Confusion with git/tag and git/sha in deps.edn

Question

Confusion with git/tag and git/sha in deps.edn

Opened this issue 3 years ago · 0 comments

wandersoncferreira commented 3 years ago

Hello @fogus , thanks for this repo and the blog post around it.

I noticed the recent sha bump for tools.build and it got me thinking: why does this work?

:aliases
 {:build {:replace-deps {io.github.clojure/tools.build {:git/tag "v0.1.3" :git/sha "688245e"}}
          :ns-default build}}

the snippet above has the correct association between "v0.1.3" tag and its counterpart commit sha "688245e", then when you change the sha to "660a71f" and keep the same tag I was expecting a failure.

For some reason I understood from previous communications that when we used "tag" and "sha" some sanity check was performed to validate the version of code we are downloading, however reading the dependencies docs its clear that "git/tag" is only a way to inform about "sha" semantics..

Is my understanding correct? I am not sure if I built this expectation out of nowhere, but I definitely would read this as a "bug" if I find a tag pointing to a different sha value in my projects.