[CI] test-migration: resolve google-auth / cloud_storage_google conflict (restore both migration gates)#106
Merged
Conversation
dnplkndll
force-pushed
the
19.0-fix-ci-cryptography-pin
branch
from
f729e23 to
8ca3a0a
Compare
dnplkndll
changed the title
dnplkndll
force-pushed
the
19.0-fix-ci-cryptography-pin
branch
from
8ca3a0a to
4fb6da9
Compare
dnplkndll
changed the title
…onflict google-auth requires cryptography>=38, which evicts Odoo's pinned cryptography==3.4.8 and desyncs the matched pyopenssl==21.0.0 / urllib3 1.26 stack (X509_V_FLAG_NOTIFY_POLICY and hazmat.backends.openssl.x509 are gone in modern cryptography) → import OpenSSL fails, base won't load, every migration run dies before a script executes. #103 added google-auth on 2026-06-03 and silently broke this. The only thing that needs google-auth is cloud_storage_google, whose 19.0 manifest declares it as an external dependency (18.0 didn't). It's only in the enriched seed. - Per-PR (test-migration.yml): drop google-auth — the OCA seed has no google-auth-dependent module, so this restores Odoo 18's matched crypto stack and greens the per-PR test. - Enriched (test-migration-enriched.yml): drop google-auth AND mark cloud_storage_google uninstalled post-restore so OpenUpgrade skips it (nothing depends on it; its 18->19 change needs live Google config to exercise). Both halves keep cryptography untouched. Restores both migration gates, which had been red since #103 (per-PR) and longer (enriched, on cloud_storage_google's missing dep then the crypto break).
dnplkndll
changed the title
dnplkndll
force-pushed
the
19.0-fix-ci-cryptography-pin
branch
from
4fb6da9 to
c78b97a
Compare
dnplkndll
added a commit
that referenced
this pull request
Jun 11, 2026
…odel event.stage isn't in the registry during event's pre-migration (KeyError caught by the enriched gate's first post-#106 run); resolve the stage ids from ir_model_data and delete the remapped stage + its imd row in SQL.
dnplkndll
added a commit
that referenced
this pull request
Jun 12, 2026
… PG lock limit (#109) - the OCA 18.0 seed also carries cloud_storage_google: button_upgrade refuses on the missing google-auth external dep (same class #106 fixed for the enriched seed). - the enriched migration now runs to completion and dies only in the final _process_end unlink sweep: out of shared memory at the default max_locks_per_transaction=64; raise to 1024 and restart the service.
dnplkndll
added a commit
that referenced
this pull request
Jun 14, 2026
…odel event.stage isn't in the registry during event's pre-migration (KeyError caught by the enriched gate's first post-#106 run); resolve the stage ids from ir_model_data and delete the remapped stage + its imd row in SQL.
dnplkndll
added a commit
that referenced
this pull request
Jun 14, 2026
…onflict (#106) google-auth requires cryptography>=38, which evicts Odoo's pinned cryptography==3.4.8 and desyncs the matched pyopenssl==21.0.0 / urllib3 1.26 stack (X509_V_FLAG_NOTIFY_POLICY and hazmat.backends.openssl.x509 are gone in modern cryptography) → import OpenSSL fails, base won't load, every migration run dies before a script executes. #103 added google-auth on 2026-06-03 and silently broke this. The only thing that needs google-auth is cloud_storage_google, whose 19.0 manifest declares it as an external dependency (18.0 didn't). It's only in the enriched seed. - Per-PR (test-migration.yml): drop google-auth — the OCA seed has no google-auth-dependent module, so this restores Odoo 18's matched crypto stack and greens the per-PR test. - Enriched (test-migration-enriched.yml): drop google-auth AND mark cloud_storage_google uninstalled post-restore so OpenUpgrade skips it (nothing depends on it; its 18->19 change needs live Google config to exercise). Both halves keep cryptography untouched. Restores both migration gates, which had been red since #103 (per-PR) and longer (enriched, on cloud_storage_google's missing dep then the crypto break).
dnplkndll
added a commit
that referenced
this pull request
Jun 14, 2026
… PG lock limit (#109) - the OCA 18.0 seed also carries cloud_storage_google: button_upgrade refuses on the missing google-auth external dep (same class #106 fixed for the enriched seed). - the enriched migration now runs to completion and dies only in the final _process_end unlink sweep: out of shared memory at the default max_locks_per_transaction=64; raise to 1024 and restart the service.
dnplkndll
added a commit
that referenced
this pull request
Jun 16, 2026
…odel event.stage isn't in the registry during event's pre-migration (KeyError caught by the enriched gate's first post-#106 run); resolve the stage ids from ir_model_data and delete the remapped stage + its imd row in SQL.
dnplkndll
added a commit
that referenced
this pull request
Jun 17, 2026
…odel event.stage isn't in the registry during event's pre-migration (KeyError caught by the enriched gate's first post-#106 run); resolve the stage ids from ir_model_data and delete the remapped stage + its imd row in SQL.
dnplkndll
added a commit
that referenced
this pull request
Jun 19, 2026
…odel event.stage isn't in the registry during event's pre-migration (KeyError caught by the enriched gate's first post-#106 run); resolve the stage ids from ir_model_data and delete the remapped stage + its imd row in SQL.
dnplkndll
added a commit
that referenced
this pull request
Jun 19, 2026
…onflict (#106) google-auth requires cryptography>=38, which evicts Odoo's pinned cryptography==3.4.8 and desyncs the matched pyopenssl==21.0.0 / urllib3 1.26 stack (X509_V_FLAG_NOTIFY_POLICY and hazmat.backends.openssl.x509 are gone in modern cryptography) → import OpenSSL fails, base won't load, every migration run dies before a script executes. #103 added google-auth on 2026-06-03 and silently broke this. The only thing that needs google-auth is cloud_storage_google, whose 19.0 manifest declares it as an external dependency (18.0 didn't). It's only in the enriched seed. - Per-PR (test-migration.yml): drop google-auth — the OCA seed has no google-auth-dependent module, so this restores Odoo 18's matched crypto stack and greens the per-PR test. - Enriched (test-migration-enriched.yml): drop google-auth AND mark cloud_storage_google uninstalled post-restore so OpenUpgrade skips it (nothing depends on it; its 18->19 change needs live Google config to exercise). Both halves keep cryptography untouched. Restores both migration gates, which had been red since #103 (per-PR) and longer (enriched, on cloud_storage_google's missing dep then the crypto break).
dnplkndll
added a commit
that referenced
this pull request
Jun 19, 2026
… PG lock limit (#109) - the OCA 18.0 seed also carries cloud_storage_google: button_upgrade refuses on the missing google-auth external dep (same class #106 fixed for the enriched seed). - the enriched migration now runs to completion and dies only in the final _process_end unlink sweep: out of shared memory at the default max_locks_per_transaction=64; raise to 1024 and restart the service.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The break
Since #103 added
google-auth(2026-06-03), every migrationtestdies before any script runs:Root cause (catch-22)
google-authhard-requirescryptography>=38. Installing it evicts Odoo's pinnedcryptography==3.4.8→ cryptography 48, desyncing the matched pyopenssl 21.0.0 / urllib3 1.26 stack (pyopenssl 21 needsX509_V_FLAG_NOTIFY_POLICY; urllib3 1.26'scontrib.pyopensslneedshazmat.backends.openssl.x509— both removed in modern cryptography).import OpenSSLfails →basewon't load.cloud_storage_googlehard-requires it (pre-[CI] test-migration: install google-auth for cloud_storage_google/google_gmail #103 the enriched run failed withMissingDependency: google-auth). So we're stuck: cloud_storage_google needs google-auth; google-auth's cryptography breaks Odoo 18.Fix
Drop google-auth (revert to
pip install geoip2), restoring Odoo 18's matched crypto stack so base loads. The per-PR OCA seed has no google-auth-dependent module, so this greens the per-PRtest(and #105).Follow-up (separate)
The enriched seed's
cloud_storage_google/google_gmailstill need google-auth installed against a cryptography compatible with Odoo 18's urllib3/pyopenssl — a runner-fragile version triple (cryptography 41.x + pyopenssl 24 + cffi<2), or drop those modules from the enriched seed. The enriched gate has in fact been red this whole window (cloud_storage_google, then crypto); restoring it is its own task and shouldn't block the per-PR migration test.