Skip to content

Dirty Cargo.lock file reported on package/publish even if in .gitignore #15339

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
DaniPopes opened this issue Mar 21, 2025 · 2 comments · Fixed by #15341
Closed

Dirty Cargo.lock file reported on package/publish even if in .gitignore #15339

DaniPopes opened this issue Mar 21, 2025 · 2 comments · Fixed by #15341
Labels
C-bug Category: bug Command-package Command-publish S-triage Status: This issue is waiting on initial triage.

Comments

@DaniPopes
Copy link

DaniPopes commented Mar 21, 2025
edited
Loading

Problem

Cargo throws an error when trying to publish/package alloy-rs/core on nightly (cargo 1.87.0-nightly (6cf826701 2025-03-14)), while it works fine on stable (1.85).

This breaks our cargo-release workflow, and I don't really understand this error since Cargo.lock is not dirty, is in .gitignore, and also adding it to Cargo.toml package.exclude doesn't help.

Bisected to nightly-2025-03-11 -> rust-lang/rust#138200 -> probably #15276.

Steps

cd /tmp
git clone https://github.com/alloy-rs/core.git alloy-core
# git checkout 5d9b4f22a9091749e87d89058185dd8cf5a03fa2
cd ./alloy-core

args=(package --list)
# No Cargo.lock
cargo +stable "${args[@]}"  # OK
cargo +nightly "${args[@]}" # OK

# Generate Cargo.lock, but still ignored by git
cargo generate-lockfile
cargo +stable "${args[@]}"  # OK
cargo +nightly "${args[@]}" # Fails with:
error: 1 files in the working directory contain changes that were not yet committed into git:

Cargo.lock

to proceed despite this and include the uncommitted changes, pass the `--allow-dirty` flag

Possible Solution(s)

No response

Notes

No response

Version

cargo 1.87.0-nightly (6cf826701 2025-03-14)
@DaniPopes DaniPopes added C-bug Category: bug S-triage Status: This issue is waiting on initial triage. labels Mar 21, 2025
@DaniPopes DaniPopes changed the title Dirty Cargo.lock file on package/publish Dirty Cargo.lock file reported on package/publish even if in .gitignore Mar 21, 2025
@weihanglo
Copy link
Member

weihanglo commented Mar 21, 2025
edited
Loading

Thanks for the report and the reproducible steps!

since Cargo.lock is not dirty, is in .gitignore, and also adding it to Cargo.toml package.exclude doesn't help.

The lock file is not dirty in the sense of calling the plain git status I gueses? However, Cargo checking the VCS status is more like git status --ignored --untracked-files=all

And the lockfile indeed get packaged into your final .crate tarball. It is a behavior you cannot opt-out except using the new --exclude-lockfile. However there is indeed a bug that with --exclude-lockfile is present, cargo pacakge should not check whether lockfile is dirty or not.

@weihanglo
Copy link
Member

There are some nuances.
We check lockfile's VCS status if the lockfile is ouside the current package root. That means a non-workspace Cargo package will not have this VCS check. I don't think it is good that we have diverged behaviors on this. To make the behavior aligned, we have two options:

  • Don't check lockfile's VCS status at all, since we don't do that for non-workspace package.
  • Check also for non-workspace package.

The latter might be risky. People may have already excluded or gitignore'd the lockfile. Changing that means it will start breaking more workflow. Although we've talked about expanding it to checking the entire workspace, I'd rather not do that at this moment. Also, we seemed to settle on checking mainfest but didn't really discuss much about lockfile.

@weihanglo weihanglo mentioned this issue Mar 21, 2025
Merged
github-merge-queue bot pushed a commit that referenced this issue Mar 25, 2025
@epage
fix: revert the behavior checking lockfile's VCS status (#15341)
6890735 
### What does this PR try to resolve?

Fixes #15339

Lockfile might be gitignore'd,
So it never shows up in `git status`.

However, `cargo packag` vcs checks actually performs `git status
--untracked --ignored`.
It is a bit confusing that lockfile is ignored but still counts as dirty
from the report of `cargo package`.

There are some more nuances:
We check lockfile's VCS status if the lockfile is ouside the current
package root. That means a non-workspace Cargo package will not have
this VCS check. I don't think it is good that we have diverged behaviors
Hence this revert.

We can always re-evaluate later,
as we've reserved rooms for doing more dirty checks.

#14967 (comment)

### How should we test and review this PR?

See if the revert is what we want now.
Or we should do a more thorough check for both workspace and
non-workspace cases.

### Additional information

This is a revert of f0907fc from #15276
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
C-bug Category: bug Command-package Command-publish S-triage Status: This issue is waiting on initial triage.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: revert the behavior checking lockfile's VCS status weihanglo/cargo
3 participants
@epage @weihanglo @DaniPopes