fix: extend GraphQL alias prefix to prevent hash collisions by LuisUrrutia · Pull Request #1134 · semantic-release/github
Summary
- Fixes GraphQL alias collisions in buildAssociatedPRsQuery by extending the commit SHA prefix from 6 to 12 characters
- Resolves CI pipeline failures in repositories with many commits where SHA prefixes can collide
Fixes #1116
Problem
The buildAssociatedPRsQuery function creates GraphQL aliases using only the first 6 characters of commit SHAs:
return `commit${sha.slice(0, 6)}: object(oid: "${sha}") {
When two commits share the same 6-character prefix (e.g., 429fa60a84f7b59f... and 429fa667b462b60b...), both resolve to alias commit429fa6, causing GraphQL to reject the query:
Error: Field 'commit429fa6' has an argument conflict:
{oid:"429fa60a84f7b59f9e4a20bfbea6b0fa977a1e1e"} or {oid:"429fa667b462b60b31769e5268cfbc6835793c14"}
Collision probability increases significantly as repositories grow.
Solution
Extend the SHA prefix from 6 to 12 characters:
| Characters | Unique values | Collision risk |
|---|---|---|
| 6 | ~16.8 million | Likely in large repos |
| 7 | ~268 million | GitHub's standard short SHA |
| 12 | ~281 trillion | Practically impossible |
We chose 12 characters because:
- It provides excellent collision resistance while keeping aliases reasonably short
- It matches the patch the issue author successfully deployed in their repository: https://github.com/ongov/ontario-design-system/pull/140/files
Credits to @smorrisods
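The collision described above can be checked numerically. The following is an added example, not code from this pull request or from semantic-release/github: it estimates the birthday-bound collision chance for a prefix length and finds which aliases collide in a batch of SHAs. The function names, the 10,000-commit figure and the assumption that SHAs behave as uniformly random values are all assumptions made for the illustration.

```javascript
// Added illustration; not code from semantic-release/github.

// Birthday-bound estimate of the chance that at least two of `n` uniformly
// random SHAs share the same `chars`-character hex prefix.
function collisionProbability(n, chars) {
  const space = 16 ** chars;
  // 1 - exp(-n(n-1)/(2*space)); expm1 keeps precision for tiny results.
  return -Math.expm1(-(n * (n - 1)) / (2 * space));
}

// Map each alias that `chars`-character truncation would generate to the
// SHAs claiming it, keeping only aliases claimed by more than one SHA.
function findAliasCollisions(shas, chars) {
  const byAlias = new Map();
  for (const sha of new Set(shas)) {
    const alias = `commit${sha.slice(0, chars)}`;
    byAlias.set(alias, [...(byAlias.get(alias) ?? []), sha]);
  }
  return new Map([...byAlias].filter(([, group]) => group.length > 1));
}

// Smallest prefix length (>= min) giving every distinct SHA its own alias.
// Distinct SHAs of equal length always separate by the full length.
function shortestUniquePrefix(shas, min = 6) {
  if (shas.length === 0) return min;
  const longest = Math.max(...shas.map((sha) => sha.length));
  for (let chars = min; chars < longest; chars++) {
    if (findAliasCollisions(shas, chars).size === 0) return chars;
  }
  return longest;
}

// The first two SHAs are the colliding pair quoted in the error above;
// the third is constructed for this example.
const SAMPLE_SHAS = [
  "429fa60a84f7b59f9e4a20bfbea6b0fa977a1e1e",
  "429fa667b462b60b31769e5268cfbc6835793c14",
  "0123456789abcdef0123456789abcdef01234567",
];

console.log(findAliasCollisions(SAMPLE_SHAS, 6));
console.log(shortestUniquePrefix(SAMPLE_SHAS));
console.log(collisionProbability(10000, 6), collisionProbability(10000, 12));
```

A check like `findAliasCollisions` can also run as a guard before the query is sent, so that a collision fails with a clear message instead of a GraphQL argument-conflict error.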
This looks great @LuisUrrutia.
I wouldn't have ever thought that this would ever occur!
Quick question though, Did you give this a test? 🤔
Cc @smorrisods
> This looks great @LuisUrrutia.
> I wouldn't have ever thought that this would ever occur!
> Quick question though, Did you give this a test? 🤔
> Cc @smorrisods

I also didn’t expect to run into an issue like this.
It’s hard to know how to reliably reproduce an issue like this. However, even without being able to reproduce it, the tool runs normally in a "standard" repository.
Our repository has two cases of SHA collisions at 6 char prefixes. The first collision happened after a few years, the second one happened during a heavy commit phase recently within a few weeks of each other. I was shocked myself because the SHA space is so big it seems highly unlikely to happen within the same release period, but our repo is an example.
I also noticed that @smorrisods had this issue here: https://github.com/ongov/ontario-design-system/actions/runs/19302965551/job/55202972489
but then, in the following release (after including the patch using a 12 chars SHA) it appears to have been resolved: https://github.com/ongov/ontario-design-system/actions/runs/19376674982/job/55446171969
Upon increasing the prefix character length to 12 (and I would have gone longer but I wasn't sure if there was an overall GraphQL rate limit that inspired the original truncation) everything worked as expected in our release, as @LuisUrrutia has surfaced here.
Also, I think the GraphQL specification does not impose a specific character limit on aliases, so we could also use the full hash.
When I looked into the original change the 6 character prefix limit showed up out of nowhere as part of a refactoring from using the REST API to use the GraphQL API. I'm not sure why they didn't choose to go with the full SHA.