
Conversation

@silvekkk
Contributor

Warns when git revision in soldeer.lock differs from actual dependency revision.

Closes #12357

Not sure if I should add a test here, let me know if needed.

@grandizzy
Collaborator

@silvekkk I think that could work too (cc @mario-eth) but the original ticket was meant for foundry.lock and deps installed with forge install and updated with forge update

@grandizzy
Collaborator

Updated ticket name to reflect that. Thank you!

@mario-eth
Contributor

cc @beeb

@beeb
Contributor

beeb commented Oct 29, 2025

Ideally, this check would be more thorough and do the same consistency check we do in soldeer install (hashing all the files in the dependencies). It would be best if it reused the logic and types from soldeer_core too.

@silvekkk
Contributor Author

  • Add SHA256 checksum verification for dependencies
  • Check both checksum and git revision
  • Provide clear warnings for integrity failures
  • Follow soldeer's verification approach

Is this what you had in mind? @beeb cc @grandizzy @mario-eth
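The consistency check beeb describes above (hash every file in the dependency folder and compare the result with what the lockfile recorded at install time, alongside the git revision check from the PR description) is illustrated by the following added example. It is not soldeer's or forge's code and does not use the soldeer_core API or the real foundry.lock/soldeer.lock format; the lockfile entries, the dependency tree and the `actual_revs` map (the revision the caller has already read from each checkout) are constructed here for the demonstration. It is written in Python rather than Rust so it runs with the standard library alone.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_dependency_dir(root: Path) -> str:
    """Deterministic SHA-256 over every regular file under root.

    Files are visited in sorted relative-path order and each one is fed as
    <len(path)><path><len(content)><content>, so renaming a file or moving
    bytes between files changes the digest. Git metadata under .git/ is
    skipped (assumption of this example: it changes on fetch or checkout
    without the sources changing).
    """
    digest = hashlib.sha256()
    files = sorted(
        p for p in root.rglob("*")
        if p.is_file() and ".git" not in p.relative_to(root).parts
    )
    for path in files:
        rel = path.relative_to(root).as_posix().encode()
        data = path.read_bytes()
        digest.update(len(rel).to_bytes(8, "big"))
        digest.update(rel)
        digest.update(len(data).to_bytes(8, "big"))
        digest.update(data)
    return digest.hexdigest()


def check_dependencies(lock_entries, deps_root: Path, actual_revs) -> list:
    """Return one warning per inconsistency between lockfile and disk.

    lock_entries: constructed records {"name", "rev", "checksum"}.
    actual_revs:  name -> revision the caller read from the checkout.
    """
    warnings = []
    for entry in lock_entries:
        name = entry["name"]
        dep_dir = deps_root / name
        if not dep_dir.is_dir():
            warnings.append(f"{name}: dependency folder missing, run forge install")
            continue
        actual_rev = actual_revs.get(name)
        if actual_rev is not None and actual_rev != entry["rev"]:
            warnings.append(
                f"{name}: lockfile rev {entry['rev']} but checked-out rev {actual_rev}"
            )
        computed = hash_dependency_dir(dep_dir)
        if computed != entry["checksum"]:
            warnings.append(
                f"{name}: integrity checksum mismatch "
                f"(expected {entry['checksum'][:12]}..., got {computed[:12]}...)"
            )
    return warnings


def demo() -> dict:
    """Build a constructed dependency, record it, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        deps = Path(tmp)
        lib = deps / "example-lib"
        (lib / "src").mkdir(parents=True)
        (lib / "src" / "Lib.sol").write_text("contract Lib {}\n")
        (lib / ".git").mkdir()
        (lib / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
        # Constructed lockfile: checksum taken at "install" time.
        lock = [{"name": "example-lib", "rev": "abc123",
                 "checksum": hash_dependency_dir(lib)}]
        clean = check_dependencies(lock, deps, {"example-lib": "abc123"})
        # Git metadata change alone must not trip the integrity check.
        (lib / ".git" / "HEAD").write_text("ref: refs/heads/other\n")
        after_git = check_dependencies(lock, deps, {"example-lib": "abc123"})
        # Modified source plus a different checked-out revision: two warnings.
        (lib / "src" / "Lib.sol").write_text("contract Lib { function x() public {} }\n")
        tampered = check_dependencies(lock, deps, {"example-lib": "def456"})
        return {"clean": clean, "after_git": after_git, "tampered": tampered}


if __name__ == "__main__":
    for stage, warns in demo().items():
        print(stage, warns or "ok")
```

The length prefixes matter: hashing the concatenated bytes alone would let a file `a` containing `bc` collide with a file `ab` containing `c`, so a tampered tree could hash to the recorded value. Reading the checked-out revision is left to the caller because it depends on the VCS, which is exactly why beeb asks that the real check reuse soldeer_core rather than duplicate this logic.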

@beeb
Contributor

beeb commented Oct 30, 2025

@silvekkk You reimplemented everything which is not great, because if we ever decide to change something about the lockfile or dependencies folder structure, your code will break.

Please add a dependency to soldeer_core in forge/Cargo.toml using soldeer-core.workspace = true.

You can then use the following:

@silvekkk
Contributor Author

@beeb Thanks for the feedback! I've reverted and refactored to use the soldeer_core APIs:

  • Added soldeer-core dependency
  • Using read_lockfile() and check_dependency_integrity() as you suggested
  • Removed all custom implementation

@beeb
Contributor

beeb commented Oct 31, 2025

Thanks for the changes. Although this all feels very LLM generated, I left some comments.

@silvekkk
Contributor Author

> Thanks for the changes. Although this all feels very LLM generated, I left some comments.

Yeah, about 50–60% of the later commits were actually done with Claude's help. I asked it to add comments, clean up the structure, handle a few checks I probably overlooked, and do a final review.
Haha, trust me—if you'd seen my original code, you probably wouldn't even have felt like leaving a comment. (It was that bad.) Best $20 I ever paid.

silvekkk requested a review from beeb October 31, 2025 09:30


Development

Successfully merging this pull request may close these issues.

feat: Add warning on forge build with inconsistent rev in foundry.lock file

4 participants