Skip to content

Avoid stale checked-in Cargo.lock files #1197

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
ludfjig wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Avoid stale checked-in Cargo.lock files #1197

ludfjig wants to merge 2 commits into from
+141 −2

Conversation

@ludfjig
Copy link
Contributor

@ludfjig ludfjig commented Jan 28, 2026
edited
Loading

Avoid stale Cargo.lock being checked in. This is annoying because rust-analyzer will rebuild them locally and update Cargo.lock, resulting in locally modified Cargo.lock files, which can interfere with git operations (like git checkout).

Most complications come from the fact that dependabot will update dependencies (like hyperlight-common dependencies) without rebuilding guests resulting in the guest's Cargo.lock being outdated after a dependabot PR

Prior art:

Note: since this will modify dependabot PRs, commands like @dependabot rebase won't work. Would need to do @dependabot recreate isntead, since dependabot won't rebase if somebody else touched the PR

syntactically
syntactically reviewed Feb 11, 2026
View reviewed changes
.github/workflows/dependabot-update-guest-locks.yml Outdated
- name: Update simpleguest Cargo.lock
if: steps.check-ecosystem.outputs.is_cargo == 'true'
working-directory: src/tests/rust_guests/simpleguest
run: cargo update
Copy link
Member

@syntactically syntactically Feb 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is cargo update more aggressive than we want here? IIUC cargo update would update all deps to the latest compatible version, whereas I wonder if cargo update simpleguest to do only the updates that are necessary to make the lockfiles consistent would be useful to make the PRs a bit more granular and isolate the effect of a dependency with a failing update?

Copy link
Contributor Author

@ludfjig ludfjig Feb 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps building the guest would do the minimal necessary updates. I'm not sure cargo update simpleguest would work

Copy link
Contributor Author

@ludfjig ludfjig Feb 11, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually cargo fetch should probably do it! (without the --locked)

@syntactically
Copy link
Member

syntactically commented Feb 11, 2026

@ludfjig Absolutely no pressure if you have higher-priority things, but is there anything we should do to progress this? It's only a tiny papercut, but I am constantly running into the out-of-date guest lock files because I now use Nix-vendored dependencies, which makes them a bit annoying (have to get a cargo executable not configured for vendoring, fix the lock file, wait for the dev environment to rebuild, etc).

@ludfjig
Make sure PRs fail if Cargo.lock file is out of date
8010a70 
Signed-off-by: Ludvig Liljenberg <4257730+ludfjig@users.noreply.github.com>
@ludfjig ludfjig added the kind/bugfix For PRs that fix bugs label Feb 11, 2026
@ludfjig
Make sure dependabot PRs update guests cargo.lock
916f7e3 
Signed-off-by: Ludvig Liljenberg <4257730+ludfjig@users.noreply.github.com>
@ludfjig ludfjig requested a review from Copilot February 11, 2026 22:15
Copilot AI reviewed Feb 11, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR aims to prevent stale, checked-in Cargo.lock files (especially for Rust test guests) by enforcing lockfile freshness in CI and adding automation to update guest lockfiles on Dependabot PRs.

Changes:

  • Enforce --locked cargo fetch for each Rust guest crate (simpleguest/dummyguest/witguest) in local just CI-like checks.
  • Enforce the same guest lockfile checks in the reusable CI workflow (dep_code_checks.yml).
  • Add a new workflow to auto-update and push guest Cargo.lock files on Dependabot cargo PRs.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
Justfile Adds cargo fetch --manifest-path … --locked checks for each Rust guest crate.
.github/workflows/dep_code_checks.yml Extends the existing lockfile freshness check to include each Rust guest crate.
.github/workflows/dependabot-update-guest-locks.yml New workflow to regenerate guest lockfiles and push them back to Dependabot PR branches.

.github/workflows/dependabot-update-guest-locks.yml
Comment on lines +119 to +122
# Commit with DCO sign-off
git commit --signoff -m "chore: update guest Cargo.lock files" \
-m "Automatically updated by dependabot-update-guest-locks workflow." \
-m "Triggered by: ${DEPENDENCY_NAMES}"
Copy link

Copilot AI Feb 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The workflow creates a commit with git commit --signoff, but the repo’s contribution policy requires commits to be GPG-signed as well. As written, the automation will produce unsigned commits, which can violate the signing requirement and potentially block merges. Consider either importing a GPG key in the workflow and using git commit -S -s, or switching to an approach that produces GitHub-verified commits (e.g., committing via the GitHub API) while still including the DCO sign-off line.

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@syntactically syntactically syntactically left review comments

Copilot code review Copilot Copilot left review comments

@danbugs danbugs Awaiting requested review from danbugs danbugs will be requested when the pull request is marked ready for review danbugs is a code owner

@dblnz dblnz Awaiting requested review from dblnz dblnz will be requested when the pull request is marked ready for review dblnz is a code owner

@devigned devigned Awaiting requested review from devigned devigned will be requested when the pull request is marked ready for review devigned is a code owner

@marosset marosset Awaiting requested review from marosset marosset will be requested when the pull request is marked ready for review marosset is a code owner

@jprendes jprendes Awaiting requested review from jprendes jprendes will be requested when the pull request is marked ready for review jprendes is a code owner

@simongdavies simongdavies Awaiting requested review from simongdavies simongdavies will be requested when the pull request is marked ready for review simongdavies is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

kind/bugfix For PRs that fix bugs

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ludfjig @syntactically