Update dockerfile dependencies #4470
Review of Dockerfile dependency bumps
golang (digest update) and node (digest update)
The Go 1.26-alpine and Node 24-alpine digest pin updates are low-risk -- same tag, newer build. No concerns.
mysql 8.0.46 to 8.4.9 -- Findings below
Bug (High Severity): Hardcoded MySQL 8.0 yum repo URL will break the Docker build
In flow/e2e/test_data/mysql-debug/Dockerfile line 28-29, the yum repo baseurl points to mysql-8.0-community, but the base image is now mysql:8.4.9. The RPM version extracted on line 23 will be an 8.4.x version string, and those packages do not exist in the 8.0 repo -- the microdnf install on lines 34-41 will fail.
For MySQL 8.4 LTS, the repo URL should be:
baseurl=https://repo.mysql.com/yum/mysql-8.4-lts-community/el/9/$basearch/
The repo name (mysql80-community) and display name (MySQL 8.0 Community Server) should also be updated.
Additional upstream regression notes (8.0 to 8.4):
- mysql_native_password disabled by default -- MySQL 8.4 no longer loads this plugin. PeerDB e2e tests connect with DisableTls: true; since caching_sha2_password over non-TLS requires RSA public-key exchange, verify the go-mysql client handles this. If not, add --mysql-native-password=ON to the test config.
- SHOW MASTER STATUS removed -- Already handled: flow/connectors/mysql/mysql.go:411 version-checks against 8.4.0 and uses SHOW BINARY LOG STATUS. No action needed.
- binlog_format deprecated -- flow/e2e/mysql.go:84 runs SET GLOBAL binlog_format=row, which still works in 8.4 but logs a deprecation warning.
- Removed InnoDB variables -- If any config sets innodb_log_file_size or innodb_log_files_in_group, MySQL 8.4 will refuse to start (replaced by innodb_redo_log_capacity).
- mysqld-debug assertions -- MySQL 8.4 changed InnoDB internals. New debug assertions may fire at runtime that did not exist in 8.0.
No PII/secret exposure concerns
The changes are limited to image tag/digest updates in Dockerfiles. No risk of leaking sensitive data.
Code review
Found 1 issue. Checked for bugs and CLAUDE.md compliance.
flow/e2e/test_data/mysql-debug/Dockerfile (line 9)
Bug: Docker build will fail — yum repo URL hardcoded to MySQL 8.0
This bumps the base image from 8.0.46 to 8.4.9, but the yum repository configuration at lines 26-28 is still hardcoded to the MySQL 8.0 Community repo (mysql-8.0-community). The Dockerfile extracts the RPM version from the base image (line 23), which will now be 8.4.x. It then tries to install those 8.4.x packages from the mysql-8.0-community repo where they do not exist, causing microdnf install to fail.
Fix: Update lines 26-28 to reference the MySQL 8.4 LTS repo — change mysql80-community to mysql84-lts-community, update the name, and change the baseurl from mysql-8.0-community to mysql-8.4-lts-community.
Flagged per REVIEW.md: dependency bump regression check.
49df77f to ea87cf6
Reviewed: Dockerfile dependency bumps (golang digest, mysql 8.0→8.4, node digest)
Upstream release-notes check (per REVIEW.md)
golang:1.26-alpine (digest-only): Routine rebuild, includes Go 1.26.4 security patches (archive/tar, crypto/tls, crypto/x509, html/template, os). No regressions. ✅
node:24-alpine (digest-only): Security rebuild patching 12 CVEs from the June 18 2026 coordinated release, including two HIGH-severity fixes (CVE-2026-48933 WebCrypto DoS, CVE-2026-48618 TLS hostname normalization bypass). No regressions. ✅
mysql 8.0.46 → 8.4.9: MySQL 8.4 is the current LTS. Major changes relevant to PeerDB:
- Old MASTER/SLAVE replication syntax hard-removed → already handled by version-gated code in mysql.go:411-421 and validation.go:273-283. ✅
- expire_logs_days variable removed → retention.go already routes MySQL ≥ 8.0.1 to binlog_expire_logs_seconds. ✅
- mysql_native_password disabled by default → no references found in the codebase. ✅
- No PII/secret exposure concerns. ✅
One issue found — see inline comment on the Dockerfile.
| # entrypoint's config checks, datadir initialization, and temporary init server keep using the | ||
| # release binary because the debug binary can trip InnoDB assertions on that path. | ||
| ARG MYSQL_VERSION=8.0.46 | ||
| ARG MYSQL_VERSION=8.4.9@sha256:c36050afdca850f23cef85703f84c7531a5ae155a11b5ee1c60acb09937c4084 |
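Review bot: The new default on the `ARG MYSQL_VERSION` line is a tag followed by `@sha256:` and a digest, so a variable named as a version now carries two things at once. Any `--build-arg MYSQL_VERSION=<tag>` override replaces the whole value and silently drops the digest pin, and any place that uses the variable as a plain version string receives the `@sha256:` suffix as well. Consider splitting it into separate version and digest arguments, or stating in the comment above the `ARG` that the value must include the digest.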
Bug: yum repo URL still points to mysql-8.0-community, will break the Docker build
The base image is now mysql:8.4.9, so the RPM version extracted on line 23 (rpm -q ... mysql-community-server-minimal) will be an 8.4.9 version string. But the yum repo configured on line 28 still points to:
baseurl=https://repo.mysql.com/yum/mysql-8.0-community/el/9/$basearch/
The 8.0 repo does not carry 8.4.x packages, so the microdnf install on lines 33–42 will fail with package-not-found errors for every mysql-community-*-${mysql_rpm_version} package.
Fix: Update line 28 to:
baseurl=https://repo.mysql.com/yum/mysql-8.4-community/el/9/$basearch/
and update the section name (line 26) and description (line 27) to match (mysql84-community / MySQL 8.4 Community Server).
ea87cf6 to 434c8be
Dependency bump review
Reviewed the four Dockerfile dependency bumps. Three are safe; the MySQL 8.0 → 8.4 jump has a build-breaking issue (see inline comment).
Alpine 3.23 → 3.24 ✅
No issues for PeerDB-relevant packages (ca-certificates, geos, postgresql-client, curl, iputils, openssl). All remain in main. Breaking changes (removed GTK2/Qt5, pkg_resources dropped from setuptools) don't affect these Dockerfiles.
golang:1.26-alpine digest update ✅
Picks up Go 1.26.4 — a security patch fixing quadratic complexity in mime and crypto/x509, plus a net/textproto fix. Also rebased onto Alpine 3.24. Beneficial, no regressions.
node:24-alpine digest update ✅
Picks up Node.js 24.17.0 — a security release patching 12 CVEs including HIGH-severity WebCrypto crash and TLS wildcard verification bypass. Rebased onto Alpine 3.24. Beneficial, no regressions.
MySQL 8.0.46 → 8.4.9 ⚠️
This is a major series jump (8.0 → 8.4). PeerDB's Go CDC code already handles 8.4's new commands (SHOW BINARY LOG STATUS / SHOW REPLICA STATUS with fallbacks), so the connector itself is compatible. However, the Dockerfile has a build-breaking issue — see inline comment.
Key MySQL 8.4 behavior changes to be aware of (not blocking, but worth noting):
- mysql_native_password is disabled by default — PeerDB tests may need --mysql-native-password=ON or must use caching_sha2_password
- binlog_format locked to ROW (beneficial for CDC, no action needed)
- InnoDB defaults changed (innodb_io_capacity 200→10000, innodb_flush_method fsync→O_DIRECT, etc.)
| # plus mysqld-debug, then route only the final foreground server to mysqld-debug. The stock | ||
| # entrypoint's config checks, datadir initialization, and temporary init server keep using the | ||
| # release binary because the debug binary can trip InnoDB assertions on that path. | ||
| ARG MYSQL_VERSION=8.0.46 |
Build-breaking: The yum repo URL on lines 26-28 is hardcoded to mysql-8.0-community:
'[mysql80-community]'
'name=MySQL 8.0 Community Server'
'baseurl=https://repo.mysql.com/yum/mysql-8.0-community/el/9/$basearch/'
But the base image is now mysql:8.4.9. When the Dockerfile queries the RPM version from the 8.4.9 base image (line 23) and then tries to install packages at that version from the 8.0 repo, it will fail — the mysql-8.0-community repo only contains 8.0.x packages (up to 8.0.45).
The repo needs to be updated to mysql-8.4-community (confirmed it exists at https://repo.mysql.com/yum/mysql-8.4-community/el/9/x86_64/ with debug packages through 8.4.8).
Suggested fix:
'[mysql84-community]'
'name=MySQL 8.4 Community Server'
'baseurl=https://repo.mysql.com/yum/mysql-8.4-community/el/9/$basearch/'
Additionally, the 8.4.9 debug RPM may not yet be published in the repo (latest available is 8.4.8 as of this review). You may want to pin to 8.4.8 until 8.4.9 packages land, or verify the 8.4.9 RPMs are available before merging.
434c8be to 1bc53bf
Dockerfile dependency bump review
Bug found: MySQL debug Dockerfile repo URL mismatch
File: The base image is now The section header, name, and Additionally, Upstream regression check (per REVIEW.md)
The build breakage from the wrong repo URL is the blocking issue.
af0909f to 6597cbf
Dependency Bump Review
Alpine 3.23 to 3.24 - Clean: No breaking changes for the packages used by PeerDB (ca-certificates, geos, postgresql-client, curl, iputils, openssl). The main 3.24 removals (GTK2, Qt5, pkg_resources) do not affect these Dockerfiles.
Go 1.26 digest update - Clean: Routine rebuild picking up Go 1.26.4 with minor security fixes in crypto/x509, mime, and net/textproto. No concerns.
Node 24 digest update - Clean: This pulls in Node.js 24.17.0 which addresses 12 CVEs including 2 HIGH-severity (CVE-2026-48933: WebCrypto crash; CVE-2026-48618: TLS hostname normalization bypass for wildcard certs). Good to merge promptly.
MySQL 8.0.46 to 8.4.9 - Needs manual fix before merge: This is a major series jump (8.0 to 8.4 LTS). PeerDB Go connector code already handles the MySQL 8.4 syntax changes, so the runtime CDC path is fine. However, the Dockerfile itself will break - see inline comment on the Dockerfile for details about the hardcoded yum repo URL.
Additionally, two related files were not updated by Renovate and still hardcode 8.0.46: .github/workflows/mysql-debug-docker.yml (lines 9 and 24) and flow/e2e/test_data/mysql-debug/docker-bake.hcl (line 2). Since the CI workflow overrides the Dockerfile ARG with 8.0.46, this PR Dockerfile change is effectively a no-op in CI today. All three files need to be updated together for the MySQL 8.4 bump to actually take effect.
| # entrypoint's config checks, datadir initialization, and temporary init server keep using the | ||
| # release binary because the debug binary can trip InnoDB assertions on that path. | ||
| ARG MYSQL_VERSION=8.0.46 | ||
| ARG MYSQL_VERSION=8.4.9@sha256:c36050afdca850f23cef85703f84c7531a5ae155a11b5ee1c60acb09937c4084 |
Bug - build will fail with MySQL 8.4. The yum repo configured on lines 26-31 is hardcoded to mysql-8.0-community. With the base image now at 8.4.9, line 23 extracts an RPM version like 8.4.9-1.el9.x86_64, but the 8.0 repo will not carry 8.4.x packages, so microdnf install will fail to resolve them. The repo section needs to be updated for MySQL 8.4 LTS (e.g. mysql-8.4-lts-community). The exact repo name should be verified against https://repo.mysql.com/yum/. Also note: mysql_native_password is disabled by default in MySQL 8.4. If the e2e test setup creates users with mysql_native_password auth, those connections will fail unless --mysql-native-password=ON is added to the server config or users are created with caching_sha2_password.
Dockerfile dependency bump review
Upstream release-note findings:
golang digest bump (1.26-alpine) - Go 1.26.4 security patch (3 CVEs: MIME header CPU exhaustion, unescaped input in error messages, quadratic cost in x509 VerifyHostname). No regressions reported. Safe to take.
node digest bump (24-alpine) - Node.js 24.17.0 security release (11 CVEs, 2 HIGH: WebCrypto DoS via integer overflow, TLS hostname normalization bypass). No regressions reported. Recommended to merge promptly.
alpine 3.23 to 3.24 - Minor note: postgresql-client may now resolve to postgresql17-client (was postgresql16-client in 3.23). Unlikely to cause issues since it is only used for psql CLI in the runtime image, but worth being aware of. No other regressions for the packages used (ca-certificates, geos, curl, iputils, openssl).
mysql 8.0.46 to 8.4.9 - This is the highest-risk change. MySQL 8.0 to 8.4 is a major series jump with significant breaking changes for CDC/replication workloads. See detailed findings below.
No PII/secret leaks in the diff - all changes are base image references with digest pins.
MySQL 8.0 to 8.4 - version inconsistency and build concerns (flow/e2e/test_data/mysql-debug/Dockerfile:9)
This ARG default was bumped to 8.4.9, but two other files still reference 8.0.46:
Additionally, if 8.4.9 is actually used (bypassing bake), lines 26-28 of the Dockerfile hardcode the MySQL 8.0 yum repo (baseurl mysql-8.0-community). The RPM version extracted on line 23 would be 8.4.x, which will not exist in the 8.0 repo - the microdnf install would fail. The repo config, section name ([mysql80-community]), and description all need updating for 8.4.
MySQL 8.0 to 8.4 also brings several breaking changes relevant to this test image:
The good news: PeerDB connector code already uses the new replication syntax (SHOW BINARY LOG STATUS, SHOW REPLICA STATUS) with version-checking fallbacks (see flow/connectors/mysql/mysql.go:411 and flow/pkg/mysql/validation.go:273), so the connector itself should work with 8.4.
Recommendation: Either update docker-bake.hcl, clickhouse_mysql_test.go, and the repo URL in the Dockerfile together, or keep MySQL at 8.0 until a dedicated PR handles the 8.0 to 8.4 migration holistically.
6597cbf to 9bb39ad
Dependency Bump Review -- Dockerfile dependencies
Reviewed bumps:
Build-breaking bug in mysql-debug Dockerfile (flow/e2e/test_data/mysql-debug/Dockerfile lines 26-28):
Other upstream changes (lower risk):
| # plus mysqld-debug, then route only the final foreground server to mysqld-debug. The stock | ||
| # entrypoint's config checks, datadir initialization, and temporary init server keep using the | ||
| # release binary because the debug binary can trip InnoDB assertions on that path. | ||
| ARG MYSQL_VERSION=8.0.46 |
Bug (build-breaking): Bumping to 8.4.9 here will break the Docker build. Lines 26-28 (not shown in diff) hardcode the yum repo to mysql-8.0-community. When the base image is 8.4, line 23 extracts an 8.4.x RPM version, then lines 33-41 try to install those packages from the 8.0 repo -- which does not carry them. The repo config (lines 26-28) needs to be updated to mysql-8.4-lts-community.
9bb39ad to d493e97
| # entrypoint's config checks, datadir initialization, and temporary init server keep using the | ||
| # release binary because the debug binary can trip InnoDB assertions on that path. | ||
| ARG MYSQL_VERSION=8.0.46 | ||
| ARG MYSQL_VERSION=8.4.10@sha256:563602a18ffd5be220968e8508d84c9dcd80fbffe69e28af51572db29e3285b2 |
Build will likely break: hardcoded mysql-8.0-community repo URL is incompatible with MySQL 8.4 base image.
The YUM repo on line 28 points to mysql-8.0-community but the base image is now mysql:8.4.10. The mysql-community-server-debug RPM at 8.4.x is not in the 8.0 repo -- the correct repo is mysql-8.4-lts-community. microdnf install (lines 34-42) will fail to find the debug package at the version extracted from the 8.4 base image.
Also inconsistent with references still pinned to 8.0.46:
- .github/workflows/mysql-debug-docker.yml lines 9+24 default to 8.0.46
- flow/e2e/clickhouse_mysql_test.go:1491 references ghcr.io/peerdb-io/mysql-debug:8.0.46
MySQL 8.0->8.4 breaking changes relevant to CDC:
- SHOW SLAVE STATUS removed (fallback in validation.go:277 handles this)
- mysql_native_password disabled by default
- InnoDB defaults changed (innodb_io_capacity 200->10000, innodb_change_buffering all->none)
Recommendation: exclude this file from the Renovate bump and handle 8.0->8.4 in a dedicated PR.
| # 1. Build the image: docker build -f mysql.Dockerfile --tag 'bin_mysql' . | ||
| # 2. Run the container: docker run --name alala -e MYSQL_ROOT_PASSWORD=<some password> -p 3306:3306 -d bin_mysql | ||
| FROM mysql:9.7.0@sha256:c11782aa2a96624c1efc121768641d96954faa136d6aa82751b032d8c426ffbc | ||
| FROM mysql:9.7.1@sha256:e370cd5f64599d46985b7729b452f2153825246f88d82753ec595c5dfc6fef6a |
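Review bot: The usage comment on the `docker run` context line documents `-p 3306:3306`, which publishes MySQL on every host interface; since this hunk already touches the file, consider changing the documented command to `-p 127.0.0.1:3306:3306` for local test use. The `FROM` line itself moves the tag and the digest together from 9.7.0 to 9.7.1, which is consistent.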
MySQL 9.7.0->9.7.1: Low risk. Security patch (2026-06-16). No CDC/replication behavioral changes expected. Looks good.
|
|
||
| FROM golang:1.26-alpine@sha256:f1ddd9fe14fffc091dd98cb4bfa999f32c5fc77d2f2305ea9f0e2595c5437c14 AS builder | ||
| FROM golang:1.26-alpine@sha256:3ad57304ad93bbec8548a0437ad9e06a455660655d9af011d58b993f6f615648 AS builder | ||
| # Allow build flags to be passed in at build time, for example debug flags |
golang digest + Alpine 3.23->3.24: Low risk. Golang is same version (1.26), new digest only. Alpine 3.24 has no breaking changes for PeerDB packages (ca-certificates, geos, openssl, postgresql-client, curl). Looks good.
|
|
||
| # Base stage | ||
| FROM node:24-alpine@sha256:21f403ab171f2dc89bad4dd69d7721bfd15f084ccb46cdd225f31f2bc59b5c9a AS base | ||
| FROM node:24-alpine@sha256:156b55f92e98ccd5ef49578a8cea0df4679826564bad1c9d4ef04462b9f0ded6 AS base |
Node 24-alpine digest update: Low risk. Same tag, new digest. Looks good.
| cp target/${BUILD_MODE}/peerdb-server /root/target/ | ||
|
|
||
| FROM alpine:3.23@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11 | ||
| FROM alpine:3.24@sha256:28bd5fe8b56d1bd048e5babf5b10710ebe0bae67db86916198a6eec434943f8b |
Alpine 3.23->3.24: Low risk. Same assessment as flow.Dockerfile -- no breaking changes for packages used here (ca-certificates, postgresql-client, curl, iputils). Looks good.
Renovate Dockerfile bump review
Reviewed all five dependency bumps in this PR with upstream release notes. Summary:
Action needed: The MySQL debug Dockerfile bump from 8.0 to 8.4 will break the build (hardcoded
No PII/secret exposure concerns in any of the changes.
d493e97 to c3c4f07
Renovate Dockerfile dependency bump review
Bumps reviewed:
Finding 1: Bug (High) -- Docker build will fail due to yum repo URL mismatch
File: The base image is now Additionally, several other files still hardcode
Since the CI workflow overrides
Finding 2: Warning (High) -- MySQL 8.0 to 8.4 has CDC-relevant breaking changes
MySQL 8.4 is a different release series from 8.0 with several changes that affect PeerDB binlog-based CDC:
This bump needs validation that PeerDB MySQL connector and e2e tests work with MySQL 8.4 before merging. Consider keeping the mysql-debug image on 8.0 or bumping it as a separate PR with the necessary code changes.
c3c4f07 to 3294f55
| # entrypoint's config checks, datadir initialization, and temporary init server keep using the | ||
| # release binary because the debug binary can trip InnoDB assertions on that path. | ||
| ARG MYSQL_VERSION=8.0.46 | ||
| ARG MYSQL_VERSION=8.4.9@sha256:c36050afdca850f23cef85703f84c7531a5ae155a11b5ee1c60acb09937c4084 |
Bug (build-breaking): The yum repo configured on lines 26-32 still points to the MySQL 8.0 community repo (baseurl=.../mysql-8.0-community/...), but the base image is now MySQL 8.4.9.
The build extracts the RPM version from mysql-community-server-minimal (which will be 8.4.9-...) and then tries to install mysql-community-server-debug from the 8.0 repo. The 8.0 repo does not carry 8.4.x packages, so microdnf install will fail with a package-not-found error.
The repo config needs to be updated to point to the 8.4 repo:
- [mysql80-community] should be [mysql84-community]
- name=MySQL 8.0 Community Server should be name=MySQL 8.4 Community Server
- baseurl should use mysql-8.4-community instead of mysql-8.0-community
(Or better yet, derive the repo path from the major.minor version dynamically so future bumps do not hit this again.)
| FROM alpine:3.23@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11 | ||
| FROM alpine:3.24@sha256:28bd5fe8b56d1bd048e5babf5b10710ebe0bae67db86916198a6eec434943f8b | ||
| ENV TZ=UTC | ||
| RUN apk add --no-cache ca-certificates postgresql-client curl iputils && \ |
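Review bot: The `apk add --no-cache ca-certificates postgresql-client curl iputils` context line installs unversioned package names, so moving `FROM` from `alpine:3.23` to `alpine:3.24` also changes which package versions those names resolve to, or whether they resolve at all. Build this stage in CI as part of the bump and, if the client major version matters, name the versioned package explicitly.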
Bug (build-breaking): Alpine 3.24 removed the unversioned postgresql-client meta-package. Only versioned variants exist now (postgresql16-client, postgresql17-client, postgresql18-client).
This apk add will fail with ERROR: unable to select packages: postgresql-client. Needs to be changed to a versioned package name, e.g. postgresql17-client.
39d38bd to d2a6705
Renovate Dockerfile dependency bump review
Alpine 3.23 to 3.24: Clean. Breaking changes (py3-setuptools pkg_resources removal, GTK reshuffling) do not affect PeerDB minimal Alpine usage (ca-certificates, geos, openssl, postgresql-client, curl, iputils).
golang 1.26-alpine digest update: Contains Go 1.26.2+ security patches (crypto/tls, crypto/x509). Clean.
node 24-alpine digest update: June 2026 security release patching 12 CVEs including 2 HIGH-severity (CVE-2026-48933 WebCrypto DoS, CVE-2026-48618 TLS hostname verification bypass). Clean.
mysql 8.0.46 to 8.4.9: The version bump in the Dockerfile ARG is effectively a no-op because it is always overridden at build time by:
Both the bake file and workflow pass MYSQL_VERSION as a build arg, so this Dockerfile default never takes effect. The built image will still use MySQL 8.0.46. If the intent is to bump to 8.4, those two files need matching updates. Additionally, the yum repo URL on Dockerfile line 28 hardcodes
| # entrypoint's config checks, datadir initialization, and temporary init server keep using the | ||
| # release binary because the debug binary can trip InnoDB assertions on that path. | ||
| ARG MYSQL_VERSION=8.0.46 | ||
| ARG MYSQL_VERSION=8.4.9@sha256:c36050afdca850f23cef85703f84c7531a5ae155a11b5ee1c60acb09937c4084 |
Bug: version bump is a no-op. This ARG default is always overridden at build time. See the PR comment for details on which files need matching updates.
d2a6705 to febcc60
Dockerfile dependency bump review
Alpine 3.23 to 3.24: Safe. No breaking changes for packages PeerDB uses (ca-certificates, geos, postgresql-client, curl, iputils, openssl). musl 1.2.6 has a minor pwrite/O_APPEND behavior change on kernels <6.9 -- not relevant here.
docker/dockerfile 1.24 to 1.25: Safe. Additive features only (resource limits, network proxy). No Dockerfile syntax breaking changes.
golang 1.26-alpine digest update: Safe. Routine rebuild, no version change.
node 24-alpine digest update: Safe/positive. Picks up security fixes (Node.js 24.17.0).
MySQL 8.0.46 to 8.4.9: This is a major series jump with multiple issues:
Issue 1 - Build-time failure: yum repo still points to mysql-8.0-community (HIGH)
In flow/e2e/test_data/mysql-debug/Dockerfile, the base image is now mysql:8.4.9, so rpm -q mysql-community-server-minimal (line 23) will extract an 8.4.x version string. But lines 26-28 create a yum repo pointing to mysql-8.0-community. That repo does not contain 8.4 RPMs. The microdnf install on lines 34-42 will fail because it tries to install 8.4.x versioned RPMs from a repo that only has 8.0 packages. The repo URL needs to change to the appropriate 8.4 repo path (e.g. mysql-8.4-lts-community).
Issue 2 - Companion files not updated (MEDIUM)
Issue 3 - Deprecated flag (LOW, optional)
--binlog-format=ROW (test line 1748) is deprecated in MySQL 8.4. It still works but may emit warnings. ROW is the only supported format going forward, so the flag could be removed.
Issue 4 - MySQL 8.4 CDC compatibility (OK, already handled)
PeerDB connector code already handles the SHOW MASTER STATUS removal via version detection (mysql.go:414-425). mysql_native_password is disabled by default in 8.4 but the test uses root with caching_sha2_password, which should be fine.
febcc60 to f51788c
Reviewed the Dockerfile dependency bumps. Checked upstream release notes for all five updates (alpine 3.23 to 3.24, dockerfile syntax 1.24 to 1.25, golang digest, node digest, mysql 8.0 to 8.4). One finding below; the rest look clean.
Summary of upstream checks:
- alpine 3.24: musl 1.2.5 to 1.2.6 (bug fixes, no breaking ABI changes). Core packages used by PeerDB (ca-certificates, geos, postgresql-client, openssl) unchanged or minor bumps. Low risk.
- dockerfile 1.25: Additive only, adds optional CPU/memory resource limits on RUN steps. No breaking changes.
- golang digest: Same 1.26-alpine tag, updated digest pin. No version change.
- node digest: Same 24-alpine tag, updated digest pin. No version change.
- mysql 8.0 to 8.4: Significant version jump. PeerDB CDC code already handles the 8.4 API changes. CI already tests against MySQL 9.5 for GTID mode. However, the debug Dockerfile has a repo URL mismatch (details below).
No PII/secret exposure concerns in this diff.
Finding: Bug in flow/e2e/test_data/mysql-debug/Dockerfile (line 9)
This PR bumps the default MYSQL_VERSION ARG from 8.0.46 to 8.4.9, but the YUM repo configuration on lines 27-28 is still hardcoded to mysql-8.0-community. If the Dockerfile is built with the new default (8.4.9), the base image will contain mysql-community-server-minimal at version 8.4.x, and line 23 will extract that version. Then microdnf install on lines 34-41 will try to find mysql-community-server-debug-8.4.x in the 8.0 repo, which will not have it. The build will fail.
Additionally, .github/workflows/mysql-debug-docker.yml still overrides the version to 8.0.46 (lines 9, 24), so CI builds currently work, but the Dockerfile default is now inconsistent with both the repo URL and the CI workflow.
Suggested fix: Either:
- Keep the Dockerfile ARG at 8.0.46 (exclude it from this Renovate bump), or
- Update the repo URL to mysql-8.4-lts-community, update the CI workflow default to 8.4.9, and verify that mysql-community-server-debug is available for 8.4.x in that repo.
🔄 Flaky Test Detected
Analysis: Two BigQuery e2e tests timed out in WaitFor polling loops (rows/schema never propagated to BigQuery within ~215-246s) on a Renovate dockerfile-only PR that touches no Go code, indicating an external-service propagation-latency flake rather than a real bug.
✅ Automatically retrying the workflow
f51788c to 8dacaf6
Reviewed: Dockerfile dependency bumps
Upstream release-note check per REVIEW.md:
- Alpine 3.23 → 3.24: No breaking changes for the packages PeerDB uses (ca-certificates, geos, postgresql-client, curl, iputils, openssl). Toolchain bumps (LLVM 22, Rust 1.96, Go 1.26) don't affect pre-built binaries. Low risk.
- docker/dockerfile 1.24 → 1.25 (BuildKit frontend): Purely additive — adds resource-limit support for RUN steps. No breaking changes or regressions documented.
- golang 1.26-alpine digest update: Same Go version, just a rebuild digest. No behavioral change.
- node 24-alpine digest update: Same Node version, just a rebuild digest. No behavioral change.
- MySQL 8.0.46 → 8.4.9: See inline comment — the yum repo URL in the debug Dockerfile needs updating, and this is a significant major version jump with removed SQL statements and changed defaults. The PeerDB connector code itself already handles MySQL 8.4 properly (version-aware SHOW BINARY LOG STATUS, SHOW REPLICA STATUS, binlog_expire_logs_seconds), but the Dockerfile will likely fail to build.
No PII/secret exposure concerns in any of these changes.
| # entrypoint's config checks, datadir initialization, and temporary init server keep using the | ||
| # release binary because the debug binary can trip InnoDB assertions on that path. | ||
| ARG MYSQL_VERSION=8.0.46 | ||
| ARG MYSQL_VERSION=8.4.9@sha256:c36050afdca850f23cef85703f84c7531a5ae155a11b5ee1c60acb09937c4084 |
Bug: yum repo URL at line 28 still points to mysql-8.0-community after this bump to MySQL 8.4
With this change, mysql_rpm_version (line 23) will resolve to an 8.4.x RPM version string. But the yum repo configured at line 28 points to mysql-8.0-community, which only hosts 8.0.x packages. The microdnf install at lines 34-41 will fail because packages like mysql-community-server-debug-8.4.9 don't exist in the 8.0 repo.
The repo section (lines 26-31) needs to be updated for 8.4. The MySQL 8.4 LTS repo path is mysql-8.4-lts-community:
- Line 26: mysql80-community -> mysql84-lts-community
- Line 27: MySQL 8.0 Community Server -> MySQL 8.4 LTS Community Server
- Line 28: mysql-8.0-community -> mysql-8.4-lts-community
Additionally: MySQL 8.0 to 8.4 is a significant version jump with CDC-relevant changes:
- mysql_native_password is disabled by default - test containers may need --mysql-native-password=ON
- binlog_format variable is deprecated (ROW is the only supported format - good for PeerDB)
- gtid_mode defaults to ON (good for PeerDB CDC)
- Tagged GTIDs (UUID:TAG:NUMBER) are a new format that binlog parsers should handle
The PeerDB connector code already handles 8.4 properly (version-aware SQL for SHOW BINARY LOG STATUS, SHOW REPLICA STATUS, binlog_expire_logs_seconds), so the main concerns are: (1) this Dockerfile build breakage, and (2) potential test auth issues from mysql_native_password being off by default.
8dacaf6 to 04e5ed1
| # entrypoint's config checks, datadir initialization, and temporary init server keep using the | ||
| # release binary because the debug binary can trip InnoDB assertions on that path. | ||
| ARG MYSQL_VERSION=8.0.46 | ||
| ARG MYSQL_VERSION=8.4.9@sha256:c36050afdca850f23cef85703f84c7531a5ae155a11b5ee1c60acb09937c4084 |
MySQL 8.0 to 8.4 bump is inconsistent with surrounding files and will break standalone builds.
This ARG default was bumped to 8.4.9, but three other files still reference 8.0.46:
- docker-bake.hcl line 2 (overrides the Dockerfile ARG in CI)
- mysql-debug-docker.yml lines 9 and 24
- clickhouse_mysql_test.go line 1738
Because docker-bake.hcl overrides MYSQL_VERSION at build time, CI still builds with 8.0.46 -- this Dockerfile change is effectively a no-op in the pipeline.
Worse, if someone builds the Dockerfile standalone (using this new default), it will fail: the yum repo URL on line 28 is hardcoded to mysql-8.0-community, which does not carry 8.4 packages. The RPM version extracted from the 8.4 base image will not be found in that repo.
If an upgrade to MySQL 8.4 is intended, all four files need updating and the yum repo URL needs to change to the 8.4-lts-community path. PeerDB Go code already handles 8.4 (SHOW BINARY LOG STATUS, SHOW REPLICA STATUS, binlog_expire_logs_seconds), so the application side is ready -- it is only the build infrastructure that needs alignment.
If the intent is to stay on 8.0 for now, this Dockerfile change should be reverted or Renovate should be configured to pin MySQL to 8.0.x.
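A consistency check for the two problems raised repeatedly in this thread (the base-image series versus the yum repo series, and companion files that still pin the old version), written as an added example that is not PeerDB's code. The file contents, the placeholder digest and the two pin patterns are constructed assumptions; only the file names and the ghcr.io/peerdb-io/mysql-debug reference come from the comments above.

```python
import re

SEMVER = r"\d+\.\d+\.\d+"
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64  # constructed, not a real image digest

# Constructed inputs modelled on the review comments; not the repository's real files.
SAMPLE_DOCKERFILE = rf"""ARG MYSQL_VERSION=8.4.9@{PLACEHOLDER_DIGEST}
FROM mysql:${{MYSQL_VERSION}}
RUN printf '%s\n' \
    '[mysql80-community]' \
    'name=MySQL 8.0 Community Server' \
    'baseurl=https://repo.mysql.com/yum/mysql-8.0-community/el/9/$basearch/' \
    > /etc/yum.repos.d/mysql-community.repo
"""
SAMPLE_COMPANIONS = {
    "docker-bake.hcl": 'variable "MYSQL_VERSION" {\n  default = "8.0.46"\n}\n',
    "clickhouse_mysql_test.go": 'image := "ghcr.io/peerdb-io/mysql-debug:8.0.46"\n',
}

# Assumed shapes of a version pin in companion files: (pattern, is_build_arg_override).
PIN_PATTERNS = [
    (re.compile(rf"mysql-debug:({SEMVER})"), False),
    (re.compile(rf"default\s*[:=]\s*\W?({SEMVER})"), True),
]


def arg_default(dockerfile, name):
    """Return the default value of `ARG name=...`, or None if it is absent."""
    m = re.search(rf"^ARG\s+{re.escape(name)}=(\S+)", dockerfile, re.MULTILINE)
    return m.group(1) if m else None


def split_pin(value):
    """Split 'tag@sha256:...' into (tag, digest); digest is None when unpinned."""
    tag, _, digest = value.partition("@")
    return tag, (digest or None)


def series(version):
    """'8.4.9' -> '8.4'."""
    return ".".join(version.split(".")[:2])


def repo_series(dockerfile):
    """Release series named in any MySQL yum baseurl written by the Dockerfile."""
    pattern = r"baseurl=\S*?/mysql-(\d+\.\d+)-[\w-]*community/"
    return sorted(set(re.findall(pattern, dockerfile)))


def companion_pins(text):
    """Yield (line_number, version, is_override, has_digest) for each pin found."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, is_override in PIN_PATTERNS:
            for m in pattern.finditer(line):
                yield lineno, m.group(1), is_override, "@sha256:" in line


def check(dockerfile, companions):
    """Return a list of human-readable findings; an empty list means consistent."""
    value = arg_default(dockerfile, "MYSQL_VERSION")
    if value is None:
        return ["Dockerfile: no ARG MYSQL_VERSION default found"]
    tag, digest = split_pin(value)
    findings = []
    for found in repo_series(dockerfile):
        if found != series(tag):
            findings.append(
                f"Dockerfile: base image is {series(tag)} but yum baseurl is for {found}")
    for name, text in companions.items():
        for lineno, pin, is_override, has_digest in companion_pins(text):
            if pin != tag:
                findings.append(
                    f"{name}:{lineno}: pins {pin}, Dockerfile default is {tag}")
            if is_override and digest and not has_digest:
                findings.append(
                    f"{name}:{lineno}: override has no digest, so the Dockerfile's pin is dropped")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_DOCKERFILE, SAMPLE_COMPANIONS):
        print(finding)
```

Run as a CI step on dependency-bump PRs, a non-empty result fails the job before the image build is attempted.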
Dependency Bump Review
No PII/secrets concerns -- all changes are version/digest updates in Dockerfiles.
Upstream release notes check:
🔄 Flaky Test Detected
Analysis: The GCS e2e test's body passed but its Teardown raced on S3 cleanup (DeleteObject → 404 NoSuchKey), an unrelated flaky teardown race on a Renovate dockerfile-deps PR that cannot affect this code path.
✅ Automatically retrying the workflow
04e5ed1 to 05f712f
Dependency bump review — MySQL 8.0 to 8.4 requires Dockerfile fix
Reviewed the upstream release notes for all five bumped dependencies:
MySQL 8.0 to 8.4 upstream changes: MySQL 8.4 removes old replication syntax (SHOW MASTER STATUS, SHOW SLAVE STATUS, CHANGE MASTER TO, etc.) and disables mysql_native_password by default. PeerDB Go connector code already handles version-dependent syntax correctly (flow/connectors/mysql/mysql.go:415-425 uses SHOW BINARY LOG STATUS with fallback; flow/pkg/mysql/validation.go:273-284 tries SHOW REPLICA STATUS first). So the connector side is fine.
Build-breaking issue in mysql-debug Dockerfile: This PR bumps the base image to MySQL 8.4.9, but the yum repo URL on line 29 is still hardcoded to
Additionally, two other files reference the old version and need coordinated updates:
Other bumps look clean: Alpine 3.24 removed packages (GTK2, Qt5, pkg_resources) are not used by PeerDB containers. Dockerfile syntax 1.25 adds resource limits and defaults to OCI media types — no breaking impact. Golang and node are digest-only rebuilds.
No PII/secret exposure concerns — the diff only changes image tags and SHA digests.
| # entrypoint's config checks, datadir initialization, and temporary init server keep using the | ||
| # release binary because the debug binary can trip InnoDB assertions on that path. | ||
| ARG MYSQL_VERSION=8.0.46 | ||
| ARG MYSQL_VERSION=8.4.9@sha256:c36050afdca850f23cef85703f84c7531a5ae155a11b5ee1c60acb09937c4084 |
Build-breaking: This bumps the base image to MySQL 8.4.9, but the yum repo URL on line 29 is still hardcoded to mysql-8.0-community. The build extracts the RPM version from the 8.4.9 base image (line 23), then tries to install mysql-community-server at that version from the 8.0 repo -- but 8.4.x packages do not exist there. The correct repo for MySQL 8.4 is mysql-8.4-community. The repo name (line 27) and section header (line 26) also need updating. Additionally, docker-bake.hcl line 2 still defaults to 8.0.46, and clickhouse_mysql_test.go line 1738 still references the 8.0.46 image tag.
Code review
Found 1 issue. Checked for bugs and CLAUDE.md compliance.
MySQL yum repository mismatch (build failure)
The base image is bumped from MySQL 8.0.46 to 8.4.9, but the yum repository configuration in the RUN block (lines 26-28) still points to
See inline comment on the Dockerfile for details and suggested fix.
Per REVIEW.md: dependency bumps must be checked for regressions.
Also noting for awareness: MySQL 8.4 removed legacy replication SQL commands (
🔄 Flaky Test Detected
Analysis: 137 e2e tests failed simultaneously with uniform setup/WaitFor timeouts (not assertion errors) on only the slowest of three matrix combos, on a Renovate Dockerfile-bump PR that cannot cause logic failures — a shared-infrastructure stall under high concurrency, i.e. flaky.
✅ Automatically retrying the workflow
05f712f to df93982
Review: Dockerfile dependency bumps
MySQL 8.0.46 to 8.4.9 (
Regression risk — hardcoded yum repo URL will break 8.4 builds: The Dockerfile ARG default is bumped to
MySQL 8.4 RPMs are not published in the 8.0 repo — they live in
Additionally, several other references still pin
Note: In CI today the build arg overrides this ARG default with
Upstream assessment: MySQL 8.4 is the LTS series; 8.4.9 is GA. CDC-relevant behavior (binlog row format, GTID, row-based replication) is preserved.
Other bumps — all clean
No PII/secret exposure concerns in any of the changes.
🔄 Flaky Test Detected
Analysis: TestResyncWithSnapshotConfigOnPausedPipe failed because the parallel sibling test TestMongoDBOplogRetentionValidation temporarily lowers the shared mongo instance's oplog retention to 23h, causing a transient, timing-dependent validation race unrelated to this Renovate dockerfile PR.
✅ Automatically retrying the workflow
Good job Claude, opened #4512 then this can be retriggered
Closing to incorporate main
Pull request was closed
This PR contains the following updates:
- 3.23 → 3.24
- 1.24 → 1.25
- f1ddd9f → 3ad5730
- 7dcddc0
- 21f403a → a0b9bf0
Configuration
📅 Schedule: (in timezone Etc/UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.