[CI] test-migration: install google-auth for cloud_storage_google/google_gmail#103
Merged
Conversation
…gle_gmail geoip2 already covered website; cloud_storage_google (and google_gmail) declare google-auth. google-auth's runtime deps are cachetools/pyasn1-modules/rsa — it does NOT pull cryptography, so it won't disturb the runner's pyOpenSSL. (auth_ldap's python-ldap, which needs apt build libs, is added separately if/when it's marked.)
dnplkndll
added a commit
that referenced
this pull request
Jun 3, 2026
…gle_gmail (#103) geoip2 already covered website; cloud_storage_google (and google_gmail) declare google-auth. google-auth's runtime deps are cachetools/pyasn1-modules/rsa — it does NOT pull cryptography, so it won't disturb the runner's pyOpenSSL. (auth_ldap's python-ldap, which needs apt build libs, is added separately if/when it's marked.)
dnplkndll
added a commit
that referenced
this pull request
Jun 4, 2026
…aphy bump google-auth requires cryptography>=38, which the install would pull, evicting Odoo's pinned cryptography==3.4.8 and desyncing the matched pyopenssl==21.0.0 / urllib3 1.26 stack: pyopenssl 21 reads X509_V_FLAG_NOTIFY_POLICY and urllib3 1.26's contrib.pyopenssl needs cryptography.hazmat.backends.openssl.x509 — both gone in modern cryptography — so `import OpenSSL` fails and base won't load. That killed the migration test for every PR before any script ran (#103 introduced it on 2026-06-03). Drop google-auth (revert to `pip install geoip2`), restoring Odoo 18's native, matched crypto stack so base loads. The per-PR OCA seed has no google-auth-dependent module, so this greens the per-PR test. cloud_storage_google / google_gmail (enriched seed only) hard-require google-auth and need it installed with a cryptography compatible with Odoo 18's urllib3/pyopenssl — tracked separately; pinning that triple is runner-fragile and shouldn't gate the per-PR migration test.
dnplkndll
added a commit
that referenced
this pull request
Jun 4, 2026
…onflict google-auth requires cryptography>=38, which evicts Odoo's pinned cryptography==3.4.8 and desyncs the matched pyopenssl==21.0.0 / urllib3 1.26 stack (X509_V_FLAG_NOTIFY_POLICY and hazmat.backends.openssl.x509 are gone in modern cryptography) → import OpenSSL fails, base won't load, every migration run dies before a script executes. #103 added google-auth on 2026-06-03 and silently broke this. The only thing that needs google-auth is cloud_storage_google, whose 19.0 manifest declares it as an external dependency (18.0 didn't). It's only in the enriched seed. - Per-PR (test-migration.yml): drop google-auth — the OCA seed has no google-auth-dependent module, so this restores Odoo 18's matched crypto stack and greens the per-PR test. - Enriched (test-migration-enriched.yml): drop google-auth AND mark cloud_storage_google uninstalled post-restore so OpenUpgrade skips it (nothing depends on it; its 18->19 change needs live Google config to exercise). Both halves keep cryptography untouched. Restores both migration gates, which had been red since #103 (per-PR) and longer (enriched, on cloud_storage_google's missing dep then the crypto break).
dnplkndll
added a commit
that referenced
this pull request
Jun 11, 2026
…onflict (#106) google-auth requires cryptography>=38, which evicts Odoo's pinned cryptography==3.4.8 and desyncs the matched pyopenssl==21.0.0 / urllib3 1.26 stack (X509_V_FLAG_NOTIFY_POLICY and hazmat.backends.openssl.x509 are gone in modern cryptography) → import OpenSSL fails, base won't load, every migration run dies before a script executes. #103 added google-auth on 2026-06-03 and silently broke this. The only thing that needs google-auth is cloud_storage_google, whose 19.0 manifest declares it as an external dependency (18.0 didn't). It's only in the enriched seed. - Per-PR (test-migration.yml): drop google-auth — the OCA seed has no google-auth-dependent module, so this restores Odoo 18's matched crypto stack and greens the per-PR test. - Enriched (test-migration-enriched.yml): drop google-auth AND mark cloud_storage_google uninstalled post-restore so OpenUpgrade skips it (nothing depends on it; its 18->19 change needs live Google config to exercise). Both halves keep cryptography untouched. Restores both migration gates, which had been red since #103 (per-PR) and longer (enriched, on cloud_storage_google's missing dep then the crypto break).
dnplkndll
added a commit
that referenced
this pull request
Jun 14, 2026
…gle_gmail (#103) geoip2 already covered website; cloud_storage_google (and google_gmail) declare google-auth. google-auth's runtime deps are cachetools/pyasn1-modules/rsa — it does NOT pull cryptography, so it won't disturb the runner's pyOpenSSL. (auth_ldap's python-ldap, which needs apt build libs, is added separately if/when it's marked.)
dnplkndll
added a commit
that referenced
this pull request
Jun 14, 2026
…onflict (#106) google-auth requires cryptography>=38, which evicts Odoo's pinned cryptography==3.4.8 and desyncs the matched pyopenssl==21.0.0 / urllib3 1.26 stack (X509_V_FLAG_NOTIFY_POLICY and hazmat.backends.openssl.x509 are gone in modern cryptography) → import OpenSSL fails, base won't load, every migration run dies before a script executes. #103 added google-auth on 2026-06-03 and silently broke this. The only thing that needs google-auth is cloud_storage_google, whose 19.0 manifest declares it as an external dependency (18.0 didn't). It's only in the enriched seed. - Per-PR (test-migration.yml): drop google-auth — the OCA seed has no google-auth-dependent module, so this restores Odoo 18's matched crypto stack and greens the per-PR test. - Enriched (test-migration-enriched.yml): drop google-auth AND mark cloud_storage_google uninstalled post-restore so OpenUpgrade skips it (nothing depends on it; its 18->19 change needs live Google config to exercise). Both halves keep cryptography untouched. Restores both migration gates, which had been red since #103 (per-PR) and longer (enriched, on cloud_storage_google's missing dep then the crypto break).
dnplkndll
added a commit
that referenced
this pull request
Jun 19, 2026
…gle_gmail (#103) geoip2 already covered website; cloud_storage_google (and google_gmail) declare google-auth. google-auth's runtime deps are cachetools/pyasn1-modules/rsa — it does NOT pull cryptography, so it won't disturb the runner's pyOpenSSL. (auth_ldap's python-ldap, which needs apt build libs, is added separately if/when it's marked.)
dnplkndll
added a commit
that referenced
this pull request
Jun 19, 2026
…onflict (#106) google-auth requires cryptography>=38, which evicts Odoo's pinned cryptography==3.4.8 and desyncs the matched pyopenssl==21.0.0 / urllib3 1.26 stack (X509_V_FLAG_NOTIFY_POLICY and hazmat.backends.openssl.x509 are gone in modern cryptography) → import OpenSSL fails, base won't load, every migration run dies before a script executes. #103 added google-auth on 2026-06-03 and silently broke this. The only thing that needs google-auth is cloud_storage_google, whose 19.0 manifest declares it as an external dependency (18.0 didn't). It's only in the enriched seed. - Per-PR (test-migration.yml): drop google-auth — the OCA seed has no google-auth-dependent module, so this restores Odoo 18's matched crypto stack and greens the per-PR test. - Enriched (test-migration-enriched.yml): drop google-auth AND mark cloud_storage_google uninstalled post-restore so OpenUpgrade skips it (nothing depends on it; its 18->19 change needs live Google config to exercise). Both halves keep cryptography untouched. Restores both migration gates, which had been red since #103 (per-PR) and longer (enriched, on cloud_storage_google's missing dep then the crypto break).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
After the stock_account end-migration crash is fixed (#102), the migration reaches
cloud_storage_google, which declares thegoogle-authexternal dependency. Install it in both migration workflows.google-auth's runtime deps are cachetools/pyasn1-modules/rsa — it does not pull cryptography, so it won't disturb the runner's pre-installed pyOpenSSL (the caution in the old comment was the wrong diagnosis; the break came from upgrading pyOpenSSL, not from google-auth). The lab image already has google-auth coexisting with the working crypto stack.
Must merge to
ledoentfor the aggregate/enriched migration test to pick it up.auth_ldap's python-ldap (needs apt build libs) is a separate follow-on if it's marked.