Git audits should check against `merge-base` not `HEAD`

[fxcoudert]

brew doctor output

N/A

Verification

• I ran brew update twice and am still able to reproduce my issue.
• My "brew doctor output" above says Your system is ready to brew or a definitely unrelated Tier message.
• This issue's title and/or description do not reference a single formula e.g. brew install wget. If they do, open an issue at https://github.com/Homebrew/homebrew-core/issues/new/choose instead.

brew config output

HOMEBREW_VERSION: 5.1.1-135-g3a660bd
ORIGIN: https://github.com/Homebrew/brew
HEAD: 3a660bd8293e54bf3c3d7fd990daab46f646f400
Last commit: 60 minutes ago
Branch: main
Core tap HEAD: 5f92f9732ddcb69154047a99df4b9ead2ea25b3b
Core tap last commit: 7 hours ago
Core tap JSON: 28 Mar 04:26 UTC
HOMEBREW_PREFIX: /home/linuxbrew/.linuxbrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_COLOR: set
HOMEBREW_CURL_PATH: /usr/bin/curl
HOMEBREW_DEVELOPER: set
HOMEBREW_DOWNLOAD_CONCURRENCY: 8
HOMEBREW_FAIL_LOG_LINES: 150
HOMEBREW_GITHUB_API_TOKEN: set
HOMEBREW_GIT_EMAIL: 1589480+BrewTestBot@users.noreply.github.com
HOMEBREW_GIT_NAME: BrewTestBot
HOMEBREW_GIT_PATH: /usr/bin/git
HOMEBREW_LOGS: /__w/homebrew-core/homebrew-core/logs
HOMEBREW_MAKE_JOBS: 4
HOMEBREW_NO_AUTO_UPDATE: set
HOMEBREW_NO_COLOR: set
HOMEBREW_NO_EMOJI: set
HOMEBREW_NO_ENV_HINTS: set
HOMEBREW_NO_INSTALLED_DEPENDENTS_CHECK: set
HOMEBREW_NO_INSTALL_FROM_API: set
HOMEBREW_SORBET_RUNTIME: set
Homebrew Ruby: 4.0.2 => /home/linuxbrew/.linuxbrew/Homebrew/Library/Homebrew/vendor/portable-ruby/4.0.2/bin/ruby
CPU: quad-core 64-bit icelake
Clang: N/A
Git: 2.53.0 => /usr/bin/git
Curl: 7.81.0 => /usr/bin/curl
Kernel: Linux 6.17.0-1008-azure x86_64 GNU/Linux
OS: Ubuntu 22.04.5 LTS
Host glibc: 2.35
Host libstdc++: 6.0.30
/usr/bin/gcc-12: 12.3.0
/usr/bin/ruby: N/A
glibc: N/A
gcc@12: N/A
gcc: N/A
xorg: N/A

Description of the issue

Let's consider this CI run: https://github.com/Homebrew/homebrew-core/actions/runs/23668481251/job/68983090369

• gallery-dl had a python resource updated, and its revision bumped
• audit complained: ``revisionincreased but recursive dependencies must increasecompatibility_version` by 1: deno (1 to 2).`

The reason to bump revision of gallery-dl is legitimate, and not linked at all to deno. The audit is wrong. We do not actually want to bump the deno compatibility_version because deno has not changed at all.

[fxcoudert]

Also, in a subsequent commit, a contributor tried to work around the issue by bumping deno's compatibility_version. Then CI passed, while it should have failed by pointing out that other deno's dependents were not bumped, which is the whole point of compatibility_version. Whether this is considered a separate bug or not, I don't know.

[carlocab]

Yea, I think the issue is because the compatibility_version audit compares the PR against HEAD, when it should be comparing the PR against the merge base with HEAD. Comparing against HEAD introduces contemporary changes which confuses the audit. Indeed, you'll see that rebasing the PR tends to make these kinds of false-positives go away, which it did for gallery-dl: Homebrew/homebrew-core#274498

[carlocab]

This is because the audit compares the PR to HEAD, when it should be comparing the PR to its merge base with HEAD.

Comparing with HEAD introduces many extraneous changes that confuses the audit. This is why rebasing tends to make it go away, as it did in Homebrew/homebrew-core#274498.

(Apologies if this is a duplicate comment; GitHub seems to be glitching out for me.)

[MikeMcQuaid]

This is because the audit compares the PR to HEAD, when it should be comparing the PR to its merge base with HEAD.

Yup, this is the bug to be fixed. Note that compatibility_version is not the only case where we make these comparisons inside brew audit so a more general fix is sensible here.