At the moment, our integration tests work by importing the files as they exist as a directory on disk, rather than the tarball you would get from WAPM. It'd be nice if we could update our tests to do a tar -czvf some-package.tar.gz ./out and import that ./some-package.tar.gz to more closely match what end users will be doing (this would have helped detect #59).
I initially implemented this in #65, but ran into issues where both pip and yarn treat a tarball as something that has been properly released. That meant they'll add integrity checks every time the tests try to install the package, and those checks were always failing.
For example, we got the following error with Yarn:
error Integrity check failed for "@wasmer/wabt" (computed integrity doesn't match our records, got "sha512-P4mwSUIu12z/9A/MF89lH0pKzQEFKVzc9oNNlfklyrUaYUlBkzKVethIKf9IJSmp/a6B7U4e6w5QchiK6b8nZQ== sha1-Ji/XdoPfCLiJpROBc/pTVkBPUpw=")
Pip generated a similar error message
Creating virtualenv python-DVkIVhwW-py3.9 in /home/runner/.cache/pypoetry/virtualenvs
Updating dependencies
Resolving dependencies...
Writing lock file
Package operations: 14 installs, 0 updates, 0 removals
• Installing pyparsing (3.0.9)
• Installing attrs (22.1.0)
• Installing exceptiongroup (1.0.0)
• Installing iniconfig (1.1.1)
• Installing mypy-extensions (0.4.3)
• Installing packaging (21.3)
• Installing pluggy (1.0.0)
• Installing tomli (2.0.1)
• Installing typing-extensions (4.4.0)
• Installing wasmer (1.1.0)
• Installing wasmer-compiler-cranelift (1.1.0)
RuntimeError
Hash for wasmer (1.1.0) from archive wasmer-1.1.0-cp39-cp39-manylinux_2_24_x86_64.whl not found in known hashes (was: sha[256](https://github.com/wasmerio/wasmer-pack/actions/runs/3348066190/jobs/5546725994#step:12:257):76bdd17a89dd652d39d789c138fff7236bb38da3e0ad54c716e2e72a90efef2e)
at ~/.local/share/pypoetry/venv/lib/python3.9/site-packages/poetry/installation/executor.py:681 in _validate_archive_hash
677│ archive_hash: str = "sha256:" + file_dep.hash()
678│ known_hashes = {f["hash"] for f in package.files}
679│
680│ if archive_hash not in known_hashes:
→ 681│ raise RuntimeError(
682│ f"Hash for {package} from archive {archive.name} not found in"
683│ f" known hashes (was: {archive_hash})"
684│ )
685│
At the moment, our integration tests work by importing the files as they exist as a directory on disk, rather than the tarball you would get from WAPM. It'd be nice if we could update our tests to do a
tar -czvf some-package.tar.gz ./outand import that./some-package.tar.gzto more closely match what end users will be doing (this would have helped detect #59).I initially implemented this in #65, but ran into issues where both
pipandyarntreat a tarball as something that has been properly released. That meant they'll add integrity checks every time the tests try to install the package, and those checks were always failing.For example, we got the following error with Yarn:
Pip generated a similar error message