Skip to content

cargo publish --dry-run -Zpackage-workspace reports the checksum has changed #15647

New issue
New issue
Closed
#15711
Closed
cargo publish --dry-run -Zpackage-workspace reports the checksum has changed#15647
#15711
Labels
A-package-workspaceArea: multi-workspace-member publishing and packagingC-bugCategory: bugCommand-packageCommand-publishS-needs-designStatus: Needs someone to work further on the design for the feature or fix. NOT YET accepted.
@epage

Description

@epage
epage
opened on Jun 9, 2025

Problem

When doing a cargo release -vvv patch on clap, I got

 
[2025-06-09T17:22:05Z DEBUG cargo_release::steps] Files changed in clap_lex since clap_lex-v0.7.4: [
        "/home/epage/src/personal/clap/clap_lex/LICENSE-APACHE",
        "/home/epage/src/personal/clap/clap_lex/LICENSE-MIT",
        "/home/epage/src/personal/clap/clap_lex/src/lib.rs",
    ]
[2025-06-09T17:22:05Z DEBUG cargo_release::steps] Files changed in clap_builder since v4.5.39: [
        "/home/epage/src/personal/clap/clap_builder/LICENSE-APACHE",
        "/home/epage/src/personal/clap/clap_builder/LICENSE-MIT",
        "/home/epage/src/personal/clap/clap_builder/README.md",
        "/home/epage/src/personal/clap/clap_builder/src/lib.rs",
        "/home/epage/src/personal/clap/clap_builder/src/macros.rs",
    ]
[2025-06-09T17:22:05Z DEBUG cargo_release::steps] Files changed in clap_derive since v4.5.32: [
        "/home/epage/src/personal/clap/clap_derive/LICENSE-APACHE",
        "/home/epage/src/personal/clap/clap_derive/LICENSE-MIT",
        "/home/epage/src/personal/clap/clap_derive/README.md",
    ]
[2025-06-09T17:22:05Z DEBUG cargo_release::steps] Files changed in clap since v4.5.39: [
        "/home/epage/src/personal/clap/Cargo.lock",
        "/home/epage/src/personal/clap/Cargo.toml",
        "/home/epage/src/personal/clap/src/_faq.rs",
        "/home/epage/src/personal/clap/src/lib.rs",
    ]
[2025-06-09T17:22:05Z DEBUG cargo_release::steps] Files changed in clap_complete since clap_complete-v4.5.52: [
        "/home/epage/src/personal/clap/clap_complete/LICENSE-APACHE",
        "/home/epage/src/personal/clap/clap_complete/LICENSE-MIT",
        "/home/epage/src/personal/clap/clap_complete/src/lib.rs",
    ]
[2025-06-09T17:22:05Z DEBUG cargo_release::steps] Files changed in clap_complete_nushell since clap_complete_nushell-v
4.5.6: [
        "/home/epage/src/personal/clap/clap_complete_nushell/LICENSE-APACHE",
        "/home/epage/src/personal/clap/clap_complete_nushell/LICENSE-MIT",
        "/home/epage/src/personal/clap/clap_complete_nushell/src/lib.rs",
    ]
[2025-06-09T17:22:05Z DEBUG cargo_release::steps] Files changed in clap_mangen since clap_mangen-v0.2.26: [
        "/home/epage/src/personal/clap/clap_mangen/LICENSE-APACHE",
        "/home/epage/src/personal/clap/clap_mangen/LICENSE-MIT",
        "/home/epage/src/personal/clap/clap_mangen/src/lib.rs",
    ]
...
  Publishing clap_lex, clap_builder, clap_derive, clap, clap_complete, clap_complete_nushell, clap_mangen
[2025-06-09T17:22:06Z TRACE cargo_release::ops::cmd] /home/epage/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/b
in/cargo publish --manifest-path /home/epage/src/personal/clap/clap_lex/Cargo.toml -Zpackage-workspace --package clap_
lex --package clap_builder --package clap_derive --package clap --package clap_complete --package clap_complete_nushel
l --package clap_mangen --dry-run --allow-dirty
    Updating crates.io index
warning: crate [email protected] already exists on crates.io index
warning: crate [email protected] already exists on crates.io index
warning: crate [email protected] already exists on crates.io index
warning: crate [email protected] already exists on crates.io index
warning: crate [email protected] already exists on crates.io index
warning: crate [email protected] already exists on crates.io index
warning: crate [email protected] already exists on crates.io index
   Packaging clap_lex v0.7.4 (/home/epage/src/personal/clap/clap_lex)
warning: ignoring test `testsuite` as `tests/testsuite/main.rs` is not included in the published package
    Updating crates.io index
    Packaged 9 files, 44.5KiB (13.2KiB compressed)
   Packaging clap_builder v4.5.39 (/home/epage/src/personal/clap/clap_builder)
error: failed to prepare local package for uploading

Caused by:
  checksum for `clap_lex v0.7.4` changed between lock files

  this could be indicative of a few possible errors:

      * the lock file is corrupt
      * a replacement source in use (e.g., a mirror) returned a different checksum
      * the source itself may be corrupt in one way or another

  unable to verify that `clap_lex v0.7.4` is the same as when the lockfile was generated

Pulling out from that, the command was roughly

$ cargo publish -Zpackage-workspace --workspace --dry-run --allow-dirty

They key parts to this

  • --dry-run was being used
  • versions were not bumped (because it was a dry-run release)
  • every package was changed

This can also be reproduced with cargo package within the same repo at the same point in time

Steps

Add the following test:

#[cargo_test]
fn checksum_changed() {
    let registry = RegistryBuilder::new().http_api().http_index().build();

    Package::new("dep", "1.0.0").publish();
    Package::new("transitive", "1.0.0")
        .dep("dep", "1.0.0")
        .publish();

    let p = project()
        .file(
            "Cargo.toml",
            r#"
                [workspace]
                members = ["dep"]

                [package]
                name = "foo"
                version = "0.0.1"
                edition = "2015"
                authors = []
                license = "MIT"
                description = "foo"
                documentation = "foo"

                [dependencies]
                dep = { path = "./dep", version = "1.0.0" }
                transitive = "1.0.0"
            "#,
        )
        .file("src/lib.rs", "")
        .file(
            "dep/Cargo.toml",
            r#"
                [package]
                name = "dep"
                version = "1.0.0"
                edition = "2015"
            "#,
        )
        .file("dep/src/lib.rs", "")
        .build();

    p.cargo("check").run();

    p.cargo("publish --dry-run --workspace -Zpackage-workspace")
        .masquerade_as_nightly_cargo(&["package-workspace"])
        .replace_crates_io(registry.index_url())
        .with_status(101)
        .with_stderr_data(str![[r#"
[UPDATING] crates.io index
[WARNING] crate [email protected] already exists on crates.io index
[WARNING] manifest has no description, license, license-file, documentation, homepage or repository.
See https://doc.rust-lang.org/cargo/reference/manifest.html#package-metadata for more info.
[PACKAGING] dep v1.0.0 ([ROOT]/foo/dep)
[PACKAGED] 4 files, [FILE_SIZE]B ([FILE_SIZE]B compressed)
[PACKAGING] foo v0.0.1 ([ROOT]/foo)
[ERROR] failed to prepare local package for uploading

Caused by:
  checksum for `dep v1.0.0` changed between lock files

  this could be indicative of a few possible errors:

      * the lock file is corrupt
      * a replacement source in use (e.g., a mirror) returned a different checksum
      * the source itself may be corrupt in one way or another

  unable to verify that `dep v1.0.0` is the same as when the lockfile was generated

"#]])
        .run();
}

Possible Solution(s)

No response

Notes

Previously reported at #1169 (comment) without clear reproduction steps

Previous issues related to --dry-run

Version

$ ❯ cargo +nightly -Vv
cargo 1.89.0-nightly (056f5f4f3 2025-05-09)
release: 1.89.0-nightly
commit-hash: 056f5f4f3c100cb36b5e9aed2d20b9ea70aae295
commit-date: 2025-05-09
host: x86_64-unknown-linux-gnu
libgit2: 1.9.0 (sys:0.20.0 vendored)
libcurl: 8.12.1-DEV (sys:0.4.80+curl-8.12.1 vendored ssl:OpenSSL/3.4.1)
ssl: OpenSSL 3.4.1 11 Feb 2025
os: Pop!_OS 22.4.0 (jammy) [64-bit]

Metadata

Metadata

Assignees

No one assigned

    Labels

    A-package-workspaceArea: multi-workspace-member publishing and packagingC-bugCategory: bugCommand-packageCommand-publishS-needs-designStatus: Needs someone to work further on the design for the feature or fix. NOT YET accepted.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions