Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(forge): pin tags/revs for deps #9522

Open
wants to merge 53 commits into
base: master
Choose a base branch
from
Open

feat(forge): pin tags/revs for deps #9522

wants to merge 53 commits into from

Conversation

yash-atreya
Copy link
Member

@yash-atreya yash-atreya commented Dec 9, 2024
edited
Loading

Motivation

Closes #7225

  • git submodule doesn't have support for pinning to tags/revisions, only branches in .gitmodules
  • This creates unintended behavior in forge when updating deps.
  • Reproduction of unintended behaviour
  1. Install oz with tag forge install OpenZeppelin/[email protected].
  2. git submodule status shows the oz dep checked out at OpenZeppelin/openzeppelin-contracts@69c8def
  3. Run forge update
  4. oz dep is now checked out at the most recent commit of the master branch instead of the commit of the tag.

Solution

Introduce a basic lockfile foundry.lock that consists of a mapping from relative lib_path to DepIdentifier. This file is committed with every forge install.

Every time forge update is run, this file is inferred to correctly check out the dep and maintain tag or rev pinning if specified.

In case we want to override a dep and set a new tag, this can be done like so: forge update owner/dep@new-tag

TODO

  • account for foundry.lock generation the first time.
  • migration tests
  • monorepo test
  • forge remove

@yash-atreya yash-atreya self-assigned this Dec 9, 2024
@yash-atreya yash-atreya marked this pull request as ready for review December 10, 2024 13:22
grandizzy
grandizzy reviewed Dec 11, 2024
View reviewed changes
Copy link
Collaborator

@grandizzy grandizzy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this makes sense overall, 2 scenarios was thinking of

  1. update deps of dependencies
  • forge init and then install specific tag forge install OpenZeppelin/openzeppelin-contracts@tag=v4.9.4. This will result in 2 deps in lib/openzeppelin-contracts/lib:
erc4626-tests
forge-std
  • forge update updates dependencies of Oz dependency, resulting in 3 deps
erc4626-tests
forge-std
halmos-cheatcodes

This probably cannot be fixed even when openzeppelin-contracts contracts will add its own forge-submodule-info.json?

  1. updating dependency to a different version
  • cd in lib/openzeppelin-contracts/ and git checkout v5.0.2
  • forge update silently checks out v4.9.4
  • in order to persist then forge-submodule-info.json should be manually edited and "lib/openzeppelin-contracts":{"Tag":"v4.9.4"} updated to "lib/openzeppelin-contracts":{"Tag":"v5.0.2"}

Maybe on forge update we should print out versions (and should follow up with docs / book update).

@yash-atreya
Copy link
Member Author

yash-atreya commented Dec 11, 2024
edited
Loading

I think this makes sense overall, 2 scenarios was thinking of

  1. update deps of dependencies
  • forge init and then install specific tag forge install OpenZeppelin/openzeppelin-contracts@tag=v4.9.4. This will result in 2 deps in lib/openzeppelin-contracts/lib:
erc4626-tests
forge-std
  • forge update updates dependencies of Oz dependency, resulting in 3 deps
erc4626-tests
forge-std
halmos-cheatcodes

This probably cannot be fixed even when openzeppelin-contracts contracts will add its own forge-submodule-info.json?

  1. updating dependency to a different version
  • cd in lib/openzeppelin-contracts/ and git checkout v5.0.2
  • forge update silently checks out v4.9.4
  • in order to persist then forge-submodule-info.json should be manually edited and "lib/openzeppelin-contracts":{"Tag":"v4.9.4"} updated to "lib/openzeppelin-contracts":{"Tag":"v5.0.2"}

Maybe on forge update we should print out versions (and should follow up with docs / book update).

(1). Yeah, this is because we run git submodule update --remote as before, and checkout to the correct tag/rev after the updates have been downloaded. EDIT: On second thought, we could remove the --remote flag for deps that specify a tag/rev, this should fix it. Now this is as good as not running update for these deps as --remote flag is only intended for modules pinned to a branch.

(2) Deps can be updated along with the values in foundry.lock like so forge update OpenZeppelin/[email protected] no need to manually checkout any lib or edit forge-submodule-info.json

@yash-atreya yash-atreya marked this pull request as draft December 11, 2024 07:47
mattsse
mattsse reviewed Jan 24, 2025
View reviewed changes
Copy link
Member

@mattsse mattsse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how does this relate to soldeer's lock file

what are the additional plans for the lockfile?

crates/forge/bin/cmd/update.rs Outdated Show resolved Hide resolved
crates/forge/bin/cmd/install.rs Outdated Show resolved Hide resolved
@zerosnacks zerosnacks mentioned this pull request Jan 28, 2025
Open
2 tasks
@yash-atreya yash-atreya mentioned this pull request Jan 29, 2025
Merged
@yash-atreya yash-atreya requested a review from mattsse January 30, 2025 12:57
@zerosnacks
Copy link
Member

zerosnacks commented Jan 30, 2025
edited
Loading

When running:

forge init counter (commit)

followed by

forge install openzeppelin/openzeppelin-contracts@tag=v4.9.4 the following error is thrown

Installing openzeppelin-contracts in /home/zerosnacks/Projects/counter/lib/openzeppelin-contracts (url: Some("https://github.com/openzeppelin/openzeppelin-contracts"), tag: Some("v4.9.4"))
Error: The target directory is a part of or on its own an already initialized git repository,
and it requires clean working and staging areas, including no untracked files.

Check the current git repository's status with `git status`.
Then, you can track files with `git add ...` and then commit them with `git commit`,
ignore them in the `.gitignore` file, or run this command again with the `--no-commit` flag.

It looks like the foundry.lock file is being written prior to .gitmodules being created which causes this issue

This also means the foundry.lock is added to the repo whilst the .gitmodules addition reverts causing issues when trying to re-run

Side note: it was never really clear to me why we are creating a commit upon adding a dependency

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DaniPopes DaniPopes Awaiting requested review from DaniPopes DaniPopes is a code owner

@klkvr klkvr Awaiting requested review from klkvr klkvr is a code owner

@grandizzy grandizzy Awaiting requested review from grandizzy grandizzy is a code owner

@zerosnacks zerosnacks Awaiting requested review from zerosnacks zerosnacks is a code owner

@mattsse mattsse Awaiting requested review from mattsse mattsse is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@yash-atreya yash-atreya

Labels
C-forge Command: forge T-feature Type: feature T-likely-breaking Type: requires changes that can be breaking
Projects
Foundry
Status: Ready For Review
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Bug: forge does not add tag information into gitmodules file on install
4 participants
@yash-atreya @zerosnacks @mattsse @grandizzy