Dependency conflict: go.opentelemetry.io version incompatibility with gitlab-runner

Summary

A dependency conflict prevents upgrading gitlab-runner to use step-runner@v0.25.0. The issue stems from incompatible versions of go.opentelemetry.io/otel/sdk.

Problem

When attempting to upgrade step-runner in gitlab-runner:

gitlab-runner % go get gitlab.com/gitlab-org/step-runner@v0.25.0
go: upgraded github.com/spf13/cobra v1.9.1 => v1.10.2
go: upgraded gitlab.com/gitlab-org/step-runner v0.24.0 => v0.25.0

gitlab-runner % go mod tidy
go: finding module for package go.opentelemetry.io/otel/sdk/internal/internaltest
go: gitlab.com/gitlab-org/gitlab-runner/functions/script_legacy imports
	gitlab.com/gitlab-org/step-runner/pkg/runner tested by
	gitlab.com/gitlab-org/step-runner/pkg/runner.test imports
	gitlab.com/gitlab-org/step-runner/pkg/testutil/bldr imports
	github.com/distribution/distribution/v3/registry imports
	github.com/distribution/distribution/v3/tracing imports
	go.opentelemetry.io/contrib/exporters/autoexport imports
	go.opentelemetry.io/otel/sdk/log tested by
	go.opentelemetry.io/otel/sdk/log.test imports
	go.opentelemetry.io/otel/sdk/internal/internaltest: module go.opentelemetry.io/otel/sdk@latest found (v1.39.0), but does not contain package go.opentelemetry.io/otel/sdk/internal/internaltest

Root Cause

  • gitlab-runner requires go.opentelemetry.io/otel/sdk v1.39.0
  • step-runner uses github.com/distribution/distribution/v3 v3.0.0 for starting an OCI registry server in tests (via pkg/testutil/bldr)
  • distribution/v3 has an internal dependency on go.opentelemetry.io v1.32.0
  • The go.opentelemetry.io/otel/sdk library made a non-backwards compatible change between v1.32.0 and v1.39.0, removing or relocating the internal/internaltest package

Impact

This blocks merging step-runner v0.25.0 into gitlab-runner.

Potential Solutions

  1. Upgrade github.com/distribution/distribution/v3 to a newer version that supports go.opentelemetry.io/otel/sdk v1.39.0 (if available)
  2. Find an alternative to distribution/v3 for the OCI registry test server
  3. Isolate the test dependency so it doesn't leak into consumers of step-runner
  4. Wait for upstream fix in distribution/v3 to update their OpenTelemetry dependency