Resolve git refs to git revisions [#1331] (#1337)

* Check that a git dependency resolves to a revision A git dependency should be resolved to a full git revision (SHA-1). When dealing with a git dependency, this is the only way to lock the dependency in-place (because revisions are immutable). * Check that a pinned git dependency resolves to a revision There are three mutually exclusive parameters that can be used to pin a git dependency: `branch`, `tag`, and `rev`. Since they all can be moving targets, they should be resolved to a full git revision (SHA-1) to ensure a proper in-place lock. This change highlights bug #1331 and currently fails. * Make sure a git reference resolves to a revision Do not lock a git dependency to a named reference but to a full git revision instead. This ensures reproducibility and security as git revisions are immutable. Fixes: #1331
python-poetry · Oct 11, 2019 · 72806dd · 72806dd
1 parent 6a99ef2
commit 72806dd
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 3 deletions.
diff --git a/poetry/puzzle/provider.py b/poetry/puzzle/provider.py
@@ -172,9 +172,6 @@ def search_for_vcs(self, dependency):  # type: (VCSDependency) -> List[Package]
             name=dependency.name,
         )
 
-        if dependency.tag or dependency.rev:
-            package.source_reference = dependency.reference
-
         for extra in dependency.extras:
             if extra in package.extras:
                 for dep in package.extras[extra]:

diff --git a/tests/puzzle/test_solver.py b/tests/puzzle/test_solver.py
@@ -928,6 +928,11 @@ def test_solver_can_resolve_git_dependencies(solver, repo, package):
         ],
     )
 
+    op = ops[1]
+
+    assert op.package.source_type == "git"
+    assert op.package.source_reference.startswith("9cf87a2")
+
 
 def test_solver_can_resolve_git_dependencies_with_extras(solver, repo, package):
     pendulum = get_package("pendulum", "2.0.3")
@@ -951,6 +956,37 @@ def test_solver_can_resolve_git_dependencies_with_extras(solver, repo, package):
     )
 
 
+@pytest.mark.parametrize(
+    "ref",
+    [{"branch": "a-branch"}, {"tag": "a-tag"}, {"rev": "9cf8"}],
+    ids=["branch", "tag", "rev"],
+)
+def test_solver_can_resolve_git_dependencies_with_ref(solver, repo, package, ref):
+    pendulum = get_package("pendulum", "2.0.3")
+    cleo = get_package("cleo", "1.0.0")
+    repo.add_package(pendulum)
+    repo.add_package(cleo)
+
+    git_config = {"git": "https://github.com/demo/demo.git"}
+    git_config.update(ref)
+    package.add_dependency("demo", git_config)
+
+    ops = solver.solve()
+
+    check_solver_result(
+        ops,
+        [
+            {"job": "install", "package": pendulum},
+            {"job": "install", "package": get_package("demo", "0.1.2")},
+        ],
+    )
+
+    op = ops[1]
+
+    assert op.package.source_type == "git"
+    assert op.package.source_reference.startswith("9cf87a2")
+
+
 def test_solver_does_not_trigger_conflict_for_python_constraint_if_python_requirement_is_compatible(
     solver, repo, package
 ):