Increase and enforce GitHub API release fetching quotas

[HonkingGoose]

Describe the bug

I don't see a changelog after clicking on a legacy style URL to Octoclairvoyant.

Give the steps to reproduce

1. Click on this link https://octoclairvoyant.vercel.app/comparator?repo=renovatebot%2Frenovate&to=24.22.3&from=23.95.0
2. No changelog

What browsers are you seeing the problem on?

Bug is not about browser

Have you thought of a possible solution?

No

If you have thought of a solution, please tell us about it!

No response

Do you want to help fix the bug?

No

Is there anything else we need to know?

Maybe the version range is too big, and Octoclairvoyant craches or exceeds some GitHub API limit?

Or old style link not properly converted to new comparator slug?

I got the link from @Belco90 themselves, so I assume the link was good at the time it was posted. 😉

Source of link: renovatebot/renovate#8177 (comment)

[Belco90]

This is an interesting bug, let me explain what's happening.

Since most of the repos I tend to check when I built the web app had just a bunch of releases, I'm doing max of 10 requests, with 100 releases per request, which gives us a total of 1,000 releases. You can see the code for this behavior here: https://github.com/octoclairvoyant/octoclairvoyant-webapp/blob/main/src/queries/release.tsx

However, Renobate bot has thousands of releases! So basically what's happening is that the desired From release is out of the first 1,000 releases at this point. You can see this by scrolling to the very bottom of the releases select:

So we need to update the login within that query so it keeps asking for more releases if after those 10 iterations both of them are not available yet.

[HonkingGoose]

Thanks you for the explanation. So the problem is with the GitHub requests limit, not with the URL. 😄

What if users spam our site with queries like from 1.0.0 to 31.84.1 in order to fetch 5000+ releases, plus heavy computation load to cobble it all together? At some point we should ask our users to use their own GitHub API quota instead of ours. 😉

We should test that:

• The bug is fixed
• We enforce reasonable API limits for "free queries"
• Show modal once user reaches limits, or does one very large query

What do you think?

[Belco90]

What if users spam our site with queries like from 1.0.0 to 31.84.1 in order to fetch 5000+ releases, plus heavy computation load to cobble it all together?

• In terms of computation, the browser would suffer a bit since this is done in the client for now. This should be improved by Process releases in the server #691 since the computation would be done in the server.
• In terms of requests, we already have an issue with unauthenticated users (which limit is 60 requests per hour IIRC). For authenticated I believe it's 5k per hour, so it shouldn't be an issue. Let's say someone wants to compare the whole Renovate releases range, which right now is ~5500 releases. This would imply doing 550 requests: still far from the limit per hour.

At some point we should ask our users to use their own GitHub API quota instead of ours. 😉

• We should ask the users to authenticate with GitHub indeed, that will happen in Only show auth box/modal after exceeding quota #145
• If they don't authenticate themselves, they are not using our quota but unauthenticated quota, which is way lower. So when we get the "quota limit reached modal" in place, users would be encouraged to authenticate with GitHub

We should test that:

• The bug is fixed
• We enforce reasonable API limits for "free queries"
• Show modal once user reaches limits, or does one very large query

• That can be addressed in this ticket just by doing more requests if the from and to versions are not available yet
• That will be addressed in Process releases in the server #691
• It would be nice to show the auth with GitHub modal if they want to do a huge query, but we don't know how many releases are between from and to selected. I'd just rely on the auth modal when is done.

[Belco90]

I'm working on fixing this issue, and I discovered something else:

If you didn't authorize GitHub (i.e. unauth user) then GitHub doesn't allow us to fetch more than 1k releases. I got the issue fixed, but I'm getting this error when trying to fetch page 11: HTTP 422 "Only the first 1000 results are available.". We will have to show a new error for this specific case.

For auth users is working fine, but it needs to fetch more than 50 pages in order to show the changelog for the case mentioned in this issue!

[HonkingGoose]

If you didn't authorize GitHub (i.e. unauth user) then GitHub doesn't allow us to fetch more than 1k releases. I got the issue fixed, but I'm getting this error when trying to fetch page 11: HTTP 422 "Only the first 1000 results are available.". We will have to show a new error for this specific case.

Do you want a new issue to track the new error, or will you fix this in PR #767 as well?

[Belco90]

I'll try to address it here, at least with some temporary notification, then we can create a different issue to handle errors properly (together with the login modal). What do you think?

[HonkingGoose]

Sounds good to me! We should show the error to the user, we can make it look pretty later. 😉