fix(composer): Restore any modified files after analysis #9590
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #9590 +/- ##
=========================================
Coverage 68.03% 68.03%
Complexity 1285 1285
=========================================
Files 249 249
Lines 8826 8826
Branches 920 920
=========================================
Hits 6005 6005
Misses 2432 2432
Partials 389 389
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
sschuberth
force-pushed
the
composer-lockfile-provider
branch
from
8ba53b8 to
f5998cf
Compare
| @@ -139,7 +137,11 @@ class Composer( | |||
| } | |||
|
|
|||
| val lockfile = stashDirectories(workingDir.resolve("vendor")).use { _ -> | |||
| ensureLockfile(workingDir).let { | |||
| val lockfileProvider = LockfileProvider(definitionFile) | |||
There was a problem hiding this comment.
I might be wrong, but to my understanding ORT's analyzers normally do not do this kind of clean-up.
If true, what's the reason for doing this here?
There was a problem hiding this comment.
I agree that this kind of cleanup is probably done inconsistently / not done at all for package managers currently. But I believe we should come up with a policy to start doing it consistently. Besides the annoyance of modified files when analyzing locally, leaving modified files behind also creates problems in CI pipelines that use git describe-based mechanisms to calculate the project version after analysis, as such approaches would eventually add a -dirty suffix to the version number.
There was a problem hiding this comment.
as such approaches would eventually add a -dirty suffix to the version number.
These could be also easily addressed with dropping file changes via git.
I'm undecided if it's worth to maintain the logic for it, what do others think? maybe any @oss-review-toolkit/core-devs ?
There was a problem hiding this comment.
These could be also easily addressed with dropping file changes via
git.
Our premise has always been that the ORT analyzer can be used without changes to your build, and that includes making fixups like resetting modified files with Git in a CI pipeline in my view.
Note that approving this PR does not mean that you agree to do the same changes for other package managers. As such I'd appreciate if the discussion could be limited to the code in this PR, and to pursue the general discussion elsewhere.
There was a problem hiding this comment.
In my opinion we should always try to not modify the project files with the analyzer, and we have to, clean up afterward, and I think that was always our philosophy, although we might have forgotten to implement it consistently. For example, in NPM we could simply delete the node_modules directory, but instead we move it away so that it can be restored after the analysis.
Introduce a `LockfileProvider` that ensures a lockfile to be present by either using the existing one, or enabling the creation of one and creating it. A self-created lockfile is deleted afterwards, and any modifications to the definition file are reverted. Signed-off-by: Sebastian Schuberth <[email protected]>
sschuberth
force-pushed
the
composer-lockfile-provider
branch
from
f5998cf to
5ebf073
Compare
Introduce a
LockfileProviderthat ensures a lockfile to be present by either using the existing one, or enabling the creation of one and creating it. A self-created lockfile is deleted afterwards, and any modifications to the definition file are reverted.