From 81ea7436c37610d9e3fd83d2bb5101e2e6f574fa Mon Sep 17 00:00:00 2001 From: Tim Lee Date: Mon, 20 Apr 2026 09:30:55 -0600 Subject: [PATCH] Fix OSV sync shallow clone failing on quiet weekends (#43450) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary The nightly OSV artifact generation in `fleetdm/vulnerabilities` failed over the weekend with: ``` fatal: error processing shallow info: 4 ``` at `cmd/osv-processor/sync-and-detect-changes.sh` during: ```bash git fetch --shallow-since="3 days ago" origin main ``` Root cause: `git fetch --shallow-since` errors out when the upstream (`canonical/ubuntu-security-notices`) has zero commits newer than the cutoff. Canonical didn't push anything over the weekend, so the 3-day window returned empty and upload-pack produced an unusable shallow response. Fix: - Fall back to `git fetch --depth=3` if `--shallow-since` still returns empty, so the initial clone always succeeds. Subsequent runs reuse the existing clone and take the other branch of the script (plain `git fetch origin main`), which doesn't have this failure mode. Failing run: https://github.com/fleetdm/vulnerabilities/actions/runs/24330589309/job/71035337352 ## Test plan - [x] Re-run the Ubuntu OSV artifact generation workflow; initial clone succeeds regardless of upstream push frequency. - [x] Manually exercise the cold-cache path locally: `rm -rf ubuntu-security-notices && ./cmd/osv-processor/sync-and-detect-changes.sh` — completes without error. ## Summary by CodeRabbit * **Bug Fixes** * Improved initial repository sync: if the primary shallow fetch returns no commits, the process now falls back to a limited-depth fetch, warns the user, and shows recent commit history before continuing. Downstream change detection and existing behavior for already-cloned repos remain unchanged. --------- Co-authored-by: Konstantin Sykulev --- cmd/osv-processor/sync-and-detect-changes.sh | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/cmd/osv-processor/sync-and-detect-changes.sh b/cmd/osv-processor/sync-and-detect-changes.sh index b6854a3a20..1159512c92 100755 --- a/cmd/osv-processor/sync-and-detect-changes.sh +++ b/cmd/osv-processor/sync-and-detect-changes.sh @@ -16,6 +16,10 @@ set -euo pipefail REPO_URL="https://github.com/canonical/ubuntu-security-notices.git" REPO_DIR="ubuntu-security-notices" DAYS_TO_KEEP=3 # how much git history to get for initial clone +# Fallback depth used when --shallow-since returns no commits (upstream was quiet). +# The sync only needs the tip commit to populate the working tree. +# We grab a few extra commits so the warning log shows recent upstream activity for debugging. +FALLBACK_DEPTH=3 echo "=== OSV Repository Sync ===" echo "" @@ -57,7 +61,17 @@ else git config core.sparseCheckout true echo "osv/" > .git/info/sparse-checkout - git fetch --shallow-since="${DAYS_TO_KEEP} days ago" origin main + if ! git fetch --shallow-since="${DAYS_TO_KEEP} days ago" origin main; then + echo "" + echo "WARNING: --shallow-since=${DAYS_TO_KEEP}d returned no commits." + echo "Upstream has been quiet for >${DAYS_TO_KEEP} days. Falling back to --depth=${FALLBACK_DEPTH}." + echo "" + git fetch --depth="${FALLBACK_DEPTH}" origin main + echo "Recent history:" + git log --pretty=format:'%h %ci %s' origin/main + echo "" + echo "" + fi git checkout -b main --track origin/main COMMIT_SHA=$(git rev-parse HEAD)