
feat(gitter): tags endpoint #5181

Open
Ly-Joey wants to merge 9 commits into google:master from Ly-Joey:feat-gitter-cve

@Ly-Joey Ly-Joey commented Apr 2, 2026

Add /tags endpoint to gitter to serve CVE conversion.
Given a repo URL, it returns the full list of tags (stripped of the "refs/tag/" prefix) and the associated hash.

Response Codes:
200: If repo has tags
204 (No content): If repo exists but there are no tags
404: Repo not found

Example response:

curl -s "http://localhost:8888/tags?url=https://github.com/oliverchang/osv-test.git" -H "Content-Type: application/json"
{"tags":[{"label":"branch-v0.1.1-with-fix","hash":"ubP9RzJpW4PDBot7ahS7Ny7DH5g="},{"label":"branch_1_cherrypick_regress","hash":"/r+sGUAIa8H209wz/aCh0bozYgk="},{"label":"v0.1","hash":"orqUkpCRXURdNNDo6d4ufOOBmPw="},{"label":"v0.1.1","hash":"sclaGW8i0G/PgN+MZpHNET2P7/8="},{"label":"v0.2","hash":"jYJC9UXpzsPm0NLj9b3ovhxllzU="},{"label":"branch-v0.1.1","hash":"TBVXlUJnJ+oFV1vVkEMh3vI8A/Q="}]}

Note on annotated vs lightweight tags:

When tags are annotated (git tag -a), git will create a separate tag object to contain metadata (tagger, date, etc) with its own hash.
This results in annotated tags effectively resolving to two objects when we do ls-remote or show-ref:

  • ref/tags/tag-name: the tag object
  • ref/tags/tag-name^{}: the peeled commit hash the tag is actually pointing to

Take https://github.com/ossf/scorecard as an example, gitter's response will contain:

{ "label": "v5.4.0", "hash": "FULSTmQUBv/amP3sUMXuB9JHJiY=" } <- Don't use this
{ "label": "v5.4.0^{}", "hash": "gO4+z+34sZq4mRcTqf2y59zXJi4=" } <- Use this

When it's a lightweight tag, the resolved hash is the commit.


TODO for this PR:

  • Find a way to test the ls-remote code path locally.
  • And more tests in general

Some possible improvements I can think of (to be discussed):

  • Populate repository struct with show-ref / ls-remote output
    • This requires some changes to the existing loadRepository function. I also want the separate PR to do some small refactoring (e.g. putting repo struct behind locks)
  • Possibly spin up a background process to pre-load the repo if it is valid

This description might look AI generated, but I actually wrote it myself!

@Ly-Joey Ly-Joey requested a review from jess-lowe April 8, 2026 21:04
@Ly-Joey Ly-Joey marked this pull request as ready for review April 10, 2026 05:09
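
A consumer of the `/tags` response has to pick the peeled `^{}` entry for annotated tags, otherwise it records a tag object id where a commit id is expected. The following is an added example, not code from this PR or from gitter: `ResolveTagCommits` is a hypothetical helper, the sample combines entries quoted in the description above, and it assumes hashes are base64 of 20-byte SHA-1 object ids, as the examples on this page decode to.

```go
package main

import (
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// sample combines entries quoted in the PR description (scorecard v5.4.0, osv-test v0.1).
const sample = `{"tags":[
 {"label":"v5.4.0","hash":"FULSTmQUBv/amP3sUMXuB9JHJiY="},
 {"label":"v5.4.0^{}","hash":"gO4+z+34sZq4mRcTqf2y59zXJi4="},
 {"label":"v0.1","hash":"orqUkpCRXURdNNDo6d4ufOOBmPw="}]}`

type tagsResponse struct {
	Tags []struct {
		Label string `json:"label"`
		Hash  string `json:"hash"` // base64 of the raw object id
	} `json:"tags"`
}

// ResolveTagCommits (hypothetical helper) maps tag name -> hex commit id,
// letting a peeled "name^{}" entry override the tag-object entry "name".
func ResolveTagCommits(body []byte) (map[string]string, error) {
	var resp tagsResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("decode tags response: %w", err)
	}
	commits, peeled := map[string]string{}, map[string]bool{}
	for _, t := range resp.Tags {
		raw, err := base64.StdEncoding.DecodeString(t.Hash)
		if err != nil || len(raw) != 20 { // assumption: SHA-1 repos, 20-byte ids
			return nil, fmt.Errorf("tag %q: invalid hash %q", t.Label, t.Hash)
		}
		name := strings.TrimSuffix(t.Label, "^{}")
		isPeeled := name != t.Label
		if peeled[name] && !isPeeled {
			continue // order-independent: never replace a peeled commit id
		}
		commits[name], peeled[name] = hex.EncodeToString(raw), peeled[name] || isPeeled
	}
	return commits, nil
}

func main() {
	commits, err := ResolveTagCommits([]byte(sample))
	fmt.Println(commits, err)
}
```

Rejecting malformed or wrong-length hashes keeps a truncated or corrupted response from silently producing bogus commit ids downstream.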