Fixes https://github.com/flathub/flatpak-external-data-checker/issues/249

I opted to add an optional property to mark sources as "important", is-important: true. If "important" sources are present in external data, only update the manifest if at least 1 important source received an update. This basically lets apps choose when they want PRs to open, e.g. many apps may only want a PR when at least their primary upstream app source is updated.

Manifests without important sources will not be affected by this change. f-e-d-c will continue making manifest updates as before for all modules. In other words, this does not change any existing behaviour.

There are some (I think comprehensive) tests for this feature in test_checker.py.

I also tested with an actual GitHub repo (forked EasyEffects which happens to have convenient action to use):

When is-critical-source is set for EasyEffects itself, but only libsigc++ has an update available

Doesn't make a PR/manifest update as shown by the logs as expected

When is-critical-source is set for both for EasyEffects and libsigc++, and libsigc++ has an update available

Makes PR as expected

Hi,

today the flathubbot opened a strange PR on org.gnome.Chess. PR is opened for dependency which doesn't have x-data-checker options set up and it just changed the hash without changing the URL. I looked at the URL and the file had last update in 2016.

I will close the PR for now, because the build is failing anyway.

I have the following check

        x-checker-data:
          type: pypi
          name: borgbackup
          versions: { "<": "1.2" }

and the report says

CHANGE SOON: borgbackup-1.1.16.tar.gz
 Has a new version:
  URL:       https://files.pythonhosted.org/packages/83/4a/95725c920aecb0fc00fb58604fe3c8e5c79a1f92a3b857a9c6ffacd312e6/borgbackup-1.2.0b2.tar.gz
  SHA256:    82b6100cb9db7113dd8c082ac9c9e1de7bd538eb9cb685c2cf499a34e1bac64d
  Size:      3940922
  Version:   1.2.0b2
  Timestamp: 2021-02-06 13:18:31.784134

I can work around this by using "<": "1.1.99" but maybe I will get a 1.1.x beta version with this? Any way to fix this?

PS: Also I could not find docs that say that versions is even supported for pypi.

Given PyPI package name and desired dist type (sdist or bdist_wheel), this checker finds latest available release. Fixes #74, see test manifest for usage example. I would appreciate a review from @nanonyme who is more familiar with PyPI and previously worked on something similar for BuildStream.

I am trying to use this in GitHub Actions, with the default GITHUB_TOKEN provided to the action. However, origin_repo.permissions.push is False. Some digging suggests that this may be an artefact of the kind of token being used here.[0] However, if we just go ahead and push and create the CR directly to the repo, it works fine.

So, add a --force-no-fork CLI parameter to override the repository permissions check, and a --force-fork parameter for symmetry. The default is still to check the repository permissions. (Of course if you --force-no-fork and you really don't have permission to push or create PRs, you'll hit an error a few lines later.)

[0] https://github.com/endlessm/eos-google-chrome-app/pull/96

Add a list of known-wrong Content-Type header patterns, and reject downloaded file if its Content-Type matches. The idea is to catch error pages returned by services without HTTP error status code, and avoid submitting them as "updates". Should fix #168, assuming that the infamous SourceForge page has C-T alike text/html.

Ideally, we should add C-T denylist for URLChecker, too, but just throwing it in will break our tests (httbin[go] returns text/html for its /base64/ URL). Given that it's most primarily targeted at SourceForge, and sources from there are unlikely to be extra-data, I consider the denylist for URLChecker not as important.

Previously, this script would exit(0) if some sources were out of date but we were able to open a PR to update them. We want this behaviour because the owner of whatever CI job runs the checker should not get a failure email if the script opens a PR: that's a success for the script! The script should only indicate failure if it is not able to carry out the task it was asked to perform (edit the source tree, open a PR, etc.).

f4cddf5d12579c39e1fac58f1730d5f553a4c58b changed this behaviour. Change it back. (I missed this while reviewing that!)

@andrunko noticed this behaviour after #145 merged because the job successfully opened a PR for our Chrome Flatpak but then the Jenkins job still failed.

I tried to use the data checker for org.gnome.Chess and got

Traceback (most recent call last):
  File "/home/zlopez/git/flatpak-external-data-checker/flatpak-external-data-checker", line 30, in <module>
    main()
  File "/home/zlopez/git/flatpak-external-data-checker/src/main.py", line 258, in main
    manifest_checker.check(filter_type)
  File "/home/zlopez/git/flatpak-external-data-checker/src/checker.py", line 196, in check
    checker.check(data)
  File "/home/zlopez/git/flatpak-external-data-checker/src/checkers/htmlchecker.py", line 81, in check
    latest_url = get_latest(external_data.checker_data, "url-pattern", html)
  File "/home/zlopez/git/flatpak-external-data-checker/src/checkers/htmlchecker.py", line 47, in get_latest
    f"{pattern_name} {pattern} does not contain exactly 1 match group"
ValueError: url-pattern re.compile('https://download.gnome.org/sources/gnome-chess/(d+.d+)/gnome-chess-(d+.d+.d+).tar.xz') does not contain exactly 1 match group

As I understand there is issue in url-pattern, because the url for gnome apps is https://download.gnome.org/sources/gnome-chess/3.36/gnome-chess-3.36.1.tar.xz, so the version is there twice, but one time without patch number and in the other with patch number. I'm not sure how to adjust the manifest to make it work. Could you give me some advice?

You can skip this intro/justification and jump to the example
Due to the fact that QtWebEngine releases are tagged much slower than the commits made to the respected qtwebengine-chromium branch, we build from the latest commit of the latter.
We have a QtWebEngine web browser packaged, qutebrowser, so we want to get the latest security fixes much faster.

Here's the example.

qtwebengine.json

{
    "name": "qt6-qtwebengine",
    "sources": [
        {
            "type": "git",
            "url": "https://invent.kde.org/qt/qt/qtwebengine.git",
            "tag": "v6.3.1",
            "commit": "b981601dedffaa21b474e3acf254e77a490c9173",
            "x-checker-data": {
                "is-main-source": true,
                "type": "json",
                "url": "https://invent.kde.org/api/v4/projects/qt%2Fqt%2Fqtwebengine/repository/tags",
                "tag-query": "first(.[].name | match( \"v6.3[\\\\d.]+-lts|v6.3[\\\\d.]+\" ) | .string)",
                "version-query": "$tag | sub(\"^v\"; \"\")",
                "timestamp-query": ".[] | select(.name==$tag) | .commit.created_at"
            },
            "disable-submodules": true
        },
        {
            "type": "git",
            "url": "https://invent.kde.org/qt/qt/qtwebengine-chromium.git",
            "branch": "94-based",
            "commit": "c643145a35e519c38f89bf1282ecc5c1fdb82ade",
            "dest": "src/3rdparty"
        }
    ]
}

Running f-e-d-c with in important updates mode:

$ flatpak-external-data-checker --edit-only --require-important-update qtwebengine.json

WARNING src.lib.externaldata: Source qtwebengine-chromium.git: remote data changed
INFO    src.manifest: Finished check [1/2] git qt6-qtwebengine/qtwebengine-chromium.git (from qtwebengine.json)
INFO    src.manifest: Finished check [2/2] git qt6-qtwebengine/qtwebengine.git (from qtwebengine.json)
BROKEN: qtwebengine-chromium.git
 Has a new version:
  URL:       https://invent.kde.org/qt/qt/qtwebengine-chromium.git
  Commit:    5f9753749b6c138c1d5bc390006396e9a65b19a1
  Tag:       None
  Branch:    94-based
  Version:   None
  Timestamp: None

INFO    src.manifest: No important source had an update, not updating manifest
INFO    src.main: Check finished with 0 error(s)

Even though the branch commit is outdated, f-e-d-c doesn't update the source, as it's not defined as important.

As expect, setting the source as important like the following will not end well.

{
    "type": "git",
    "url": "https://invent.kde.org/qt/qt/qtwebengine-chromium.git",
    "branch": "94-based",
    "commit": "c643145a35e519c38f89bf1282ecc5c1fdb82ade",
    "dest": "src/3rdparty",
    "x-checker-data": {
        "is-important": true
    }
}

$ flatpak-external-data-checker --edit-only --require-important-update qtwebengine.json

ERROR   src.manifest: Error reading source: 'type' is a required property

Failed validating 'required' in schema['properties']['x-checker-data']:
    {'properties': {'arches': {'items': {'type': 'string'},
                               'type': 'array'},
                    'is-important': {'type': 'boolean'},
                    'is-main-source': {'type': 'boolean'},
                    'parent-id': {'type': 'string'},
                    'source-id': {'type': 'string'},
                    'type': {'type': 'string'}},
     'required': ['type'],
     'type': 'object'}

On instance['x-checker-data']:
    OrderedDict([('is-important', True)])
INFO    src.manifest: Checking 1 external data items
INFO    src.manifest: Started check [1/1] git qt6-qtwebengine/qtwebengine.git (from qtwebengine.json)
INFO    src.manifest: Finished check [1/1] git qt6-qtwebengine/qtwebengine.git (from qtwebengine.json)
WARNING src.main: Check finished with 1 error(s)

We got an MR from flathubbot, but it still needed manually merging, see https://github.com/flathub/com.brave.Browser/pull/23.

However, I've enabled automerging, see com.brave.Browser's flathub.json.

I'm not sure exactly what the issue is. Perhaps I wrote it wrongly?

In past week, flatpak-external-data-checker submitted several PRs (e.g. flathub/com.wps.Office#96) to WPS Office flatpak where the checksum (and only it) was changed. The "new" checksum is different each time and seems invalid - re-checking showed that the checksum didn't actually change. It doesn't look like partial read, since the size doesn't change, and no http error occurs.

It would be nice to have a link to each packages chsmgelog in the PRs. For some dependencies I'd like to review them before merging. At least for Pypi I assume a changelog link should be easy enough to get via the API, other platforms could be added on demand.

What do you think about that idea?

In https://github.com/flathub/org.gnome.Evince/pull/110 the script is recommending to downgrade, which is odd unless there is something I am missing.

Update libgxps-0.3.2.tar.xz to 0.2.5

0.3.2 archive was uploaded on 2021-02-26 whereas 0.2.5 on 2017-02-25

• https://download.gnome.org/sources/libgxps/0.3/
• https://download.gnome.org/sources/libgxps/0.2/

Should fix #245

For some reason, tests.test_checker.TestExternalDataChecker finds 3 new versions instead of 2, even without my changes applied: See the latest CI job of this branch, which prints the found sources:

https://github.com/Alexander-Wilms/flatpak-external-data-checker/tree/investigate-test-test_checker_testexternaldatachecker

f-e-d-c is currently used by com.riverbankcomputing.PyQt.BaseApp on 3 different branches. Having the branch (e.g. 5.15-22.08 or 6.3) would make it possible to see which branch is targeted directly in the Notification or the PR list.

Note: This is currently not tested

The Flatpak linter runs inside an environment where IPv6 works, so f-e-d-c tried to use IPv6 to contact a website with a broken IPv6 configuration: https://discourse.flathub.org/t/enforcing-pull-request-workflow-and-green-ci-status-of-prs/3109/4

Ideally, f-e-d-c would show more information about the failed attempt, such as the IP address for the website, so that debugging the problem would be more efficient.

ERROR   src.manifest: Failed to check archive sweethome3d/SweetHome3D-7.0.2-linux-x64.tgz with HTMLChecker: Error querying for new versions: Connection timeout to host http://www.sweethome3d.com/history.jsp

Related to https://github.com/flathub/com.valvesoftware.Steam.CompatibilityTool.Proton-GE/pull/119

Here, f-e-d-c runs against an up-to-date manifest, so there is no new version for the Proton-GE source, but without a new version (an no ability to determine the current one), it's has nothing to put into child sources check urls.

Maybe the fix could be to store the current version under x-checker-data for these checkers where it's not possible to get the current version from the manifest ?