Skip to content

feat(dependencies): support pinning of tags / revs when using .gitmodules with foundry.lock #9522

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 74 commits into
base: master
Choose a base branch
from
Open

feat(dependencies): support pinning of tags / revs when using .gitmodules with foundry.lock #9522

wants to merge 74 commits into from

Conversation

yash-atreya
Copy link
Member

@yash-atreya yash-atreya commented Dec 9, 2024
edited
Loading

Motivation

Closes #7225

  • git submodule doesn't have support for pinning to tags/revisions, only branches in .gitmodules
  • This creates unintended behavior in forge when updating deps.
  • Reproduction of unintended behaviour
  1. Install oz with tag forge install OpenZeppelin/[email protected].
  2. git submodule status shows the oz dep checked out at OpenZeppelin/openzeppelin-contracts@69c8def
  3. Run forge update
  4. oz dep is now checked out at the most recent commit of the master branch instead of the commit of the tag.

Solution

Introduce a basic lockfile foundry.lock that consists of a mapping from relative lib_path to DepIdentifier.

Every time forge update is run, this file is inferred to correctly check out the dep and maintain tag or rev pinning if specified.

In case we want to override a dep and set a new tag, this can be done like so: forge update owner/dep@new-tag

TODO

  • account for foundry.lock generation the first time.
  • migration tests
  • monorepo test
  • forge remove

@yash-atreya yash-atreya self-assigned this Dec 9, 2024
@yash-atreya yash-atreya marked this pull request as ready for review December 10, 2024 13:22
grandizzy
grandizzy reviewed Dec 11, 2024
View reviewed changes
Copy link
Collaborator

@grandizzy grandizzy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this makes sense overall, 2 scenarios was thinking of

  1. update deps of dependencies
  • forge init and then install specific tag forge install OpenZeppelin/openzeppelin-contracts@tag=v4.9.4. This will result in 2 deps in lib/openzeppelin-contracts/lib:
erc4626-tests
forge-std
  • forge update updates dependencies of Oz dependency, resulting in 3 deps
erc4626-tests
forge-std
halmos-cheatcodes

This probably cannot be fixed even when openzeppelin-contracts contracts will add its own forge-submodule-info.json?

  1. updating dependency to a different version
  • cd in lib/openzeppelin-contracts/ and git checkout v5.0.2
  • forge update silently checks out v4.9.4
  • in order to persist then forge-submodule-info.json should be manually edited and "lib/openzeppelin-contracts":{"Tag":"v4.9.4"} updated to "lib/openzeppelin-contracts":{"Tag":"v5.0.2"}

Maybe on forge update we should print out versions (and should follow up with docs / book update).

@yash-atreya
Copy link
Member Author

yash-atreya commented Dec 11, 2024
edited
Loading

I think this makes sense overall, 2 scenarios was thinking of

  1. update deps of dependencies
  • forge init and then install specific tag forge install OpenZeppelin/openzeppelin-contracts@tag=v4.9.4. This will result in 2 deps in lib/openzeppelin-contracts/lib:
erc4626-tests
forge-std
  • forge update updates dependencies of Oz dependency, resulting in 3 deps
erc4626-tests
forge-std
halmos-cheatcodes

This probably cannot be fixed even when openzeppelin-contracts contracts will add its own forge-submodule-info.json?

  1. updating dependency to a different version
  • cd in lib/openzeppelin-contracts/ and git checkout v5.0.2
  • forge update silently checks out v4.9.4
  • in order to persist then forge-submodule-info.json should be manually edited and "lib/openzeppelin-contracts":{"Tag":"v4.9.4"} updated to "lib/openzeppelin-contracts":{"Tag":"v5.0.2"}

Maybe on forge update we should print out versions (and should follow up with docs / book update).

(1). Yeah, this is because we run git submodule update --remote as before, and checkout to the correct tag/rev after the updates have been downloaded. EDIT: On second thought, we could remove the --remote flag for deps that specify a tag/rev, this should fix it. Now this is as good as not running update for these deps as --remote flag is only intended for modules pinned to a branch.

(2) Deps can be updated along with the values in foundry.lock like so forge update OpenZeppelin/[email protected] no need to manually checkout any lib or edit forge-submodule-info.json

@yash-atreya yash-atreya marked this pull request as draft December 11, 2024 07:47
zerosnacks
zerosnacks reviewed Dec 11, 2024
View reviewed changes
@zerosnacks zerosnacks self-requested a review February 28, 2025 14:51
zerosnacks
zerosnacks reviewed Feb 28, 2025
View reviewed changes
Copy link
Member

@zerosnacks zerosnacks left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some minor nits, implementation and tests I performed all look good

Updated the title

@zerosnacks zerosnacks changed the title feat(dependencies): support pinning of tags / revs with .gitmodules feat(dependencies): support pinning of tags / revs when using .gitmodules using foundry.lock Feb 28, 2025
@zerosnacks zerosnacks changed the title feat(dependencies): support pinning of tags / revs when using .gitmodules using foundry.lock feat(dependencies): support pinning of tags / revs when using .gitmodules with foundry.lock Feb 28, 2025
@yash-atreya yash-atreya mentioned this pull request Apr 8, 2025
Merged
@yash-atreya
Copy link
Member Author

Would be great if this PR was accompanied by an update to the book to document the forge update owner/dep@new-tag behavior as it will be a common question

@grandizzy @zerosnacks

Related book PR: foundry-rs/book#1494

@zerosnacks zerosnacks self-requested a review April 8, 2025 15:21
grandizzy
grandizzy reviewed Apr 10, 2025
View reviewed changes
Copy link
Collaborator

@grandizzy grandizzy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

left some preliminary comments, could be I am missing some context so looking more into. thanks!

crates/forge/src/lockfile.rs Outdated
}

// Find out if rev has a tag associated with it.
let maybe_tag =
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this a safe assumption? git.tag_for_commit returns the first tag the commit was included, but that doesn't necessarily mean that tag was done at specified rev? e.g. if abc1234 rev included in v0.1.0 but v0.1.0 tagged at subsequent rev xyz1234 wouldn't then the identified tag point to xyz1234 rev? (and wrongly add dep as DepIdentifier::Tag instead DepIdentifier::Rev)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, this has always been an unsafe assumption. Initially, I started with getting the latest tag for a commit, which is not right, and it can pull a bunch of changes from the lib that the user did not intend.

Defered to getting the earliest tag for a commit, so that the changes (if any) pulled are minimal.

But it is surely a footgun, resolved this by always pinning to a rev in 98223b0

@jenpaff jenpaff modified the milestones: v1.1.0, v1.2.0 Apr 15, 2025
@grandizzy grandizzy self-requested a review April 22, 2025 12:19
grandizzy
grandizzy previously approved these changes Apr 28, 2025
View reviewed changes
Copy link
Collaborator

@grandizzy grandizzy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm. @zerosnacks do you want to have another look since things changed?

@jenpaff jenpaff modified the milestones: v1.2.0, v1.3.0 May 5, 2025
@zerosnacks zerosnacks mentioned this pull request May 26, 2025
Open
2 tasks
@yash-atreya
Copy link
Member Author

@zerosnacks conflicts resolved, rfr

@zerosnacks zerosnacks requested a review from grandizzy May 28, 2025 15:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@klkvr klkvr Awaiting requested review from klkvr klkvr is a code owner

@mattsse mattsse Awaiting requested review from mattsse mattsse is a code owner

@DaniPopes DaniPopes Awaiting requested review from DaniPopes DaniPopes is a code owner

@zerosnacks zerosnacks Awaiting requested review from zerosnacks zerosnacks is a code owner

@grandizzy grandizzy Awaiting requested review from grandizzy grandizzy is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@yash-atreya yash-atreya

Labels
C-forge Command: forge T-feature Type: feature T-likely-breaking Type: requires changes that can be breaking
Projects
Foundry
Status: Ready For Review
Milestone
v1.3.0
Development

Successfully merging this pull request may close these issues.

Bug: forge does not add tag information into gitmodules file on install
6 participants
@yash-atreya @zerosnacks @mattsse @grandizzy @DaniPopes @jenpaff