Skip to content

fix(ci): fail loudly on yarn.lock drift after build#23882

Merged
ludamad merged 1 commit into
v5-nextfrom
cb/v5-next-lockfile-drift-gate
Jun 4, 2026
Merged

fix(ci): fail loudly on yarn.lock drift after build#23882
ludamad merged 1 commit into
v5-nextfrom
cb/v5-next-lockfile-drift-gate

Conversation

@AztecBot

@AztecBot AztecBot commented Jun 4, 2026

Copy link
Copy Markdown
Collaborator

Problem

A noir bump (#23870, "chore: update Noir to v1.0.0-beta.22 (v5-next)") landed on v5-next green (11/11) while desyncing the lockfile: it advanced the noir/noir-repo submodule pin to beta.22 (c57152f9) but did not regenerate yarn-project/yarn.lock, which still pins @aztec/noir-* at beta.21. The drift only surfaced downstream where an immutable install runs, so a brittleness in public CI let a lockfile-desyncing bump merge undetected.

Why it slipped through

  • The noir packages are consumed via file:/portal: links into noir/packages/* with content-derived checksums (e.g. @aztec/noir-noir_js@file:... carries version: 1.0.0-beta.21 + a checksum).
  • During the build, yarn install rewrites yarn.lock in the container and proceeds — nothing functionally depends on the committed lockfile being exact, so there is no failure.
  • The node-modules cache_content_hash does include yarn.lock, but it is computed at install start. A rewrite that happens during the build is never re-checked, so the stale committed lockfile is never compared against the post-build state.

Fix

Add a check_lockfiles gate that runs after the build in the PR/merge CI paths (ci-fast, ci-full, ci-full-no-test-cache). It fails loudly if the build left any committed yarn.lock rewritten — exactly the signal a forgotten lockfile regen produces — with a message pointing at the root cause and the fix.

This makes a submodule/dependency bump that forgets the lockfile a hard CI failure instead of silent drift.

Notes

  • This adds the missing root-cause gate. The immediate beta.22 lockfile desync still needs to be completed separately (regenerate yarn-project/yarn.lock against beta.22 and commit it); a manual edit won't work because the file: resolutions are content-derived.
  • Verified the detector locally (red on a simulated yarn.lock rewrite, green on a clean tree). The gate is a no-op on healthy builds, so it only fires on real drift — final validation is the CI run on this PR.

Labeled private-port-next so the gate ports to the private v5-next line.

Created by claudebox · group: slackbot

@AztecBot AztecBot added C-CI Component: continuous integration ci-draft Run CI on draft PRs. claudebox Owned by claudebox. it can push to this PR. private-port-next labels Jun 4, 2026
@ludamad ludamad marked this pull request as ready for review June 4, 2026 19:12
@ludamad ludamad enabled auto-merge June 4, 2026 19:12
@ludamad ludamad added this pull request to the merge queue Jun 4, 2026
Merged via the queue into v5-next with commit eaf895b Jun 4, 2026
66 of 76 checks passed
@ludamad ludamad deleted the cb/v5-next-lockfile-drift-gate branch June 4, 2026 19:15
@AztecBot AztecBot mentioned this pull request Jun 4, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ludamad ludamad ludamad approved these changes

Assignees

No one assigned

Labels

C-CI Component: continuous integration ci-draft Run CI on draft PRs. claudebox Owned by claudebox. it can push to this PR. private-port-next

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@AztecBot @ludamad