Override Cargo.lock checksums when doing a dry-run publish #15711

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jun 30, 2025

Conversation

jneem (Contributor) commented Jun 27, 2025

Fixes #15647.

When dry-run publishing a workspace without bumping versions first, the package-verification step would fail because it would see checksum mismatches between the old lock file (that saw index deps) and the new lock file, where those index deps got replaced by local packages with the same version.

In this PR, the packaging step modifies the old lock file's checksums before re-resolving, but only in dry-run mode.
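A sketch of the mismatch and the dry-run override described above, written as an added example that is not Cargo's own code: the lock-file model, the line-oriented parser, and the sample lock contents (package `b` with constructed checksums 1111 and 2222) are assumptions made here for illustration.

```rust
use std::collections::HashMap;

/// Minimal model of one `[[package]]` table in a Cargo.lock (hypothetical, not Cargo's own types).
#[derive(Debug, Clone, PartialEq)]
pub struct LockedPackage { pub name: String, pub version: String, pub checksum: Option<String> }

/// Line-oriented parse of the `[[package]]` tables only; `source`/`dependencies` lines are ignored.
pub fn parse_lock(text: &str) -> Vec<LockedPackage> {
    let mut pkgs: Vec<LockedPackage> = Vec::new();
    for line in text.lines().map(str::trim) {
        if line == "[[package]]" {
            pkgs.push(LockedPackage { name: String::new(), version: String::new(), checksum: None });
        } else if let (Some(p), Some((k, v))) = (pkgs.last_mut(), line.split_once(" = ")) {
            let v = v.trim_matches('"').to_string();
            match k { "name" => p.name = v, "version" => p.version = v, "checksum" => p.checksum = Some(v), _ => {} }
        }
    }
    pkgs
}

/// `name@version` is the identity the lock keys on, so a same-version local package collides with an index dep.
fn key(p: &LockedPackage) -> (String, String) { (p.name.clone(), p.version.clone()) }

/// The verification step that failed before the fix: packages whose locked checksum differs from
/// what re-resolution now sees for the same name@version (an index dep replaced by a local `.crate`).
pub fn checksum_mismatches(old: &[LockedPackage], new: &[LockedPackage]) -> Vec<String> {
    let seen: HashMap<_, _> = new.iter().map(|p| (key(p), &p.checksum)).collect();
    old.iter()
        .filter(|p| seen.get(&key(p)).map_or(false, |c| **c != p.checksum))
        .map(|p| p.name.clone())
        .collect()
}

/// Dry-run override: before re-resolving, rewrite the old lock's checksum for every package that is
/// also a local workspace member of the same version, using the digest of the freshly packaged `.crate`.
pub fn override_checksums(old: &[LockedPackage], local: &HashMap<(String, String), String>) -> Vec<LockedPackage> {
    old.iter().cloned().map(|mut p| {
        if let Some(sum) = local.get(&key(&p)) { p.checksum = Some(sum.clone()); }
        p
    }).collect()
}

/// Constructed sample: `b` was locked from the index (checksum 1111), but the dry run packages it
/// locally and re-resolution now sees a `.crate` with checksum 2222; `serde` is untouched.
pub const OLD_LOCK: &str = "[[package]]\nname = \"b\"\nversion = \"0.1.0\"\nchecksum = \"1111\"\n\n[[package]]\nname = \"serde\"\nversion = \"1.0.0\"\nchecksum = \"aaaa\"\n";
pub const NEW_LOCK: &str = "[[package]]\nname = \"b\"\nversion = \"0.1.0\"\nchecksum = \"2222\"\n\n[[package]]\nname = \"serde\"\nversion = \"1.0.0\"\nchecksum = \"aaaa\"\n";

/// Returns (mismatches before the override, mismatches after it).
pub fn demo() -> (Vec<String>, Vec<String>) {
    let (old, new) = (parse_lock(OLD_LOCK), parse_lock(NEW_LOCK));
    let local = HashMap::from([(("b".to_string(), "0.1.0".to_string()), "2222".to_string())]);
    (checksum_mismatches(&old, &new), checksum_mismatches(&override_checksums(&old, &local), &new))
}
fn main() { println!("{:?}", demo()); } // prints (["b"], [])
```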

rustbot (Collaborator) commented Jun 27, 2025

r? @ehuss

rustbot has assigned @ehuss.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

@rustbot rustbot added A-cli Area: Command-line interface, option parsing, etc. A-dependency-resolution Area: dependency resolution and the resolver A-interacts-with-crates.io Area: interaction with registries Command-package Command-publish S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Jun 27, 2025
@epage epage changed the title Adds a dry-run packaging mode that fiddles with checksums Override Cargo.lock checksums when doing a dry-run publish Jun 27, 2025
epage (Contributor) commented Jun 27, 2025

Thanks for taking care of this!

ehuss (Contributor) commented Jun 28, 2025

@epage Just checking, it looks like this was approved, but not added to merge queue. Just checking whether that was intentional?

@epage epage added this pull request to the merge queue Jun 30, 2025
epage (Contributor) commented Jun 30, 2025

Weird, thanks for noticing!

@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jun 30, 2025
@epage epage added this pull request to the merge queue Jun 30, 2025
Merged via the queue into rust-lang:master with commit f013ef5 Jun 30, 2025
24 checks passed
github-merge-queue bot pushed a commit that referenced this pull request Jul 7, 2025
### What does this PR try to resolve?

A user will now be able to use flags like `--workspace` with `cargo
publish`.
`cargo package` will now also work with those flags without having to
pass `--no-verify --exclude-lockfile`.

Many release tools have come out that solve this problem. They will
still need a lot of the logic that went into that for other parts of the
release process.
However, a cargo-native solution allows for:
- Verification during dry-run
- Better strategies for waiting for the publish timeout

`cargo publish` is non-atomic at this time.
If there is a server side error, network error, or rate limit during the
publish, the workspace will be left in a partially published state.
Verification is done before any publishing so that won't affect things.
There are multiple strategies we can employ for improving this over
time, including
- atomic publish
- `--idempotent` (#13397)
- leave this to release tools to manage

This includes support for `--dry-run` verification. As release tools
didn't have a way to do this before, users may be surprised at how slow
this is because a `cargo build` is done instead of a `cargo check`. This
is being tracked in #14941.

This adds to `cargo package` the `--registry` and `--index` flags to
help with resolving dependencies when depending on a package being
packaged at that moment.
These flags are only needed when a `cargo package --workspace` operation
would have failed before due to inability to find a locally created
dependency.

Regarding the publish timeout, `cargo publish --workspace` publishes
packages in batches and we only timeout if nothing in the batch has
finished being published within the timeout, deferring the rest to the
next wait-for-publish. So for example, if you have packages `a`, `b`,
`c` then we'll wait up to 60 seconds and if only `a` and `b` were ready
in that time, we'll then wait another 60 seconds for `c`.

During testing, users ran into issues with `.crate` checksums:
- ~~#15647~~ Fixed for `cargo publish --dry-run` in #15711
  - But `cargo package` still has the problem
- #14396 (not been able to reproduce)
- #15622 (reproducible with consecutive `cargo publish` calls)

Fixes #1169
Fixes #10948

### How to test and review this PR?

By stabilizing this, Cargo's behavior becomes dependent on an overlay
registry.
When generating a lockfile or verifying a package, we overlay the
locally generated `.crate` files on top of the registry so the registry
appears as it would and everything works.
If there is a conflict with a version, the local version wins which is
important for the dry-run mode of release tools as they won't have
bumped the version yet.
Our concern for the overlay registry is dependency confusion attacks.
Considering this is not accessible for general user operations, this
should be fine.
bors added a commit to rust-lang/rust that referenced this pull request Jul 12, 2025
Update cargo

14 commits in 930b4f62cfcd1f0eabdb30a56d91bf6844b739bf..eabb4cd923deb73e714f7ad3f5234d68ca284dbe
2025-06-28 14:58:43 +0000 to 2025-07-09 22:07:55 +0000
- feat: Implementation and tests for `multiple-build-scripts` (rust-lang/cargo#15704)
- perf: Speed up TOML parsing by upgrading toml (rust-lang/cargo#15736)
- Mark cachelock tests that rely on interprocess blocking behaviour as unsupported on AIX. (rust-lang/cargo#15734)
- feat(publish): Stabilize multi-package publishing (rust-lang/cargo#15636)
- Update to Rust 2024 (rust-lang/cargo#15732)
- Clarify package ID specifications in SBOMs are fully qualified (rust-lang/cargo#15731)
- chore(deps): update cargo-semver-checks to v0.42.0 (rust-lang/cargo#15730)
- test: Switch config tests to use snapshots (rust-lang/cargo#15729)
- implement package feature unification (rust-lang/cargo#15684)
- chore: Upgrade dependencies (rust-lang/cargo#15722)
- Report valid file name when we can't find a build target for `name = "foo.rs"` (rust-lang/cargo#15707)
- chore(release): Publish build-rs on release (rust-lang/cargo#15708)
- Override `Cargo.lock` checksums when doing a dry-run `publish` (rust-lang/cargo#15711)
- test(rustfix): Update for nightly (rust-lang/cargo#15717)

r? ghost
@rustbot rustbot added this to the 1.90.0 milestone Jul 12, 2025
Successfully merging this pull request may close these issues.

cargo publish --dry-run -Zpackage-workspace reports the checksum has changed