Should ignore publishing registries repositories #17067

Closed
JohNan opened this issue Aug 9, 2022 · 7 comments · Fixed by #18998
Labels
manager:gradle Gradle package manager priority-2-high Bugs impacting wide number of users or very important features type:bug Bug fix of existing functionality

Comments

@JohNan

JohNan commented Aug 9, 2022

How are you running Renovate?

Mend Renovate hosted app on github.com

If you're self-hosting Renovate, tell us what version of Renovate you run.

No response

Please select which platform you are using if self-hosting.

No response

If you're self-hosting Renovate, tell us what version of the platform you run.

No response

Was this something which used to work for you, and then stopped?

I never saw this working

Describe the bug

The bot uses registry urls from publishing config when trying to find updated dependencies. This is a config that is only used when publishing artifacts and is not supposed to be used when resolving dependencies.

An example of such a config in a Gradle file, e.g. build.gradle.kts, can look like this:

publishing {
    repositories {
        maven {
            uri("https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/")
            credentials {
                username = "USERNAME"
                password = "PASSWORD"
            }
        }
    }
}

Example repository: https://github.com/JohNan/renovatebot-bugreport

Relevant debug logs

DEBUG: Looking up org.jetbrains.kotlin.jvm:org.jetbrains.kotlin.jvm.gradle.plugin in repository https://repo.maven.apache.org/maven2/
DEBUG: Found 6 new releases for org.jetbrains.kotlin.jvm:org.jetbrains.kotlin.jvm.gradle.plugin in repository https://repo.maven.apache.org/maven2/
DEBUG: Looking up org.jetbrains.kotlin.jvm:org.jetbrains.kotlin.jvm.gradle.plugin in repository https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/
DEBUG: Dependency lookup unauthorized. Please add authentication with a hostRule
{
  "failedUrl": "https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/org/jetbrains/kotlin/jvm/org.jetbrains.kotlin.jvm.gradle.plugin/maven-metadata.xml"
}
DEBUG: Content is not found for Maven url
{
  "url": "https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/org/jetbrains/kotlin/jvm/org.jetbrains.kotlin.jvm.gradle.plugin/maven-metadata.xml"
}

Have you created a minimal reproduction repository?

I have linked to a minimal reproduction repository in the bug description

@JohNan JohNan added priority-5-triage status:requirements Full requirements are not yet known, so implementation should not be started type:bug Bug fix of existing functionality labels Aug 9, 2022
@rarkins rarkins added priority-2-high Bugs impacting wide number of users or very important features manager:maven Maven (Java) package manager status:ready and removed priority-5-triage status:requirements Full requirements are not yet known, so implementation should not be started labels Aug 9, 2022
@PhilipAbed
Collaborator

PhilipAbed commented Aug 9, 2022

Reproduced, we are parsing it as part of our registry URLs:

"registryUrls": [
  "https://repo.maven.apache.org/maven2",
  "https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/",
  "https://plugins.gradle.org/m2/"
],

@rarkins
Collaborator

rarkins commented Aug 9, 2022

Forked to https://github.com/renovate-reproductions/17067

Does it look like a quick fix, or needs some of our parsing rewritten?

@PhilipAbed
Collaborator

We use a tokenizer; I have no idea. The code is here, I suppose:

function processCustomRegistryUrl({
  tokenMap,
  variables,
}: SyntaxHandlerInput): SyntaxHandlerOutput {
  let localVariables = variables;
  // A `name = "..."` assignment is made available for interpolating the URL
  if (tokenMap.keyToken?.value === 'name') {
    localVariables = {
      ...variables,
      name: {
        key: 'name',
        value: tokenMap.valToken.value,
      },
    };
  }
  let registryUrl: string | null = tokenMap.registryUrl?.value;
  if (tokenMap.registryUrl?.type === TokenType.StringInterpolation) {
    const token = tokenMap.registryUrl as StringInterpolation;
    registryUrl = interpolateString(token.children, localVariables);
  }
  try {
    if (registryUrl) {
      registryUrl = registryUrl.replace(regEx(/\\/g), '');
      // Accept the value only if it parses as a URL with host and protocol
      const { host, protocol } = url.parse(registryUrl);
      if (host && protocol) {
        return { urls: [registryUrl] };
      }
    }
  } catch (e) {
    // no-op
  }
  return null;
}

@rarkins
Collaborator

rarkins commented Aug 9, 2022

@zharinov do you recall if it's just checking for repositories.maven at any level and that's why it swallows publishing.repositories.maven?

@PhilipAbed
Collaborator

PhilipAbed commented Aug 14, 2022

The tokenizer is matching specific keywords for multiple cases;
check out the parser.
Looking at all cases of processCustomRegistryUrl:

  1. maven("https://repository.mycompany.com/m2/repository")
  2. maven { name = "baz"; url = "https://maven.springframework.org/${name}" }
  3. maven { url = "https://maven.springframework.org/release"
  4. maven { url = uri("https://maven.springframework.org/release")
  5. maven { url "https://maven.springframework.org/release"
  6. url 'https://repo.spring.io/snapshot/'
  7. url('https://repo.spring.io/snapshot/')

The customer input is:

publishing {
    repositories {
        maven {
            uri("https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/")
            credentials {
                username = "USERNAME"
                password = "PASSWORD"
            }
        }
    }
}

In code, only case 7 could have caught this.

Here it is:

// url('https://repo.spring.io/snapshot/')
matchers: [
  { matchType: TokenType.Word, matchValue: ['uri', 'url'] },
  { matchType: TokenType.LeftParen },
  {
    matchType: [TokenType.String, TokenType.StringInterpolation],
    tokenMapKey: 'registryUrl',
  },
  { matchType: TokenType.RightParen },
  endOfInstruction,
],
handler: processCustomRegistryUrl,
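
The scoping problem discussed in this thread (a `uri(...)` call being matched regardless of the block it sits in), as an added TypeScript example that is not part of any comment here and is not Renovate's parser or its fix: a simplified scanner records the enclosing block path of each repository URL and drops those declared under `publishing`. The function names, the sample script and the rule "under `repositories` but not under `publishing`" are assumptions made for illustration.

```typescript
// Added example, not Renovate's parser. Simplified: ignores comments,
// braces inside strings, and ${...} interpolation.
interface FoundUrl {
  url: string;
  scope: string[]; // enclosing block names, outermost first
}

// One pass over the script: track the stack of `name {` blocks and record
// each repository URL together with the scope it was declared in.
function findRepositoryUrls(script: string): FoundUrl[] {
  const tokenRe =
    /\b([A-Za-z_]\w*)\s*\{|\{|\}|\b(?:url|uri|maven)\s*(?:=\s*)?\(?\s*["']([^"']+)["']/g;
  const scope: string[] = [];
  const found: FoundUrl[] = [];
  let m: RegExpExecArray | null;
  while ((m = tokenRe.exec(script)) !== null) {
    if (m[2] !== undefined) {
      found.push({ url: m[2], scope: scope.slice() });
    } else if (m[0] === '}') {
      scope.pop();
    } else {
      scope.push(m[1] || '<anonymous>');
    }
  }
  return found;
}

// Assumed rule: a URL is a resolution registry only if it sits under a
// `repositories` block that is not nested inside `publishing`.
function resolutionUrls(script: string): string[] {
  return findRepositoryUrls(script)
    .filter((f) => f.scope.indexOf('repositories') !== -1 &&
                   f.scope.indexOf('publishing') === -1)
    .map((f) => f.url);
}

// Constructed sample: one resolution repository plus the publishing block from the report.
const sample = `
repositories {
    maven { url = uri("https://maven.springframework.org/release") }
}
publishing {
    repositories {
        maven {
            uri("https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/")
            credentials { username = "USERNAME"; password = "PASSWORD" }
        }
    }
}
`;
```

`findRepositoryUrls(sample)` returns both URLs with their scopes, which is what a context-free matcher sees; `resolutionUrls(sample)` keeps only the one outside `publishing`, so the staging deploy endpoint is never queried for dependency metadata.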

@rarkins rarkins assigned zharinov and unassigned PhilipAbed Aug 14, 2022
@rarkins
Collaborator

rarkins commented Aug 14, 2022

@PhilipAbed thanks for the analysis. Let's hand over to @zharinov

@Churro Churro added manager:gradle Gradle package manager and removed manager:maven Maven (Java) package manager labels Oct 16, 2022
@renovate-release
Collaborator

🎉 This issue has been resolved in version 34.32.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 25, 2022