Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(package): add --exclude-lockfile flag #15234

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

feat(package): add --exclude-lockfile flag #15234

wants to merge 2 commits into from

Conversation

weihanglo
Copy link
Member

What does this PR try to resolve?

Fixes #15059
Fixes #15159

This provides an escape hatch --exclude-lockfilefor uncommon workflows
that don't verify (--no-verify is passed) the build with their unpublished packages

When --exclude-lockfile is enabled,
cargo package will not verify the lock file if present,
nor will it generate a new one if absent.
Cargo.lock will not be included in the resulting tarball.

Together with --no-verify,
this flag decouples packaging from checking the registry index.
While this is useful for some non-normal workflows that requires
to assemble packages having unpublished dependencies.
It is recommended to use -Zpackage-workspace to package the entire
workspace, instead of opting out lockfile.

How should we test and review this PR?

The first commit was stolen from NoisyCoil@1a104b5 (credit to @NoisyCoil!)

The second added two failing cases we observed in #15059.

Additional information

@rustbot
Copy link
Collaborator

rustbot commented Feb 25, 2025

r? @epage

rustbot has assigned @epage.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

@rustbot rustbot added A-cli Area: Command-line interface, option parsing, etc. A-cli-help Area: built-in command-line help A-documenting-cargo-itself Area: Cargo's documentation A-interacts-with-crates.io Area: interaction with registries Command-package Command-publish S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Feb 25, 2025
@epage
Copy link
Contributor

epage commented Feb 25, 2025

Mind cleaning up the commit history (reorder test first, squash test update), including updating commint message for new flag name?

weihanglo and others added 2 commits February 25, 2025 19:11
@weihanglo
test(package): fail with unpublished cyclic/transitive deps
7bc982b 
After dd698ff,
`cargo package --no-verify` at least fails in three different cases:

* An unpublished package depending on itself as a dev-dependency (cyclic self-referential dev-dependencies).
  * Can be resolved by removing the `version` field from the affected dev-dependency.
  * `-Zpackage-workspace` doesn't help with it.
* Existing `cargo package` has `--package <pkg>` specifying certain unpublished packages.
  * Can be resolved by specifying all unpublished packages in one `cargo` call.
  * `-Zpackage-workspace` also requires all dependency versions available in the target registry when calling, so doesn't help.
* `cargo package --no-verify` has been used as a kind of “plumbing commands” to create tarballs without considering dependency orders. The use cases include:
  * Preparing tarballs for other package managers.
  * Integrating into custom develop workflows for unpublished/internal crates.
  * Constructing custom/private registries.

This commit shows the former two cases.
@NoisyCoil @weihanglo
feat(package): add --exclude-lockfile flag
263f5d2 
When `--exclude-lockfile` is enabled,
`cargo package` will not verify the lock file if present,
nor will it generate a new one if absent.
Cargo.lock will not be included in the resulting tarball.

Together with `--no-verify`,
this flag decouples packaging from checking the registry index.
While this is useful for some non-normal workflows that requires
to assemble packages having unpublished dependencies.
It is recommended to use `-Zpackage-workspace` to package the entire
workspace, instead of opting out lockfile.
@weihanglo
Copy link
Member Author

Mind cleaning up the commit history (reorder test first, squash test update), including updating commint message for new flag name?

Was in a haste leaving the office. Sorry.

weihanglo
weihanglo commented Feb 26, 2025
View reviewed changes
src/doc/man/cargo-package.md
{{#option "`--exclude-lockfile`" }}
Don't include the lock file when packaging.

This flag is not for general use. Always consider packaging with a lockfile.
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if we really want to mention this. People using cargo package usually are already in an unusual workflow.

@NoisyCoil
Copy link

Thanks for stealing, very much appreciated! (Especially the part where I don't have to come up with a better name for the flag ;-))

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@epage epage

Labels
A-cli Area: Command-line interface, option parsing, etc. A-cli-help Area: built-in command-line help A-documenting-cargo-itself Area: Cargo's documentation A-interacts-with-crates.io Area: interaction with registries Command-package Command-publish S-waiting-on-review Status: Awaiting review from the assignee but also interested parties.
Projects
None yet
Milestone
No milestone
4 participants
@weihanglo @rustbot @epage @NoisyCoil