Lock file is updated during install with multiple tags for the same commit #403

Open
davidreuss opened this issue Nov 15, 2024 · 3 comments
Labels
bug This issue describes a defect or unexpected behavior discussion This issue is not a bug or feature and a conversation is needed to find an appropriate resolution

Comments

davidreuss commented Nov 15, 2024

What steps did you take:

I have a repository, where we keep a "floating" major version say v1 for my project (for referencing with github actions for instance), but it's also tagged with the exact semver version.

What happened:

When running vendir sync --locked I'm seeing the vendir.lock.yml file updated to reflect a difference in the tags property of a dependency.

We have CI jobs which check that there are no differences in lock files, to determine if there's something changed or not, and this check is now failing randomly depending on when the last vendir sync was executed, and what the state of the tags in the upstream project is at the time.

An example diff of what I observed below:

❯ git diff
diff --git a/vendir.lock.yml b/vendir.lock.yml
index 9e368a61..eb476075 100755
--- a/vendir.lock.yml
+++ b/vendir.lock.yml
@@ -5,7 +5,7 @@ directories:
       commitTitle: 'fix: foobar'
       sha: 874ffaa568150eba07a1794a67ede807efae655b
       tags:
-      - v1
+      - v1.0.1
     path: .
   path: vendor/cicd-toolkit
 - contents:
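
Review bot: in the tags list of this hunk the entry flips from v1 to v1.0.1 while the sha context line directly above it is unchanged, so the pinned commit is the same and only its label differs. Because sha already pins the content, the tags entry should not be rewritten when the lock file is only being read for an install, or it should be written deterministically (for example every tag on the commit, sorted) so that repeated runs produce an identical file.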

What did you expect:

I expect the lockfile to not be updated when I'm installing dependencies from that lock file, with vendir sync --locked.

Environment:

❯ vendir --version
vendir version 0.41.1

This is on macOS but I don't think there's any platform/arch issue going on here.


Vote on this request

This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.

👍 "I would like to see this addressed as soon as possible"
👎 "There are other more important things to focus on right now"

We are also happy to receive and review Pull Requests if you want to help working on this issue.

@davidreuss davidreuss added bug This issue describes a defect or unexpected behavior carvel-triage This issue has not yet been reviewed for validity labels Nov 15, 2024
@davidreuss davidreuss changed the title Lock file is updated when multiple tags are created for the same version/sha Lock file is updated during _install_ when multiple tags are created for the same version/sha Nov 15, 2024
@davidreuss davidreuss changed the title Lock file is updated during _install_ when multiple tags are created for the same version/sha Lock file is updated during install when multiple tags are created for the same version/sha Nov 15, 2024
@davidreuss davidreuss changed the title Lock file is updated during install when multiple tags are created for the same version/sha Lock file is updated during install with multiple tags for the same commit Nov 15, 2024
@joaopapereira
Member

Thanks for opening this issue.
I was looking into this issue and I am trying to better understand the scenario here. Let me know if this is accurate:

  1. You create the v1 tag
  2. Create the vendir Lock file
  3. Retag the same sha with the v1.0.1 tag
  4. Move v1 tag to a different sha
  5. run vendir --lock

Is this what you are experiencing?

@renuy renuy moved this to To Triage in Carvel Nov 29, 2024
@rohitagg2020
Contributor

@davidreuss Can you please confirm if it is the above behavior you are experiencing?

@renuy renuy added discussion This issue is not a bug or feature and a conversation is needed to find an appropriate resolution and removed carvel-triage This issue has not yet been reviewed for validity labels Dec 6, 2024
@davidreuss
Author

davidreuss commented Dec 16, 2024

Sorry, this got lost in my notifications. Yes, that is correct, and what I observed. 👍

There are a lot of scenarios that could trigger similar behaviour, but the important takeaway is that I do not expect the lock file to change when I'm only installing dependencies (using --locked). It's fine if they update to reflect changes if I'm doing an actual sync (no --locked).

In short, I don't expect the lock file to change when consulting it for installing dependencies.
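
A CI drift check along the lines discussed in this thread, as an added example that is not part of the issue or of vendir: it compares two lock files with the tags entries removed, so only a change to sha or another pinned field counts as drift. The function names and the all-zero sha are constructed for illustration, and the filter assumes the block-style tags list shown in the diff above.

```shell
#!/bin/sh
# Added example (not vendir code): detect lock drift by comparing everything
# except the `tags:` metadata, so a re-labelled commit does not fail CI.

# strip_tags FILE: print FILE without block-style `tags:` keys and their items.
# Assumes the layout shown in the issue's diff (items at or below the key's indent).
strip_tags() {
  awk '
    function indent(s,  n) { n = match(s, /[^ ]/); return n ? n - 1 : length(s) }
    skipping {
      if (indent($0) >= key_indent && substr($0, indent($0) + 1, 2) == "- ") next
      skipping = 0
    }
    /^ *tags: *$/ { key_indent = indent($0); skipping = 1; next }
    { print }
  ' "$1"
}

# lock_pins_equal OLD NEW: exit 0 when the two files match once tags are ignored.
lock_pins_equal() {
  old=$(strip_tags "$1") && new=$(strip_tags "$2") && [ "$old" = "$new" ]
}

# make_lock SHA TAG: emit a constructed lock fragment modelled on the issue's diff.
make_lock() {
  printf '%s\n' 'directories:' '- contents:' '  - git:' \
    "      commitTitle: 'fix: foobar'" "      sha: $1" '      tags:' "      - $2" \
    '    path: .' '  path: vendor/cicd-toolkit'
}

tmp=$(mktemp -d)
make_lock 874ffaa568150eba07a1794a67ede807efae655b v1     > "$tmp/before.yml"
make_lock 874ffaa568150eba07a1794a67ede807efae655b v1.0.1 > "$tmp/after.yml"
make_lock 0000000000000000000000000000000000000000 v1     > "$tmp/moved.yml"  # constructed sha

if lock_pins_equal "$tmp/before.yml" "$tmp/after.yml"; then
  echo "tag-only change: pinned sha unchanged"
fi
if ! lock_pins_equal "$tmp/before.yml" "$tmp/moved.yml"; then
  echo "sha changed: real drift, fail the job"
fi
```

In a pipeline, the first argument would be the committed lock file and the second the file left on disk after the install step.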
