remote))
+			if strings.Contains(err.Error(), "rejected") && strings.Contains(err.Error(), "(would clobber existing tag)") {
+				// this can happen if a tag was mutated to another commit in remote.
+				// only hope is to abandon the existing shared repo and start a fresh one
+				return nil, &wouldClobberExistingTagError{err}
+			}
+			if strings.Contains(err.Error(), "(unable to update local ref)") && strings.Contains(err.Error(), "some local refs could not be updated;") {
+				// this can happen if a branch updated in remote so that old branch
+				// is now a parent dir of a new branch
+				return nil, &unableToUpdateLocalRefError{err}
+			}
+
+			return nil, err
 		}
 		_, err = git.Run(ctx, "reflog", "expire", "--all", "--expire=now")
 		if err != nil {
@@ -748,13 +788,25 @@ func (gs *gitSourceHandler) Snapshot(ctx context.Context, g session.Group) (out
 		}
 	}()
 
-	md := cacheRefMetadata{snap}
-	if err := md.setGitSnapshot(snapshotKey); err != nil {
-		return nil, err
-	}
 	return snap, nil
 }
 
+type wouldClobberExistingTagError struct {
+	error
+}
+
+func (e *wouldClobberExistingTagError) Unwrap() error {
+	return e.error
+}
+
+type unableToUpdateLocalRefError struct {
+	error
+}
+
+func (e *unableToUpdateLocalRefError) Unwrap() error {
+	return e.error
+}
+
 func (gs *gitSourceHandler) emptyGitCli(ctx context.Context, g session.Group, opts ...gitutil.Option) (*gitutil.GitCLI, func() error, error) {
 	var cleanups []func() error
 	cleanup := func() error {
@@ -863,6 +915,10 @@ func (md cacheRefMetadata) setGitRemote(key string) error {
 	return md.SetString(keyGitRemote, key, gitRemoteIndex+key)
 }
 
+func (md cacheRefMetadata) clearGitRemote() error {
+	return md.ClearValueAndIndex(keyGitRemote, gitRemoteIndex)
+}
+
 func gitCLI(opts ...gitutil.Option) *gitutil.GitCLI {
 	opts = append([]gitutil.Option{
 		gitutil.WithExec(runWithStandardUmask),
diff --git a/source/git/source_test.go b/source/git/source_test.go
@@ -831,6 +831,173 @@ func testFetchAnnotatedTagChecksums(t *testing.T, format string, keepGitDir bool
 	}
 }
 
+func TestFetchMutatedTagSHA1(t *testing.T) {
+	testFetchMutatedTag(t, "sha1", false)
+}
+
+func TestFetchMutatedTagKeepGitDirSHA1(t *testing.T) {
+	testFetchMutatedTag(t, "sha1", true)
+}
+
+func TestFetchMutatedTagSHA256(t *testing.T) {
+	testFetchMutatedTag(t, "sha256", false)
+}
+
+func TestFetchMutatedTagKeepGitDirSHA256(t *testing.T) {
+	testFetchMutatedTag(t, "sha256", true)
+}
+
+func testFetchMutatedTag(t *testing.T, format string, keepGitDir bool) {
+	ctx := t.Context()
+	if runtime.GOOS == "windows" {
+		t.Skip("Depends on unimplemented containerd bind-mount support on Windows")
+	}
+	repo := setupGitRepo(t, format)
+	cmd := exec.Command("git", "rev-parse", "v1.2.3")
+	cmd.Dir = repo.mainPath
+
+	out, err := cmd.Output()
+	require.NoError(t, err)
+
+	expLen := 40
+	if format == "sha256" {
+		expLen = 64
+	}
+	shaTag := strings.TrimSpace(string(out))
+	require.Equal(t, expLen, len(shaTag))
+
+	id := &GitIdentifier{Remote: repo.mainURL, Ref: shaTag, KeepGitDir: keepGitDir}
+	gs := setupGitSource(t, t.TempDir())
+
+	g, err := gs.Resolve(ctx, id, nil, nil)
+	require.NoError(t, err)
+
+	key1, pin1, _, done, err := g.CacheKey(ctx, nil, 0)
+	require.NoError(t, err)
+	require.True(t, done)
+
+	ref, err := g.Snapshot(ctx, nil)
+	require.NoError(t, err)
+	ref.Release(context.TODO())
+
+	// mutate the tag to point to another commit
+	cmd = exec.Command("git", "tag", "-f", "v1.2.3", "feature")
+	cmd.Dir = repo.mainPath
+	out, err = cmd.CombinedOutput()
+	require.NoError(t, err, string(out))
+
+	// verify that the tag now points to a different commit
+	cmd = exec.Command("git", "rev-parse", "v1.2.3")
+	cmd.Dir = repo.mainPath
+
+	out, err = cmd.Output()
+	require.NoError(t, err)
+
+	shaTagMutated := strings.TrimSpace(string(out))
+	require.Equal(t, expLen, len(shaTagMutated))
+	require.NotEqual(t, shaTag, shaTagMutated)
+
+	id = &GitIdentifier{Remote: repo.mainURL, Ref: shaTagMutated, KeepGitDir: keepGitDir}
+
+	// fetching the original tag should still return the original commit because of caching
+	g, err = gs.Resolve(ctx, id, nil, nil)
+	require.NoError(t, err)
+
+	key2, pin2, _, done, err := g.CacheKey(ctx, nil, 0)
+	require.NoError(t, err)
+	require.True(t, done)
+
+	require.NotEqual(t, key1, key2)
+	require.NotEqual(t, pin1, pin2)
+
+	ref, err = g.Snapshot(ctx, nil)
+	require.NoError(t, err)
+	ref.Release(context.TODO())
+}
+
+func TestFetchMutatedBranchSHA1(t *testing.T) {
+	testFetchMutatedBranch(t, "sha1", false)
+}
+
+func TestFetchMutatedBranchKeepGitDirSHA1(t *testing.T) {
+	testFetchMutatedBranch(t, "sha1", true)
+}
+
+func TestFetchMutatedBranchSHA256(t *testing.T) {
+	testFetchMutatedBranch(t, "sha256", false)
+}
+
+func TestFetchMutatedBranchKeepGitDirSHA256(t *testing.T) {
+	testFetchMutatedBranch(t, "sha256", true)
+}
+
+// testFetchMutatedBranch tests that if a branch is mutated in a way that previous
+// ref becomes parent directory of new ref, causing collision to existing checkouts
+func testFetchMutatedBranch(t *testing.T, format string, keepGitDir bool) {
+	ctx := t.Context()
+	if runtime.GOOS == "windows" {
+		t.Skip("Depends on unimplemented containerd bind-mount support on Windows")
+	}
+	repo := setupGitRepo(t, format)
+	cmd := exec.Command("git", "rev-parse", "feature")
+	cmd.Dir = repo.mainPath
+
+	out, err := cmd.Output()
+	require.NoError(t, err)
+
+	expLen := 40
+	if format == "sha256" {
+		expLen = 64
+	}
+	shaBranch := strings.TrimSpace(string(out))
+	require.Equal(t, expLen, len(shaBranch))
+
+	id := &GitIdentifier{Remote: repo.mainURL, Ref: "feature", KeepGitDir: keepGitDir}
+	gs := setupGitSource(t, t.TempDir())
+
+	g, err := gs.Resolve(ctx, id, nil, nil)
+	require.NoError(t, err)
+
+	key1, pin1, _, done, err := g.CacheKey(ctx, nil, 0)
+	require.NoError(t, err)
+	require.True(t, done)
+
+	ref, err := g.Snapshot(ctx, nil)
+	require.NoError(t, err)
+	ref.Release(context.TODO())
+
+	// mutate the branch to point to become parent dir
+	cmd = exec.Command("git", "branch", "-D", "feature")
+	cmd.Dir = repo.mainPath
+	out, err = cmd.CombinedOutput()
+	require.NoError(t, err, string(out))
+
+	cmd = exec.Command("git", "branch", "feature/new", shaBranch)
+	cmd.Dir = repo.mainPath
+	out, err = cmd.CombinedOutput()
+	require.NoError(t, err, string(out))
+
+	id = &GitIdentifier{Remote: repo.mainURL, Ref: "feature/new", KeepGitDir: keepGitDir}
+
+	g, err = gs.Resolve(ctx, id, nil, nil)
+	require.NoError(t, err)
+
+	key2, pin2, _, done, err := g.CacheKey(ctx, nil, 0)
+	require.NoError(t, err)
+	require.True(t, done)
+
+	if keepGitDir {
+		require.NotEqual(t, key1, key2) // key contains new ref
+	} else {
+		require.Equal(t, key1, key2)
+	}
+	require.Equal(t, pin1, pin2)
+
+	ref, err = g.Snapshot(ctx, nil)
+	require.NoError(t, err)
+	ref.Release(context.TODO())
+}
+
 func TestMultipleTagAccessKeepGitDirSHA1(t *testing.T) {
 	testMultipleTagAccess(t, true, "sha1")
 }
