chore: forbid branch and tag for git source

Author: remimimimimi

crates/pixi_manifest/src/build_system.rs

@@ -106,7 +106,7 @@ mod tests {
               "https://prefix.dev/pixi-build-backends",
               "https://prefix.dev/conda-forge",
             ]
-            source = { git = "https://github.com/conda-forge/numpy-feedstock" }
+            source = { git = "https://github.com/conda-forge/numpy-feedstock", rev ="ee87916a49d5e96d4f322f68c3650e8ff6b8866b" }
             "#;
 
         let build = PackageBuild::from_toml_str(toml).unwrap();

crates/pixi_manifest/src/toml/build_backend.rs

@@ -169,7 +169,7 @@ static BOTH_ADDITIONAL_DEPS_WARNING: Once = Once::new();
 fn spec_from_spanned_toml_location(
     spanned_toml: Spanned<TomlLocationSpec>,
 ) -> Result<SourceLocationSpec, DeserError> {
-    spanned_toml
+    let source_location_spec = spanned_toml
         .value
         .into_source_location_spec()
         .map_err(|err| {
@@ -178,7 +178,24 @@ fn spec_from_spanned_toml_location(
                 span: spanned_toml.span,
                 line_info: None,
             })
-        })
+        })?;
+
+    // For build sources, require explicit rev for git sources to
+    // ensure reproducible builds Should be removed once we will be
+    // able to store source revision in lockfile.
+    if let SourceLocationSpec::Git(ref git_spec) = source_location_spec {
+        if git_spec.rev.is_none() {
+            return Err(DeserError::from(Error {
+                kind: toml_span::ErrorKind::Custom(Cow::Borrowed(
+                    "Git sources in build context require an explicit `rev` field for reproducible builds",
+                )),
+                span: spanned_toml.span,
+                line_info: None,
+            }));
+        }
+    }
+
+    Ok(source_location_spec)
 }
 
 impl<'de> toml_span::Deserialize<'de> for TomlPackageBuild {

docs/reference/pixi_manifest.md

@@ -955,8 +955,6 @@ The build system is a table that can contain the following fields:
   - `path`: a string representing a relative or absolute path to the source code.
   - `git`: a string representing URL to the source repository.
   - `rev`: a string representing SHA revision to checkout.
-  - `tag`: a string representing git tag to use.
-  - `branch`: a string representing git branch to use.
   - `subdirectory`: a string representing path to subdirectory to use.
 - `channels`: specifies the channels to get the build backend from.
 - `backend`: specifies the build backend to use. This is a table that can contain the following fields:

schema/model.py

@@ -715,8 +715,8 @@ class SourceLocation(StrictBaseModel):
 
     git: NonEmptyStr | None = Field(None, description="The git URL to the source repo")
     rev: NonEmptyStr | None = Field(None, description="A git SHA revision to use")
-    tag: NonEmptyStr | None = Field(None, description="A git tag to use")
-    branch: NonEmptyStr | None = Field(None, description="A git branch to use")
+    # tag: NonEmptyStr | None = Field(None, description="A git tag to use")
+    # branch: NonEmptyStr | None = Field(None, description="A git branch to use")
     subdirectory: NonEmptyStr | None = Field(None, description="A subdirectory to use in the repo")
 
 

schema/schema.json

@@ -1707,12 +1707,6 @@
       "type": "object",
       "additionalProperties": false,
       "properties": {
-        "branch": {
-          "title": "Branch",
-          "description": "A git branch to use",
-          "type": "string",
-          "minLength": 1
-        },
         "git": {
           "title": "Git",
           "description": "The git URL to the source repo",
@@ -1736,12 +1730,6 @@
           "description": "A subdirectory to use in the repo",
           "type": "string",
           "minLength": 1
-        },
-        "tag": {
-          "title": "Tag",
-          "description": "A git tag to use",
-          "type": "string",
-          "minLength": 1
         }
       }
     },