-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(forge
): pin tags/revs for deps
#9522
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this makes sense overall, 2 scenarios was thinking of
- update deps of dependencies
forge init
and then install specific tagforge install OpenZeppelin/openzeppelin-contracts@tag=v4.9.4
. This will result in 2 deps inlib/openzeppelin-contracts/lib
:
erc4626-tests
forge-std
forge update
updates dependencies of Oz dependency, resulting in 3 deps
erc4626-tests
forge-std
halmos-cheatcodes
This probably cannot be fixed even when openzeppelin-contracts
contracts will add its own forge-submodule-info.json
?
- updating dependency to a different version
- cd in
lib/openzeppelin-contracts/
andgit checkout v5.0.2
forge update
silently checks outv4.9.4
- in order to persist then
forge-submodule-info.json
should be manually edited and"lib/openzeppelin-contracts":{"Tag":"v4.9.4"}
updated to"lib/openzeppelin-contracts":{"Tag":"v5.0.2"}
Maybe on forge update
we should print out versions (and should follow up with docs / book update).
(1). Yeah, this is because we run (2) Deps can be updated along with the values in |
forge
): pin tags/revs for depsforge
): pin tags/revs for deps
forge
): pin tags/revs for depsforge
): pin tags/revs for deps
forge
): pin tags/revs for depsforge
): pin tags/revs for deps
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how does this relate to soldeer's lock file
what are the additional plans for the lockfile?
}) | ||
.collect::<Vec<_>>(); | ||
|
||
match (paths.is_empty(), paths_to_avoid.is_empty()) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is a bit hard to read imo
pub fn read_or_generate_foundry_lock( | ||
path: &Path, | ||
git: Option<&Git<'_>>, | ||
) -> Result<(HashMap<PathBuf, TagType>, bool)> { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this return type isn't great.
if we consider implementting something like a lockfile, then there should be a dedicated for that, because rn it seems we have lockfile logic in the command, and I feel we'd need to refactor this again in the future
Motivation
Closes #7225
git submodule
doesn't have support for pinning to tags/revisions, onlybranches
in.gitmodules
forge
when updating deps.forge install OpenZeppelin/[email protected]
.git submodule status
shows the oz dep checked out at OpenZeppelin/openzeppelin-contracts@69c8defforge update
Solution
Introduce a basic lockfile
foundry.lock
that consists of a mapping from relativelib_path
toTagType
. This file is committed with everyforge install
.Every time
forge update
is run, this file is inferred to correctly check out the dep and maintaintag
orrev
pinning if specified.In case we want to override a dep and set a new tag, this can be done like so:
forge update owner/dep@new-tag
TODO
foundry.lock
generation the first time.