Alternative to cargo publish --allow-dirty: cargo publish --exclude-untracked #12456

Open
stevenroose opened this issue Aug 7, 2023 · 2 comments
Labels
C-feature-request Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted` Command-package S-needs-team-input Status: Needs input from team on whether/how to proceed.

Comments

@stevenroose

stevenroose commented Aug 7, 2023

Problem

Currently cargo publish publishes the entire working directory. When some of the files in the directory are not tracked by git, cargo will refuse to publish unless you explicitly tell it to ignore that by passing --allow-dirty.

I publish maybe a dozen crates or so, and almost never do I actually intend these untracked files to actually be included. To be honest, I only recently realized they were actually uploaded when there was a large tarball in my working directory that exceeded the maximum upload size.

So in my personal case, but I suspect this to be the case for many others as well, I only intend to upload the files tracked by git. Others might be personal or even sensitive (things like todo or notes which I keep in various repos) that might perhaps include information on potential vulnerabilities that I'm fixing at the very moment.

Proposed Solution

As an alternative to --allow-dirty which will include the untracked files in the upload payload, I propose an extra flag to be added, called along the lines of --exclude-untracked that will actually exclude all untracked files (as per git, ofc) from the payload.

Of course ideally this would mean that the build that cargo publish does would also ignore these files to check that the build is possible without these files. While this might not be trivial, someone might figure out a smart way to do this. One simple solution would be to just copy the current directory minus the untracked files to a temporary directory and do the build check there.

If touching the git worktree is not out of the question, cargo publish could even temporarily stash these files and unstash them after running.

Notes

No response

@stevenroose stevenroose added C-feature-request Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted` S-triage Status: This issue is waiting on initial triage. labels Aug 7, 2023
@epage
Contributor

epage commented Aug 7, 2023

> As an alternative to --allow-dirty which will include the untracked files in the upload payload, I propose an extra flag to be added, called along the lines of --skip-untracked that will actually exclude all untracked files (as per git, ofc) from the payload.

nit on name: --exclude-untracked to align with package.exclude.

Would package.include work for your case?

FYI you can check what will be packaged for publish with cargo package --list

If we did add a flag like this, I think we should error if the VCS is not of a type we support so we don't do one thing, then add a new VCS, and then a new thing happens.

If we do this, I think this should likely be a Cargo.toml setting, rather than a command-line flag. While the untracked files will be dependent on the user (CLI), the fact that everything the package needs is included in the repo is tied to the package/repo.

Personally, I think we should support excluding gitignore files (if we don't already) rather than untracked. Untracked can represent incomplete work or unrelated work, making it ambiguous. Ignored files are unambiguous and any user can turn untracked files into ignored files with a user-wide gitignore file.

> Of course ideally this would mean that the build that cargo publish does would also ignore these files to check that the build is possible without these files. While this might not be trivial, someone might figure out a smart way to do this. One simple solution would be to just copy the current directory minus the untracked files to a temporary directory and do the build check there.

I believe that test build is performed on what cargo package generates, so that isn't an issue.

@epage epage changed the title REQUEST: Alternative to cargo publish --allow-dirty: cargo publish --skip-untracked Alternative to cargo publish --allow-dirty: cargo publish --skip-untracked Aug 7, 2023
@stevenroose stevenroose changed the title Alternative to cargo publish --allow-dirty: cargo publish --skip-untracked Alternative to cargo publish --allow-dirty: cargo publish --exclude-untracked Aug 9, 2023
@ehuss ehuss added S-needs-team-input Status: Needs input from team on whether/how to proceed. and removed S-triage Status: This issue is waiting on initial triage. labels Nov 22, 2023
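
The `cargo package --list` check mentioned above can be compared against git's tracked files to catch the situation the original post describes before anything is uploaded. This is an added example, not part of the thread or of cargo; the function names and the sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: list files `cargo package --list` would ship that git does
# not track. Function names are hypothetical helpers, not part of cargo.

# Files cargo writes into the archive itself; they need not be tracked.
GENERATED='.cargo_vcs_info.json
Cargo.toml.orig
Cargo.lock'

# untracked_in_package PACKAGE_LIST TRACKED_LIST
# Arguments are newline-separated path lists. Prints each packaged path that
# is neither tracked by git nor generated by cargo.
untracked_in_package() {
    pkg=$(mktemp) && known=$(mktemp) || return 2
    printf '%s\n' "$1" | sed '/^$/d' | LC_ALL=C sort -u > "$pkg"
    printf '%s\n%s\n' "$2" "$GENERATED" | sed '/^$/d' | LC_ALL=C sort -u > "$known"
    LC_ALL=C comm -23 "$pkg" "$known"
    rm -f "$pkg" "$known"
}

# check_crate: run from the crate root before `cargo publish`.
# Returns 0 if clean, 1 (with the offending paths on stderr) otherwise.
check_crate() {
    # --allow-dirty is needed here so the listing works on a dirty tree.
    listed=$(cargo package --list --allow-dirty) || return 2
    # Both commands print paths relative to the current directory.
    tracked=$(git -c core.quotePath=off ls-files) || return 2
    extra=$(untracked_in_package "$listed" "$tracked")
    [ -z "$extra" ] && return 0
    printf 'untracked files would be packaged:\n%s\n' "$extra" >&2
    return 1
}

# Constructed sample input (not real output from any project).
SAMPLE_PACKAGE_LIST='.cargo_vcs_info.json
Cargo.toml
Cargo.toml.orig
src/lib.rs
notes/todo.md
vuln-research.tar.gz'
SAMPLE_TRACKED='Cargo.toml
src/lib.rs
.gitignore'

# Demo on the constructed lists; prints the two untracked paths.
untracked_in_package "$SAMPLE_PACKAGE_LIST" "$SAMPLE_TRACKED"
```

Paths this reports are candidates for package.exclude, a narrower package.include, or a gitignore entry.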
@weihanglo
Member

See also #9398
