Update dockerfile dependencies #4470

Closed
renovate[bot] wants to merge 1 commit into main from renovate/dockerfile

@renovate renovate Bot commented Jun 22, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| alpine | final | minor | 3.23 → 3.24 |
| docker/dockerfile | syntax | minor | 1.24 → 1.25 |
| golang | stage | digest | f1ddd9f → 3ad5730 |
| mysql | final | pinDigest | → 7dcddc0 |
| node | final | digest | 21f403a → a0b9bf0 |

Configuration

📅 Schedule: (in timezone Etc/UTC)

  • Branch creation
    • "after 5pm on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Jun 22, 2026
@renovate renovate Bot requested a review from a team as a code owner June 22, 2026 19:37
@renovate renovate Bot enabled auto-merge (squash) June 22, 2026 19:37

@claude claude Bot left a comment

Review of Dockerfile dependency bumps

golang (digest update) and node (digest update)

The Go 1.26-alpine and Node 24-alpine digest pin updates are low-risk -- same tag, newer build. No concerns.

mysql 8.0.46 to 8.4.9 -- Findings below

Bug (High Severity): Hardcoded MySQL 8.0 yum repo URL will break the Docker build

In flow/e2e/test_data/mysql-debug/Dockerfile lines 28-29, the yum repo baseurl points to mysql-8.0-community, but the base image is now mysql:8.4.9. The RPM version extracted on line 23 will be an 8.4.x version string, and those packages do not exist in the 8.0 repo -- the microdnf install on lines 34-41 will fail.

For MySQL 8.4 LTS, the repo URL should be:

baseurl=https://repo.mysql.com/yum/mysql-8.4-lts-community/el/9/$basearch/

The repo name (mysql80-community) and display name (MySQL 8.0 Community Server) should also be updated.


Additional upstream regression notes (8.0 to 8.4):

  1. mysql_native_password disabled by default -- MySQL 8.4 no longer loads this plugin. PeerDB e2e tests connect with DisableTls: true; since caching_sha2_password over non-TLS requires RSA public-key exchange, verify the go-mysql client handles this. If not, add --mysql-native-password=ON to the test config.

  2. SHOW MASTER STATUS removed -- Already handled: flow/connectors/mysql/mysql.go:411 version-checks against 8.4.0 and uses SHOW BINARY LOG STATUS. No action needed.

  3. binlog_format deprecated -- flow/e2e/mysql.go:84 runs SET GLOBAL binlog_format=row, which still works in 8.4 but logs a deprecation warning.

  4. Removed InnoDB variables -- If any config sets innodb_log_file_size or innodb_log_files_in_group, MySQL 8.4 will refuse to start (replaced by innodb_redo_log_capacity).

  5. mysqld-debug assertions -- MySQL 8.4 changed InnoDB internals. New debug assertions may fire at runtime that did not exist in 8.0.

No PII/secret exposure concerns

The changes are limited to image tag/digest updates in Dockerfiles. No risk of leaking sensitive data.

claude Bot commented Jun 22, 2026

Code review

Found 1 issue. Checked for bugs and CLAUDE.md compliance.

flow/e2e/test_data/mysql-debug/Dockerfile (line 9)

Bug: Docker build will fail — yum repo URL hardcoded to MySQL 8.0

This bumps the base image from 8.0.46 to 8.4.9, but the yum repository configuration at lines 26-28 is still hardcoded to the MySQL 8.0 Community repo (mysql-8.0-community). The Dockerfile extracts the RPM version from the base image (line 23), which will now be 8.4.x. It then tries to install those 8.4.x packages from the mysql-8.0-community repo where they do not exist, causing microdnf install to fail.

Fix: Update lines 26-28 to reference the MySQL 8.4 LTS repo — change mysql80-community to mysql84-lts-community, update the name, and change the baseurl from mysql-8.0-community to mysql-8.4-lts-community.

Flagged per REVIEW.md: dependency bump regression check.

@renovate renovate Bot force-pushed the renovate/dockerfile branch from 49df77f to ea87cf6 Compare June 23, 2026 06:41

@claude claude Bot left a comment

Reviewed: Dockerfile dependency bumps (golang digest, mysql 8.0→8.4, node digest)

Upstream release-notes check (per REVIEW.md)

golang:1.26-alpine (digest-only): Routine rebuild, includes Go 1.26.4 security patches (archive/tar, crypto/tls, crypto/x509, html/template, os). No regressions. ✅

node:24-alpine (digest-only): Security rebuild patching 12 CVEs from the June 18 2026 coordinated release, including two HIGH-severity fixes (CVE-2026-48933 WebCrypto DoS, CVE-2026-48618 TLS hostname normalization bypass). No regressions. ✅

mysql 8.0.46 → 8.4.9: MySQL 8.4 is the current LTS. Major changes relevant to PeerDB:

  • Old MASTER/SLAVE replication syntax hard-removed → already handled by version-gated code in mysql.go:411-421 and validation.go:273-283. ✅
  • expire_logs_days variable removed → retention.go already routes MySQL ≥ 8.0.1 to binlog_expire_logs_seconds. ✅
  • mysql_native_password disabled by default → no references found in the codebase. ✅
  • No PII/secret exposure concerns. ✅

One issue found — see inline comment on the Dockerfile.

# entrypoint's config checks, datadir initialization, and temporary init server keep using the
# release binary because the debug binary can trip InnoDB assertions on that path.
ARG MYSQL_VERSION=8.0.46
ARG MYSQL_VERSION=8.4.9@sha256:c36050afdca850f23cef85703f84c7531a5ae155a11b5ee1c60acb09937c4084
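
Review bot: The new default on the ARG MYSQL_VERSION line is no longer a bare version; it now ends in an @sha256: digest. If MYSQL_VERSION is interpolated anywhere other than the FROM image reference (an image tag, a version comparison, a package name), that use receives the digest suffix too. Keep MYSQL_VERSION as the plain version and carry the digest in a separate ARG, or confirm that every use of the variable is an image reference.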

Bug: yum repo URL still points to mysql-8.0-community, will break the Docker build

The base image is now mysql:8.4.9, so the RPM version extracted on line 23 (rpm -q ... mysql-community-server-minimal) will be an 8.4.9 version string. But the yum repo configured on line 28 still points to:

baseurl=https://repo.mysql.com/yum/mysql-8.0-community/el/9/$basearch/

The 8.0 repo does not carry 8.4.x packages, so the microdnf install on lines 33–42 will fail with package-not-found errors for every mysql-community-*-${mysql_rpm_version} package.

Fix: Update line 28 to:

baseurl=https://repo.mysql.com/yum/mysql-8.4-community/el/9/$basearch/

and update the section name (line 26) and description (line 27) to match (mysql84-community / MySQL 8.4 Community Server).

@renovate renovate Bot force-pushed the renovate/dockerfile branch from ea87cf6 to 434c8be Compare June 23, 2026 10:40

@claude claude Bot left a comment

Dependency bump review

Reviewed the four Dockerfile dependency bumps. Three are safe; the MySQL 8.0 → 8.4 jump has a build-breaking issue (see inline comment).

Alpine 3.23 → 3.24 ✅

No issues for PeerDB-relevant packages (ca-certificates, geos, postgresql-client, curl, iputils, openssl). All remain in main. Breaking changes (removed GTK2/Qt5, pkg_resources dropped from setuptools) don't affect these Dockerfiles.

golang:1.26-alpine digest update ✅

Picks up Go 1.26.4 — a security patch fixing quadratic complexity in mime and crypto/x509, plus a net/textproto fix. Also rebased onto Alpine 3.24. Beneficial, no regressions.

node:24-alpine digest update ✅

Picks up Node.js 24.17.0 — a security release patching 12 CVEs including HIGH-severity WebCrypto crash and TLS wildcard verification bypass. Rebased onto Alpine 3.24. Beneficial, no regressions.

MySQL 8.0.46 → 8.4.9 ⚠️

This is a major series jump (8.0 → 8.4). PeerDB's Go CDC code already handles 8.4's new commands (SHOW BINARY LOG STATUS / SHOW REPLICA STATUS with fallbacks), so the connector itself is compatible. However, the Dockerfile has a build-breaking issue — see inline comment.

Key MySQL 8.4 behavior changes to be aware of (not blocking, but worth noting):

  • mysql_native_password is disabled by default — PeerDB tests may need --mysql-native-password=ON or must use caching_sha2_password
  • binlog_format locked to ROW (beneficial for CDC, no action needed)
  • InnoDB defaults changed (innodb_io_capacity 200→10000, innodb_flush_method fsync→O_DIRECT, etc.)

# plus mysqld-debug, then route only the final foreground server to mysqld-debug. The stock
# entrypoint's config checks, datadir initialization, and temporary init server keep using the
# release binary because the debug binary can trip InnoDB assertions on that path.
ARG MYSQL_VERSION=8.0.46

Build-breaking: The yum repo URL on lines 26-28 is hardcoded to mysql-8.0-community:

'[mysql80-community]'
'name=MySQL 8.0 Community Server'
'baseurl=https://repo.mysql.com/yum/mysql-8.0-community/el/9/$basearch/'

But the base image is now mysql:8.4.9. When the Dockerfile queries the RPM version from the 8.4.9 base image (line 23) and then tries to install packages at that version from the 8.0 repo, it will fail — the mysql-8.0-community repo only contains 8.0.x packages (up to 8.0.45).

The repo needs to be updated to mysql-8.4-community (confirmed it exists at https://repo.mysql.com/yum/mysql-8.4-community/el/9/x86_64/ with debug packages through 8.4.8).

Suggested fix:

'[mysql84-community]'
'name=MySQL 8.4 Community Server'
'baseurl=https://repo.mysql.com/yum/mysql-8.4-community/el/9/$basearch/'

Additionally, the 8.4.9 debug RPM may not yet be published in the repo (latest available is 8.4.8 as of this review). You may want to pin to 8.4.8 until 8.4.9 packages land, or verify the 8.4.9 RPMs are available before merging.

@renovate renovate Bot force-pushed the renovate/dockerfile branch from 434c8be to 1bc53bf Compare June 23, 2026 11:12

claude Bot commented Jun 23, 2026

Dockerfile dependency bump review

Bug found: MySQL debug Dockerfile repo URL mismatch

File: flow/e2e/test_data/mysql-debug/Dockerfile, line 28

The base image is now mysql:8.4.9, so rpm -q ... mysql-community-server-minimal will return an 8.4.x RPM version. But the YUM repo configured on line 28 still points to mysql-8.0-community, which won't carry 8.4 packages. The microdnf install on lines 35-41 will fail with package-not-found errors.

The section header, name, and baseurl need updating for MySQL 8.4 -- the repo is likely mysql-8.4-lts-community (8.4 is the current LTS series).

Additionally, docker-bake.hcl (not in this diff) still has default = "8.0.46" -- it should be updated to 8.4.9 to match.


Upstream regression check (per REVIEW.md)

  • alpine 3.23 to 3.24: No impact on packages used in these Dockerfiles (ca-certificates, geos, postgresql-client, curl, iputils, openssl). Breaking changes limited to py3-setuptools/GTK2/Qt5 removals.
  • golang digest update: Same 1.26-alpine tag, routine rebuild -- no risk.
  • node digest update: Same 24-alpine tag, routine rebuild -- no risk.
  • mysql 8.0.46 to 8.4.9: Significant jump across release series. Key changes that could affect PeerDB CDC tests:
    • mysql_native_password is deprecated and disabled by default -- if test users authenticate with it, tests will fail unless --mysql-native-password=ON is set.
    • SHOW MASTER STATUS is removed -- but PeerDB's Go connector already handles this with version detection (flow/connectors/mysql/mysql.go:417-421).
    • Many InnoDB defaults changed (innodb_change_buffering=none, innodb_flush_method=O_DIRECT, innodb_io_capacity=10000, etc.) -- unlikely to break correctness but may affect performance.
    • binlog_format must be ROW when writeset-based conflict detection is used -- PeerDB already uses ROW.
    • default_authentication_plugin system variable is removed; replaced by authentication_policy.

The build breakage from the wrong repo URL is the blocking issue.

@renovate renovate Bot force-pushed the renovate/dockerfile branch 2 times, most recently from af0909f to 6597cbf Compare June 23, 2026 18:04

claude Bot commented Jun 23, 2026

Dependency Bump Review

Alpine 3.23 to 3.24 - Clean: No breaking changes for the packages used by PeerDB (ca-certificates, geos, postgresql-client, curl, iputils, openssl). The main 3.24 removals (GTK2, Qt5, pkg_resources) do not affect these Dockerfiles.

Go 1.26 digest update - Clean: Routine rebuild picking up Go 1.26.4 with minor security fixes in crypto/x509, mime, and net/textproto. No concerns.

Node 24 digest update - Clean: This pulls in Node.js 24.17.0 which addresses 12 CVEs including 2 HIGH-severity (CVE-2026-48933: WebCrypto crash; CVE-2026-48618: TLS hostname normalization bypass for wildcard certs). Good to merge promptly.

MySQL 8.0.46 to 8.4.9 - Needs manual fix before merge: This is a major series jump (8.0 to 8.4 LTS). PeerDB Go connector code already handles the MySQL 8.4 syntax changes, so the runtime CDC path is fine. However, the Dockerfile itself will break - see inline comment on the Dockerfile for details about the hardcoded yum repo URL. Additionally, two related files were not updated by Renovate and still hardcode 8.0.46: .github/workflows/mysql-debug-docker.yml (lines 9 and 24) and flow/e2e/test_data/mysql-debug/docker-bake.hcl (line 2). Since the CI workflow overrides the Dockerfile ARG with 8.0.46, this PR Dockerfile change is effectively a no-op in CI today. All three files need to be updated together for the MySQL 8.4 bump to actually take effect.

# entrypoint's config checks, datadir initialization, and temporary init server keep using the
# release binary because the debug binary can trip InnoDB assertions on that path.
ARG MYSQL_VERSION=8.0.46
ARG MYSQL_VERSION=8.4.9@sha256:c36050afdca850f23cef85703f84c7531a5ae155a11b5ee1c60acb09937c4084

Bug - build will fail with MySQL 8.4. The yum repo configured on lines 26-31 is hardcoded to mysql-8.0-community. With the base image now at 8.4.9, line 23 extracts an RPM version like 8.4.9-1.el9.x86_64, but the 8.0 repo will not carry 8.4.x packages, so microdnf install will fail to resolve them. The repo section needs to be updated for MySQL 8.4 LTS (e.g. mysql-8.4-lts-community). The exact repo name should be verified against https://repo.mysql.com/yum/. Also note: mysql_native_password is disabled by default in MySQL 8.4. If the e2e test setup creates users with mysql_native_password auth, those connections will fail unless --mysql-native-password=ON is added to the server config or users are created with caching_sha2_password.

claude Bot commented Jun 23, 2026

Dockerfile dependency bump review

Upstream release-note findings:

golang digest bump (1.26-alpine) - Go 1.26.4 security patch (3 CVEs: MIME header CPU exhaustion, unescaped input in error messages, quadratic cost in x509 VerifyHostname). No regressions reported. Safe to take.

node digest bump (24-alpine) - Node.js 24.17.0 security release (11 CVEs, 2 HIGH: WebCrypto DoS via integer overflow, TLS hostname normalization bypass). No regressions reported. Recommended to merge promptly.

alpine 3.23 to 3.24 - Minor note: postgresql-client may now resolve to postgresql17-client (was postgresql16-client in 3.23). Unlikely to cause issues since it is only used for psql CLI in the runtime image, but worth being aware of. No other regressions for the packages used (ca-certificates, geos, curl, iputils, openssl).

mysql 8.0.46 to 8.4.9 - This is the highest-risk change. MySQL 8.0 to 8.4 is a major series jump with significant breaking changes for CDC/replication workloads. See detailed findings below.

No PII/secret leaks in the diff - all changes are base image references with digest pins.


MySQL 8.0 to 8.4 - version inconsistency and build concerns (flow/e2e/test_data/mysql-debug/Dockerfile:9)

This ARG default was bumped to 8.4.9, but two other files still reference 8.0.46:

  1. flow/e2e/test_data/mysql-debug/docker-bake.hcl:2 - default is still 8.0.46. Since docker-bake passes MYSQL_VERSION as a build arg, it overrides this Dockerfile ARG default. In CI builds via bake, the image would still be built from mysql:8.0.46, making this Dockerfile change effectively a no-op.

  2. flow/e2e/clickhouse_mysql_test.go:1491 - hardcodes the image tag ghcr.io/peerdb-io/mysql-debug:8.0.46. The bake file tags images as mysql-debug:MYSQL_VERSION, so even if bake were updated to 8.4.9, the test would still reference the old 8.0.46 tag.

Additionally, if 8.4.9 is actually used (bypassing bake), lines 26-28 of the Dockerfile hardcode the MySQL 8.0 yum repo (baseurl mysql-8.0-community). The RPM version extracted on line 23 would be 8.4.x, which will not exist in the 8.0 repo - the microdnf install would fail. The repo config, section name ([mysql80-community]), and description all need updating for 8.4.

MySQL 8.0 to 8.4 also brings several breaking changes relevant to this test image:

  • mysql_native_password is disabled by default in 8.4 - may need --mysql-native-password=ON in the mysqld Cmd flags if e2e tests connect with that auth plugin
  • --binlog-format=ROW (used at clickhouse_mysql_test.go:1501) is deprecated in 8.4 (ROW is the only format) - likely produces a warning but should not be fatal
  • Several system variables removed (binlog_transaction_dependency_tracking, expire_logs_days, default_authentication_plugin)

The good news: PeerDB connector code already uses the new replication syntax (SHOW BINARY LOG STATUS, SHOW REPLICA STATUS) with version-checking fallbacks (see flow/connectors/mysql/mysql.go:411 and flow/pkg/mysql/validation.go:273), so the connector itself should work with 8.4.

Recommendation: Either update docker-bake.hcl, clickhouse_mysql_test.go, and the repo URL in the Dockerfile together, or keep MySQL at 8.0 until a dedicated PR handles the 8.0 to 8.4 migration holistically.

@renovate renovate Bot force-pushed the renovate/dockerfile branch from 6597cbf to 9bb39ad Compare June 23, 2026 19:12

claude Bot commented Jun 23, 2026

Dependency Bump Review -- Dockerfile dependencies

Reviewed bumps:

| Package | Change | Risk |
|---|---|---|
| alpine | 3.23 to 3.24 | Low -- no breaking changes for Go/Rust services |
| golang | digest update (same 1.26-alpine) | None -- rebuilt image, same Go version |
| node | digest update (same 24-alpine) | None -- rebuilt image, same Node version |
| mysql | 8.0.46 to 8.4.9 | High -- see below |

Build-breaking bug in mysql-debug Dockerfile (flow/e2e/test_data/mysql-debug/Dockerfile lines 26-28):
The yum repo URL is hardcoded to mysql-8.0-community but the base image is now mysql:8.4.9. Line 23 extracts the RPM version from the 8.4 base image, then lines 33-41 try to install those 8.4.x packages from the 8.0 repo -- which does not have them. The Docker build will fail. The repo config needs to be updated to mysql-8.4-lts-community.

Other upstream changes (lower risk):

  1. mysql_native_password disabled by default -- verify test user auth still works with caching_sha2_password.
  2. Legacy replication SQL removed (SHOW MASTER STATUS, etc.) -- PeerDB already has version-aware fallbacks (flow/connectors/mysql/mysql.go:410-421).
  3. binlog_format deprecated -- only ROW supported. PeerDB requires ROW so this is fine.
  4. log_bin_use_v1_row_events removed -- v1 row events gone.

# plus mysqld-debug, then route only the final foreground server to mysqld-debug. The stock
# entrypoint's config checks, datadir initialization, and temporary init server keep using the
# release binary because the debug binary can trip InnoDB assertions on that path.
ARG MYSQL_VERSION=8.0.46

Bug (build-breaking): Bumping to 8.4.9 here will break the Docker build. Lines 26-28 (not shown in diff) hardcode the yum repo to mysql-8.0-community. When the base image is 8.4, line 23 extracts an 8.4.x RPM version, then lines 33-41 try to install those packages from the 8.0 repo -- which does not carry them. The repo config (lines 26-28) needs to be updated to mysql-8.4-lts-community.

@renovate renovate Bot force-pushed the renovate/dockerfile branch from 9bb39ad to d493e97 Compare June 24, 2026 02:08
# entrypoint's config checks, datadir initialization, and temporary init server keep using the
# release binary because the debug binary can trip InnoDB assertions on that path.
ARG MYSQL_VERSION=8.0.46
ARG MYSQL_VERSION=8.4.10@sha256:563602a18ffd5be220968e8508d84c9dcd80fbffe69e28af51572db29e3285b2

Build will likely break: hardcoded mysql-8.0-community repo URL is incompatible with MySQL 8.4 base image.

The YUM repo on line 28 points to mysql-8.0-community but the base image is now mysql:8.4.10. The mysql-community-server-debug RPM at 8.4.x is not in the 8.0 repo -- the correct repo is mysql-8.4-lts-community. microdnf install (lines 34-42) will fail to find the debug package at the version extracted from the 8.4 base image.

Also inconsistent with references still pinned to 8.0.46:

  • .github/workflows/mysql-debug-docker.yml lines 9+24 default to 8.0.46
  • flow/e2e/clickhouse_mysql_test.go:1491 references ghcr.io/peerdb-io/mysql-debug:8.0.46

MySQL 8.0->8.4 breaking changes relevant to CDC:

  • SHOW SLAVE STATUS removed (fallback in validation.go:277 handles this)
  • mysql_native_password disabled by default
  • InnoDB defaults changed (innodb_io_capacity 200->10000, innodb_change_buffering all->none)

Recommendation: exclude this file from the Renovate bump and handle 8.0->8.4 in a dedicated PR.

Comment thread stacks/mysql.Dockerfile Outdated
# 1. Build the image: docker build -f mysql.Dockerfile --tag 'bin_mysql' .
# 2. Run the container: docker run --name alala -e MYSQL_ROOT_PASSWORD=<some password> -p 3306:3306 -d bin_mysql
FROM mysql:9.7.0@sha256:c11782aa2a96624c1efc121768641d96954faa136d6aa82751b032d8c426ffbc
FROM mysql:9.7.1@sha256:e370cd5f64599d46985b7729b452f2153825246f88d82753ec595c5dfc6fef6a

MySQL 9.7.0->9.7.1: Low risk. Security patch (2026-06-16). No CDC/replication behavioral changes expected. Looks good.

Comment thread stacks/flow.Dockerfile

FROM golang:1.26-alpine@sha256:f1ddd9fe14fffc091dd98cb4bfa999f32c5fc77d2f2305ea9f0e2595c5437c14 AS builder
FROM golang:1.26-alpine@sha256:3ad57304ad93bbec8548a0437ad9e06a455660655d9af011d58b993f6f615648 AS builder
# Allow build flags to be passed in at build time, for example debug flags
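
Review bot: The FROM line keeps the golang:1.26-alpine tag and changes only the digest, so nothing in the hunk shows which Go patch release or Alpine base the new digest carries. Before merging, resolve the new digest against the registry and record what it contains in the PR description, so the pin can be audited later without re-pulling the image.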

golang digest + Alpine 3.23->3.24: Low risk. Golang is same version (1.26), new digest only. Alpine 3.24 has no breaking changes for PeerDB packages (ca-certificates, geos, openssl, postgresql-client, curl). Looks good.

Comment thread stacks/peerdb-ui.Dockerfile Outdated

# Base stage
FROM node:24-alpine@sha256:21f403ab171f2dc89bad4dd69d7721bfd15f084ccb46cdd225f31f2bc59b5c9a AS base
FROM node:24-alpine@sha256:156b55f92e98ccd5ef49578a8cea0df4679826564bad1c9d4ef04462b9f0ded6 AS base

Node 24-alpine digest update: Low risk. Same tag, new digest. Looks good.

cp target/${BUILD_MODE}/peerdb-server /root/target/

FROM alpine:3.23@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11
FROM alpine:3.24@sha256:28bd5fe8b56d1bd048e5babf5b10710ebe0bae67db86916198a6eec434943f8b

Alpine 3.23->3.24: Low risk. Same assessment as flow.Dockerfile -- no breaking changes for packages used here (ca-certificates, postgresql-client, curl, iputils). Looks good.

claude Bot commented Jun 24, 2026

Renovate Dockerfile bump review

Reviewed all five dependency bumps in this PR with upstream release notes. Summary:

| Bump | Risk | Notes |
|---|---|---|
| Alpine 3.23 -> 3.24 | Low | No breaking changes for PeerDB packages |
| golang 1.26 digest | Low | Same version, routine rebuild |
| node 24 digest | Low | Same version, routine rebuild |
| MySQL 9.7.0 -> 9.7.1 | Low | Security patch only |
| MySQL 8.0.46 -> 8.4.10 | High | Build-breaking: repo URL hardcoded to 8.0, inconsistent with CI/tests, multiple behavioral changes |

Action needed: The MySQL debug Dockerfile bump from 8.0 to 8.4 will break the build (hardcoded mysql-8.0-community YUM repo won't have 8.4 packages) and is inconsistent with CI workflow defaults and test image references that still pin to 8.0.46. See inline comment for details and recommendation.

No PII/secret exposure concerns in any of the changes.

@renovate renovate Bot force-pushed the renovate/dockerfile branch from d493e97 to c3c4f07 Compare June 24, 2026 06:01

claude Bot commented Jun 24, 2026

Renovate Dockerfile dependency bump review

Bumps reviewed:

| Package | Change | Assessment |
|---|---|---|
| alpine | 3.23 to 3.24 | Safe. No breaking changes for PeerDB packages. musl 1.2.5 to 1.2.6 is safe for Go/Rust binaries. |
| golang | 1.26-alpine digest bump | Safe. Go 1.26.4 with security fixes to crypto/x509, mime, net/textproto. |
| node | 24-alpine digest bump | Safe. Node.js 24.17.0 patches 12 CVEs including 2 HIGH severity. |
| mysql | 8.0.46 to 8.4.9 | Regression risk -- see findings below. |

Finding 1: Bug (High) -- Docker build will fail due to yum repo URL mismatch

File: flow/e2e/test_data/mysql-debug/Dockerfile line 9 (changed) + lines 26-29 (not changed)

The base image is now mysql:8.4.9, but lines 28-29 still hardcode the 8.0 yum repo (mysql-8.0-community). When mysql_rpm_version resolves to 8.4.9-... from the 8.4 base image, microdnf install will fail because the 8.0 repo does not carry 8.4.x packages. The repo URL and name need to change to the 8.4 equivalent (e.g. mysql-8.4-lts-community).

Additionally, several other files still hardcode 8.0.46 and were not updated by Renovate:

  • .github/workflows/mysql-debug-docker.yml lines 9, 24 (workflow_dispatch default and env fallback)
  • flow/e2e/test_data/mysql-debug/docker-bake.hcl line 2 (default variable)
  • flow/e2e/clickhouse_mysql_test.go line 1491 (hardcoded image tag)

Since the CI workflow overrides MYSQL_VERSION to 8.0.46, the CI build may accidentally pass, masking the Dockerfile default breakage.


Finding 2: Warning (High) -- MySQL 8.0 to 8.4 has CDC-relevant breaking changes

MySQL 8.4 is a different release series from 8.0 with several changes that affect PeerDB binlog-based CDC:

  1. mysql_native_password disabled by default -- only caching_sha2_password is loaded. Connections may fail without explicit enablement.
  2. SHOW MASTER STATUS / CHANGE MASTER TO / replication terminology removed -- replaced by SHOW BINARY LOG STATUS, CHANGE REPLICATION SOURCE TO, etc.
  3. binlog_format deprecated -- flow/e2e/mysql.go:93 runs SET GLOBAL binlog_format=row which may error on 8.4 (ROW is the only format).
  4. expire_logs_days removed -- use binlog_expire_logs_seconds.
  5. binlog_transaction_dependency_tracking removed.

This bump needs validation that PeerDB MySQL connector and e2e tests work with MySQL 8.4 before merging. Consider keeping the mysql-debug image on 8.0 or bumping it as a separate PR with the necessary code changes.
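
An added example (not code from this PR or from PeerDB): a pre-merge check for the two failure modes the review above describes, a MySQL version pinned differently across files and a yum repo series that does not match the base image. The file contents are constructed stand-ins; only the version strings, the image tag and the baseurl are quoted from the thread, and the function names are hypothetical.

```python
import re

# Constructed stand-ins for the files named in the review. Only the version
# strings, the image tag and the baseurl are quoted from the thread.
SAMPLE_FILES = {
    "flow/e2e/test_data/mysql-debug/Dockerfile": (
        "ARG MYSQL_VERSION=8.4.9@sha256:"
        "c36050afdca850f23cef85703f84c7531a5ae155a11b5ee1c60acb09937c4084\n"
        "FROM mysql:${MYSQL_VERSION}\n"
        "'[mysql80-community]'\n"
        "'name=MySQL 8.0 Community Server'\n"
        "'baseurl=https://repo.mysql.com/yum/mysql-8.0-community/el/9/$basearch/'\n"
    ),
    "flow/e2e/test_data/mysql-debug/docker-bake.hcl": (
        'variable "MYSQL_VERSION" {\n  default = "8.0.46"\n}\n'
    ),
    ".github/workflows/mysql-debug-docker.yml": (
        '      mysql_version:\n        default: "8.0.46"\n'
    ),
    "flow/e2e/clickhouse_mysql_test.go": (
        'Image: "ghcr.io/peerdb-io/mysql-debug:8.0.46",\n'
    ),
}

VERSION = r"(\d+\.\d+\.\d+)"

# Where a MySQL version can be pinned, one pattern per kind of reference.
ARG_DEFAULT = re.compile(r"^ARG\s+MYSQL_VERSION=" + VERSION, re.M)
PIN_PATTERNS = [
    ARG_DEFAULT,                                            # Dockerfile ARG (digest suffix ignored)
    re.compile(r"default\s*[=:]\s*\"" + VERSION + r"\""),   # bake variable / workflow input
    re.compile(r"mysql-debug:" + VERSION),                  # image tag used by the tests
]

# Release series in the yum repo path, e.g. mysql-8.0-community or mysql-8.4-lts-community.
REPO_SERIES = re.compile(r"baseurl=\S*?/mysql-(\d+\.\d+)(?:-lts)?-community/")


def find_pins(files):
    """Return {path: sorted x.y.z versions pinned in that file}."""
    pins = {}
    for path, text in files.items():
        found = set()
        for pattern in PIN_PATTERNS:
            found.update(pattern.findall(text))
        if found:
            pins[path] = sorted(found)
    return pins


def series(version):
    """'8.4.9' -> '8.4'."""
    return ".".join(version.split(".")[:2])


def audit(files):
    """Return findings for version drift and repo/base-image series mismatch."""
    findings = []
    pins = find_pins(files)
    distinct = {v for versions in pins.values() for v in versions}
    if len(distinct) > 1:
        # Report every pin so the reviewer sees which files were left behind.
        for path, versions in sorted(pins.items()):
            findings.append(f"drift: {path} pins {', '.join(versions)}")
    for path, text in sorted(files.items()):
        arg = ARG_DEFAULT.search(text)
        if not arg:
            continue
        for repo in REPO_SERIES.findall(text):
            if repo != series(arg.group(1)):
                findings.append(
                    f"repo-mismatch: {path} installs from the {repo} repo "
                    f"but the base image is {arg.group(1)}"
                )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print(finding)
```

Run against the real checkout by reading the four paths into the dictionary; a non-empty result is a reason to fail the check on a Renovate branch.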

@renovate renovate Bot force-pushed the renovate/dockerfile branch from c3c4f07 to 3294f55 Compare June 24, 2026 07:51
# entrypoint's config checks, datadir initialization, and temporary init server keep using the
# release binary because the debug binary can trip InnoDB assertions on that path.
ARG MYSQL_VERSION=8.0.46
ARG MYSQL_VERSION=8.4.9@sha256:c36050afdca850f23cef85703f84c7531a5ae155a11b5ee1c60acb09937c4084

Bug (build-breaking): The yum repo configured on lines 26-32 still points to the MySQL 8.0 community repo (baseurl=.../mysql-8.0-community/...), but the base image is now MySQL 8.4.9.

The build extracts the RPM version from mysql-community-server-minimal (which will be 8.4.9-...) and then tries to install mysql-community-server-debug from the 8.0 repo. The 8.0 repo does not carry 8.4.x packages, so microdnf install will fail with a package-not-found error.

The repo config needs to be updated to point to the 8.4 repo:

  • [mysql80-community] should be [mysql84-community]
  • name=MySQL 8.0 Community Server should be name=MySQL 8.4 Community Server
  • baseurl should use mysql-8.4-community instead of mysql-8.0-community

(Or better yet, derive the repo path from the major.minor version dynamically so future bumps do not hit this again.)

FROM alpine:3.23@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11
FROM alpine:3.24@sha256:28bd5fe8b56d1bd048e5babf5b10710ebe0bae67db86916198a6eec434943f8b
ENV TZ=UTC
RUN apk add --no-cache ca-certificates postgresql-client curl iputils && \
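
Review bot: The apk add line in the trailing context installs ca-certificates, postgresql-client, curl and iputils without versions, so moving the base from alpine:3.23 to alpine:3.24 also changes which package versions that line resolves to; the digest pin covers only the base layer. Build this stage and run the installed binaries (for example psql --version) as part of the check for this bump.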

Bug (build-breaking): Alpine 3.24 removed the unversioned postgresql-client meta-package. Only versioned variants exist now (postgresql16-client, postgresql17-client, postgresql18-client).

This apk add will fail with ERROR: unable to select packages: postgresql-client. Needs to be changed to a versioned package name, e.g. postgresql17-client.

@renovate renovate Bot force-pushed the renovate/dockerfile branch from 39d38bd to d2a6705 Compare June 26, 2026 08:33

claude Bot commented Jun 26, 2026

Renovate Dockerfile dependency bump review

Alpine 3.23 to 3.24: Clean. Breaking changes (py3-setuptools pkg_resources removal, GTK reshuffling) do not affect PeerDB minimal Alpine usage (ca-certificates, geos, openssl, postgresql-client, curl, iputils).

golang 1.26-alpine digest update: Contains Go 1.26.2+ security patches (crypto/tls, crypto/x509). Clean.

node 24-alpine digest update: June 2026 security release patching 12 CVEs including 2 HIGH-severity (CVE-2026-48933 WebCrypto DoS, CVE-2026-48618 TLS hostname verification bypass). Clean.

mysql 8.0.46 to 8.4.9: The version bump in the Dockerfile ARG is effectively a no-op because it is always overridden at build time by:

  • docker-bake.hcl line 2 still has default = "8.0.46"
  • .github/workflows/mysql-debug-docker.yml lines 9 and 24 still default to 8.0.46

Both the bake file and workflow pass MYSQL_VERSION as a build arg, so this Dockerfile default never takes effect. The built image will still use MySQL 8.0.46.

If the intent is to bump to 8.4, those two files need matching updates. Additionally, the yum repo URL on Dockerfile line 28 hardcodes mysql-8.0-community/el/9/ but MySQL 8.4 packages live under mysql-8.4-lts-community, so that would also need updating for the build to succeed with 8.4.

# entrypoint's config checks, datadir initialization, and temporary init server keep using the
# release binary because the debug binary can trip InnoDB assertions on that path.
ARG MYSQL_VERSION=8.0.46
ARG MYSQL_VERSION=8.4.9@sha256:c36050afdca850f23cef85703f84c7531a5ae155a11b5ee1c60acb09937c4084
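
Review bot: The new default on the second ARG line puts an image digest inside a variable named MYSQL_VERSION (8.4.9@sha256:...), so anything that consumes MYSQL_VERSION as a plain version string, such as an image tag or a version comparison, now receives the digest suffix too. Consider keeping MYSQL_VERSION as the bare version and carrying the digest in a separate ARG (a hypothetical MYSQL_DIGEST, for example), or state next to the ARG that build-arg overrides may omit the digest.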

Bug: version bump is a no-op. This ARG default is always overridden at build time. See the PR comment for details on which files need matching updates.

@renovate renovate Bot force-pushed the renovate/dockerfile branch from d2a6705 to febcc60 Compare June 26, 2026 09:57
@claude

claude Bot commented Jun 26, 2026

Dockerfile dependency bump review

Alpine 3.23 to 3.24: Safe. No breaking changes for packages PeerDB uses (ca-certificates, geos, postgresql-client, curl, iputils, openssl). musl 1.2.6 has a minor pwrite/O_APPEND behavior change on kernels <6.9 -- not relevant here.

docker/dockerfile 1.24 to 1.25: Safe. Additive features only (resource limits, network proxy). No Dockerfile syntax breaking changes.

golang 1.26-alpine digest update: Safe. Routine rebuild, no version change.

node 24-alpine digest update: Safe/positive. Picks up security fixes (Node.js 24.17.0).

MySQL 8.0.46 to 8.4.9: This is a major series jump with multiple issues:

Issue 1 - Build-time failure: yum repo still points to mysql-8.0-community (HIGH)

In flow/e2e/test_data/mysql-debug/Dockerfile, the base image is now mysql:8.4.9, so rpm -q mysql-community-server-minimal (line 23) will extract an 8.4.x version string. But lines 26-28 create a yum repo pointing to mysql-8.0-community. That repo does not contain 8.4 RPMs. The microdnf install on lines 34-42 will fail because it tries to install 8.4.x versioned RPMs from a repo that only has 8.0 packages. The repo URL needs to change to the appropriate 8.4 repo path (e.g. mysql-8.4-lts-community).

Issue 2 - Companion files not updated (MEDIUM)

  • flow/e2e/test_data/mysql-debug/docker-bake.hcl line 2 still defaults MYSQL_VERSION = 8.0.46 -- needs to match the Dockerfile new default.
  • flow/e2e/clickhouse_mysql_test.go line 1738 hard-codes the image tag ghcr.io/peerdb-io/mysql-debug:8.0.46 -- needs updating to match the rebuilt image tag.

Issue 3 - Deprecated flag (LOW, optional)

--binlog-format=ROW (test line 1748) is deprecated in MySQL 8.4. It still works but may emit warnings. ROW is the only supported format going forward, so the flag could be removed.

Issue 4 - MySQL 8.4 CDC compatibility (OK, already handled)

PeerDB connector code already handles the SHOW MASTER STATUS removal via version detection (mysql.go:414-425). mysql_native_password is disabled by default in 8.4 but the test uses root with caching_sha2_password, which should be fine.

@renovate renovate Bot force-pushed the renovate/dockerfile branch from febcc60 to f51788c Compare June 26, 2026 13:05

@claude claude Bot left a comment

Reviewed the Dockerfile dependency bumps. Checked upstream release notes for all five updates (alpine 3.23 to 3.24, dockerfile syntax 1.24 to 1.25, golang digest, node digest, mysql 8.0 to 8.4). One finding below; the rest look clean.

Summary of upstream checks:

  • alpine 3.24: musl 1.2.5 to 1.2.6 (bug fixes, no breaking ABI changes). Core packages used by PeerDB (ca-certificates, geos, postgresql-client, openssl) unchanged or minor bumps. Low risk.
  • dockerfile 1.25: Additive only, adds optional CPU/memory resource limits on RUN steps. No breaking changes.
  • golang digest: Same 1.26-alpine tag, updated digest pin. No version change.
  • node digest: Same 24-alpine tag, updated digest pin. No version change.
  • mysql 8.0 to 8.4: Significant version jump. PeerDB CDC code already handles the 8.4 API changes. CI already tests against MySQL 9.5 for GTID mode. However, the debug Dockerfile has a repo URL mismatch (details below).

No PII/secret exposure concerns in this diff.


Finding: Bug in flow/e2e/test_data/mysql-debug/Dockerfile (line 9)

This PR bumps the default MYSQL_VERSION ARG from 8.0.46 to 8.4.9, but the YUM repo configuration on lines 27-28 is still hardcoded to mysql-8.0-community. If the Dockerfile is built with the new default (8.4.9), the base image will contain mysql-community-server-minimal at version 8.4.x, and line 23 will extract that version. Then microdnf install on lines 34-41 will try to find mysql-community-server-debug-8.4.x in the 8.0 repo, which will not have it. The build will fail.

Additionally, .github/workflows/mysql-debug-docker.yml still overrides the version to 8.0.46 (lines 9, 24), so CI builds currently work, but the Dockerfile default is now inconsistent with both the repo URL and the CI workflow.

Suggested fix: Either:

  1. Keep the Dockerfile ARG at 8.0.46 (exclude it from this Renovate bump), or
  2. Update the repo URL to mysql-8.4-lts-community, update the CI workflow default to 8.4.9, and verify that mysql-community-server-debug is available for 8.4.x in that repo.

@github-actions

Contributor

🔄 Flaky Test Detected

Analysis: Two BigQuery e2e tests timed out in WaitFor polling loops (rows/schema never propagated to BigQuery within ~215-246s) on a Renovate dockerfile-only PR that touches no Go code, indicating an external-service propagation-latency flake rather than a real bug.
Confidence: 0.9

✅ Automatically retrying the workflow

View workflow run

@renovate renovate Bot force-pushed the renovate/dockerfile branch from f51788c to 8dacaf6 Compare June 26, 2026 21:48

@claude claude Bot left a comment

Reviewed: Dockerfile dependency bumps

Upstream release-note check per REVIEW.md:

  • Alpine 3.23 → 3.24: No breaking changes for the packages PeerDB uses (ca-certificates, geos, postgresql-client, curl, iputils, openssl). Toolchain bumps (LLVM 22, Rust 1.96, Go 1.26) don't affect pre-built binaries. Low risk.
  • docker/dockerfile 1.24 → 1.25 (BuildKit frontend): Purely additive — adds resource-limit support for RUN steps. No breaking changes or regressions documented.
  • golang 1.26-alpine digest update: Same Go version, just a rebuild digest. No behavioral change.
  • node 24-alpine digest update: Same Node version, just a rebuild digest. No behavioral change.
  • MySQL 8.0.46 → 8.4.9: See inline comment — the yum repo URL in the debug Dockerfile needs updating, and this is a significant major version jump with removed SQL statements and changed defaults. The PeerDB connector code itself already handles MySQL 8.4 properly (version-aware SHOW BINARY LOG STATUS, SHOW REPLICA STATUS, binlog_expire_logs_seconds), but the Dockerfile will likely fail to build.

No PII/secret exposure concerns in any of these changes.

# entrypoint's config checks, datadir initialization, and temporary init server keep using the
# release binary because the debug binary can trip InnoDB assertions on that path.
ARG MYSQL_VERSION=8.0.46
ARG MYSQL_VERSION=8.4.9@sha256:c36050afdca850f23cef85703f84c7531a5ae155a11b5ee1c60acb09937c4084

Bug: yum repo URL at line 28 still points to mysql-8.0-community after this bump to MySQL 8.4

With this change, mysql_rpm_version (line 23) will resolve to an 8.4.x RPM version string. But the yum repo configured at line 28 points to mysql-8.0-community, which only hosts 8.0.x packages. The microdnf install at lines 34-41 will fail because packages like mysql-community-server-debug-8.4.9 don't exist in the 8.0 repo.

The repo section (lines 26-31) needs to be updated for 8.4. The MySQL 8.4 LTS repo path is mysql-8.4-lts-community:

  • Line 26: mysql80-community -> mysql84-lts-community
  • Line 27: MySQL 8.0 Community Server -> MySQL 8.4 LTS Community Server
  • Line 28: mysql-8.0-community -> mysql-8.4-lts-community

Additionally: MySQL 8.0 to 8.4 is a significant version jump with CDC-relevant changes:

  • mysql_native_password is disabled by default - test containers may need --mysql-native-password=ON
  • binlog_format variable is deprecated (ROW is the only supported format - good for PeerDB)
  • gtid_mode defaults to ON (good for PeerDB CDC)
  • Tagged GTIDs (UUID:TAG:NUMBER) are a new format that binlog parsers should handle

The PeerDB connector code already handles 8.4 properly (version-aware SQL for SHOW BINARY LOG STATUS, SHOW REPLICA STATUS, binlog_expire_logs_seconds), so the main concerns are: (1) this Dockerfile build breakage, and (2) potential test auth issues from mysql_native_password being off by default.

@renovate renovate Bot force-pushed the renovate/dockerfile branch from 8dacaf6 to 04e5ed1 Compare June 26, 2026 21:56
# entrypoint's config checks, datadir initialization, and temporary init server keep using the
# release binary because the debug binary can trip InnoDB assertions on that path.
ARG MYSQL_VERSION=8.0.46
ARG MYSQL_VERSION=8.4.9@sha256:c36050afdca850f23cef85703f84c7531a5ae155a11b5ee1c60acb09937c4084

MySQL 8.0 to 8.4 bump is inconsistent with surrounding files and will break standalone builds.

This ARG default was bumped to 8.4.9, but three other files still reference 8.0.46:

  1. docker-bake.hcl line 2 (overrides the Dockerfile ARG in CI)
  2. mysql-debug-docker.yml lines 9 and 24
  3. clickhouse_mysql_test.go line 1738

Because docker-bake.hcl overrides MYSQL_VERSION at build time, CI still builds with 8.0.46 -- this Dockerfile change is effectively a no-op in the pipeline.

Worse, if someone builds the Dockerfile standalone (using this new default), it will fail: the yum repo URL on line 28 is hardcoded to mysql-8.0-community, which does not carry 8.4 packages. The RPM version extracted from the 8.4 base image will not be found in that repo.

If an upgrade to MySQL 8.4 is intended, all four files need updating and the yum repo URL needs to change to the 8.4-lts-community path. PeerDB Go code already handles 8.4 (SHOW BINARY LOG STATUS, SHOW REPLICA STATUS, binlog_expire_logs_seconds), so the application side is ready -- it is only the build infrastructure that needs alignment.

If the intent is to stay on 8.0 for now, this Dockerfile change should be reverted or Renovate should be configured to pin MySQL to 8.0.x.

@claude

claude Bot commented Jun 26, 2026

Dependency Bump Review

No PII/secrets concerns -- all changes are version/digest updates in Dockerfiles.

Upstream release notes check:

  • Alpine 3.23 to 3.24: Clean. No breaking changes for ca-certificates, geos, openssl, postgresql-client, curl, iputils.
  • BuildKit syntax 1.24 to 1.25: Clean. New per-step resource limits, COPY --exclude promoted to GA. Backward compatible.
  • golang digest update (still 1.26-alpine): Clean. Routine rebuild.
  • node digest update (still 24-alpine): Clean. Routine rebuild.
  • MySQL 8.0.46 to 8.4.9: Needs attention -- see inline comment. Dockerfile bumped but docker-bake.hcl, CI workflow, and Go test still reference 8.0.46. Also, hardcoded 8.0 yum repo URL will break standalone builds.

@github-actions

Contributor

🔄 Flaky Test Detected

Analysis: The GCS e2e test's body passed but its Teardown raced on S3 cleanup (DeleteObject → 404 NoSuchKey), an unrelated flaky teardown race on a Renovate dockerfile-deps PR that cannot affect this code path.
Confidence: 0.92

✅ Automatically retrying the workflow

View workflow run

@renovate renovate Bot force-pushed the renovate/dockerfile branch from 04e5ed1 to 05f712f Compare June 29, 2026 18:40
@claude

claude Bot commented Jun 29, 2026

Dependency bump review — MySQL 8.0 to 8.4 requires Dockerfile fix

Reviewed the upstream release notes for all five bumped dependencies:

| Dependency | Bump | Risk |
| --- | --- | --- |
| MySQL | 8.0.46 to 8.4.9 | High — build-breaking (details below) |
| Alpine | 3.23 to 3.24 | Low — removed packages (GTK, Qt5, pkg_resources) are not used by PeerDB |
| docker/dockerfile | 1.24 to 1.25 | Low — OCI media types now default; adds CPU/memory resource limits |
| golang | digest update | None — same 1.26-alpine, patch rebuild only |
| node | digest update | None — same 24-alpine, patch rebuild only |

MySQL 8.0 to 8.4 upstream changes: MySQL 8.4 removes old replication syntax (SHOW MASTER STATUS, SHOW SLAVE STATUS, CHANGE MASTER TO, etc.) and disables mysql_native_password by default. PeerDB Go connector code already handles version-dependent syntax correctly (flow/connectors/mysql/mysql.go:415-425 uses SHOW BINARY LOG STATUS with fallback; flow/pkg/mysql/validation.go:273-284 tries SHOW REPLICA STATUS first). So the connector side is fine.

Build-breaking issue in mysql-debug Dockerfile: This PR bumps the base image to MySQL 8.4.9, but the yum repo URL on line 29 is still hardcoded to mysql-8.0-community. The build extracts the RPM version from the 8.4.9 base image (line 23), then tries to install mysql-community-server at that version from the 8.0 repo — but 8.4.x packages do not exist there. The correct repo is mysql-8.4-community. The repo name (line 27) and section header (line 26) also need updating.

Additionally, two other files reference the old version and need coordinated updates:

  • flow/e2e/test_data/mysql-debug/docker-bake.hcl line 2: default still set to 8.0.46
  • flow/e2e/clickhouse_mysql_test.go line 1738: image tag still references 8.0.46

Other bumps look clean: Alpine 3.24 removed packages (GTK2, Qt5, pkg_resources) are not used by PeerDB containers. Dockerfile syntax 1.25 adds resource limits and defaults to OCI media types — no breaking impact. Golang and node are digest-only rebuilds.

No PII/secret exposure concerns — the diff only changes image tags and SHA digests.

# entrypoint's config checks, datadir initialization, and temporary init server keep using the
# release binary because the debug binary can trip InnoDB assertions on that path.
ARG MYSQL_VERSION=8.0.46
ARG MYSQL_VERSION=8.4.9@sha256:c36050afdca850f23cef85703f84c7531a5ae155a11b5ee1c60acb09937c4084

Build-breaking: This bumps the base image to MySQL 8.4.9, but the yum repo URL on line 29 is still hardcoded to mysql-8.0-community. The build extracts the RPM version from the 8.4.9 base image (line 23), then tries to install mysql-community-server at that version from the 8.0 repo -- but 8.4.x packages do not exist there. The correct repo for MySQL 8.4 is mysql-8.4-community. The repo name (line 27) and section header (line 26) also need updating. Additionally, docker-bake.hcl line 2 still defaults to 8.0.46, and clickhouse_mysql_test.go line 1738 still references the 8.0.46 image tag.

@claude

claude Bot commented Jun 29, 2026

Code review

Found 1 issue. Checked for bugs and CLAUDE.md compliance.

MySQL yum repository mismatch (build failure)

The base image is bumped from MySQL 8.0.46 to 8.4.9, but the yum repository configuration in the RUN block (lines 26-28) still points to mysql-8.0-community. Oracle MySQL yum repos are partitioned by major version series — 8.4.x packages live under mysql-8.4-lts-community, not mysql-8.0-community. The build will extract an 8.4.x RPM version from the base image and then fail to find those packages in the 8.0 repo.

See inline comment on the Dockerfile for details and suggested fix.

Per REVIEW.md: dependency bumps must be checked for regressions.

Also noting for awareness: MySQL 8.4 removed legacy replication SQL commands (SHOW MASTER STATUS, CHANGE MASTER TO, START SLAVE, etc.), but PeerDB's connector code already handles this with version-gated logic.

@github-actions

Contributor

🔄 Flaky Test Detected

Analysis: 137 e2e tests failed simultaneously with uniform setup/WaitFor timeouts (not assertion errors) on only the slowest of three matrix combos, on a Renovate Dockerfile-bump PR that cannot cause logic failures — a shared-infrastructure stall under high concurrency, i.e. flaky.
Confidence: 0.95

✅ Automatically retrying the workflow

View workflow run

@renovate renovate Bot force-pushed the renovate/dockerfile branch from 05f712f to df93982 Compare June 29, 2026 19:22
@claude

claude Bot commented Jun 29, 2026

Review: Dockerfile dependency bumps

MySQL 8.0.46 to 8.4.9 (flow/e2e/test_data/mysql-debug/Dockerfile)

Regression risk — hardcoded yum repo URL will break 8.4 builds:

The Dockerfile ARG default is bumped to 8.4.9, but line 29 still hardcodes the yum repo URL to mysql-8.0-community:

baseurl=https://repo.mysql.com/yum/mysql-8.0-community/el/9/$basearch/

MySQL 8.4 RPMs are not published in the 8.0 repo — they live in mysql-8.4-lts-community. When this Dockerfile is built with version 8.4.9 (locally without a build-arg override, or if CI defaults are later updated to match), microdnf install on line 34 will fail because it cannot find mysql-community-server-8.4.9-* packages in the 8.0 repo.

Additionally, several other references still pin 8.0.46 and would need coordinated updates:

  • .github/workflows/mysql-debug-docker.yml lines 9 and 24 — CI workflow defaults
  • flow/e2e/test_data/mysql-debug/docker-bake.hcl line 2 — bake file default
  • flow/e2e/clickhouse_mysql_test.go line 1738 — hardcoded image tag ghcr.io/peerdb-io/mysql-debug:8.0.46

Note: In CI today the build arg overrides this ARG default with 8.0.46, so CI will not break immediately. But the Dockerfile ARG change is misleading — local builds will fail, and completing the upgrade later will require fixing the repo URL.

Upstream assessment: MySQL 8.4 is the LTS series; 8.4.9 is GA. CDC-relevant behavior (binlog row format, GTID, row-based replication) is preserved. mysql_native_password is disabled by default in 8.4 but caching_sha2_password is handled by the Go driver. --binlog-format=ROW (used in the test command at clickhouse_mysql_test.go:1749) is deprecated but still functional. Low regression risk for PeerDB CDC usage if the repo URL and other references are fixed.

Other bumps — all clean

  • Alpine 3.23 to 3.24: No breaking changes for Go/Rust runtimes. Same OpenSSL and geos versions. musl bumped to 1.2.6 (CVE fix, no behavioral impact on server workloads).
  • dockerfile syntax 1.24 to 1.25: Additive features only (resource limits on RUN steps). No breaking changes in the Dockerfile frontend.
  • golang digest update: Same 1.26-alpine tag, new digest only.
  • node digest update: Same 24-alpine tag, new digest only.

No PII/secret exposure concerns in any of the changes.
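
The version drift described in the review comments above (Dockerfile default, yum repo series, bake default and test image tag disagreeing) can be checked mechanically before a bump like this is merged. The following is an added example, not part of this PR or of PeerDB's code: the file excerpts are constructed from values quoted in the thread, the function names are hypothetical, and the repo-path regex deliberately accepts both spellings of the 8.4 path that appear in the comments.

```python
import re

# Constructed excerpts built from the values quoted in this thread. They are not
# copies of the repository's files, and the digest is a placeholder.
DOCKERFILE = """\
ARG MYSQL_VERSION=8.4.9@sha256:PLACEHOLDER
baseurl=https://repo.mysql.com/yum/mysql-8.0-community/el/9/$basearch/
"""
BAKE = 'variable "MYSQL_VERSION" {\n  default = "8.0.46"\n}\n'
GO_TEST = 'Image: "ghcr.io/peerdb-io/mysql-debug:8.0.46",\n'

ARG_RE = re.compile(r"^ARG\s+MYSQL_VERSION=(\S+)", re.M)
# Accepts both spellings of the 8.4 repo path that appear in the thread.
REPO_RE = re.compile(r"baseurl=\S*/mysql-(\d+\.\d+)(?:-lts)?-community/")
BAKE_RE = re.compile(r'variable\s+"MYSQL_VERSION"\s*\{[^}]*?default\s*=\s*"([^"]+)"')
TAG_RE = re.compile(r"mysql-debug:(\d+\.\d+\.\d+)")


def plain_version(value):
    """Drop an optional @sha256 digest suffix: '8.4.9@sha256:..' -> '8.4.9'."""
    return value.split("@", 1)[0]


def series(value):
    """Release series of a version string: '8.4.9' -> '8.4'."""
    return ".".join(plain_version(value).split(".")[:2])


def find_drift(dockerfile, bake, go_test):
    """Return one finding per place that disagrees with the Dockerfile default."""
    match = ARG_RE.search(dockerfile)
    if not match:
        return ["Dockerfile: no ARG MYSQL_VERSION default found"]
    default = plain_version(match.group(1))
    findings = []
    # The yum repo path is partitioned by series, so it must match the default.
    for repo in REPO_RE.findall(dockerfile):
        if repo != series(default):
            findings.append(
                f"Dockerfile: default is {default} but the yum repo path serves the {repo} series"
            )
    # The bake file passes MYSQL_VERSION as a build arg, overriding the default.
    bake_match = BAKE_RE.search(bake)
    if bake_match and plain_version(bake_match.group(1)) != default:
        findings.append(
            f"docker-bake.hcl: default {bake_match.group(1)} overrides Dockerfile default {default}"
        )
    # The e2e test pulls a fixed image tag, which must match what gets built.
    for tag in sorted(set(TAG_RE.findall(go_test))):
        if tag != default:
            findings.append(f"Go test: image tag {tag} differs from Dockerfile default {default}")
    return findings


if __name__ == "__main__":
    for finding in find_drift(DOCKERFILE, BAKE, GO_TEST):
        print(finding)
```

Run against the real files in CI, a non-empty result can fail the job so that a partial bump is flagged before review.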

@github-actions

Contributor

🔄 Flaky Test Detected

Analysis: TestResyncWithSnapshotConfigOnPausedPipe failed because the parallel sibling test TestMongoDBOplogRetentionValidation temporarily lowers the shared mongo instance's oplog retention to 23h, causing a transient, timing-dependent validation race unrelated to this Renovate dockerfile PR.
Confidence: 0.93

✅ Automatically retrying the workflow

View workflow run

@ilidemi

ilidemi commented Jun 29, 2026

Contributor

Good job Claude, opened #4512 then this can be retriggered

@ilidemi

ilidemi commented Jun 29, 2026

Contributor

Closing to incorporate main

@ilidemi ilidemi closed this Jun 29, 2026
auto-merge was automatically disabled June 29, 2026 21:58

Pull request was closed
