Avoid panic when re-locking with precise commit (#5863)

## Summary

Very subtle bug. The scenario is as follows:

- We resolve: `elmer-circuitbuilder = { git =
"https://github.com/ElmerCSC/elmer_circuitbuilder.git" }`

- The user then changes the request to: `elmer-circuitbuilder = { git =
"https://github.com/ElmerCSC/elmer_circuitbuilder.git", rev =
"44d2f4b19d6837ea990c16f494bdf7543d57483d" }`

- When we go to re-lock, we note two facts:

1. The "default branch" resolves to
`44d2f4b19d6837ea990c16f494bdf7543d57483d`.
2. The metadata for `44d2f4b19d6837ea990c16f494bdf7543d57483d` is
(whatever we grab from the lockfile).

- In the resolver, we then ask for the metadata for
`44d2f4b19d6837ea990c16f494bdf7543d57483d`. It's already in the cache,
so we return it; thus, we never add the
`44d2f4b19d6837ea990c16f494bdf7543d57483d` ->
`44d2f4b19d6837ea990c16f494bdf7543d57483d` mapping to the Git resolver,
because we never have to resolve it.

This would apply for any case in which a requested tag or branch was
replaced by its precise SHA. Replacing with a different commit is fine.

It only applied to `tool.uv.sources`, and not PEP 508 URLs, because the
underlying issue is that we aren't consistent about "automatically"
extracting the precise commit from a Git reference.

Closes https://github.com/astral-sh/uv/issues/5860.

crates/uv-git/src/git.rs

@@ -3,8 +3,10 @@
 //! Source: <https://github.com/rust-lang/cargo/blob/23eb492cf920ce051abfc56bbaf838514dc8365c/src/cargo/sources/git/utils.rs>
 use std::fmt::Display;
 use std::path::{Path, PathBuf};
-use std::str::{self};
+use std::str::{self, FromStr};
 
+use crate::sha::GitOid;
+use crate::GitSha;
 use anyhow::{anyhow, Context, Result};
 use cargo_util::{paths, ProcessBuilder};
 use reqwest::StatusCode;
@@ -13,8 +15,6 @@ use tracing::debug;
 use url::Url;
 use uv_fs::Simplified;
 
-use crate::sha::GitOid;
-
 /// A file indicates that if present, `git reset` has been done and a repo
 /// checkout is ready to go. See [`GitCheckout::reset`] for why we need this.
 const CHECKOUT_READY_LOCK: &str = ".ok";
@@ -108,6 +108,15 @@ impl GitReference {
             Self::DefaultBranch => "default branch",
         }
     }
+
+    /// Returns the precise [`GitSha`] of this reference, if it's a full commit.
+    pub(crate) fn as_sha(&self) -> Option<GitSha> {
+        if let Self::FullCommit(rev) = self {
+            Some(GitSha::from_str(rev).expect("Full commit should be exactly 40 characters"))
+        } else {
+            None
+        }
+    }
 }
 
 impl Display for GitReference {

crates/uv-git/src/lib.rs

@@ -1,4 +1,3 @@
-use std::str::FromStr;
 use url::Url;
 
 pub use crate::git::GitReference;
@@ -26,11 +25,22 @@ pub struct GitUrl {
 }
 
 impl GitUrl {
-    pub fn new(repository: Url, reference: GitReference) -> Self {
+    /// Create a new [`GitUrl`] from a repository URL and a reference.
+    pub fn from_reference(repository: Url, reference: GitReference) -> Self {
+        let precise = reference.as_sha();
         Self {
             repository,
             reference,
-            precise: None,
+            precise,
+        }
+    }
+
+    /// Create a new [`GitUrl`] from a repository URL and a precise commit.
+    pub fn from_commit(repository: Url, reference: GitReference, precise: GitSha) -> Self {
+        Self {
+            repository,
+            reference,
+            precise: Some(precise),
         }
     }
 
@@ -77,17 +87,7 @@ impl TryFrom<Url> for GitUrl {
             url.set_path(&prefix);
         }
 
-        let precise = if let GitReference::FullCommit(rev) = &reference {
-            Some(GitSha::from_str(rev)?)
-        } else {
-            None
-        };
-
-        Ok(Self {
-            repository: url,
-            reference,
-            precise,
-        })
+        Ok(Self::from_reference(url, reference))
     }
 }
 

crates/uv-git/src/resolver.rs

@@ -71,7 +71,7 @@ impl GitResolver {
         Ok(fetch)
     }
 
-    /// Given a remote source distribution, return a precise variant, if possible.
+    /// Given a remote source distribution, return a precise variant.
     ///
     /// For example, given a Git dependency with a reference to a branch or tag, return a URL
     /// with a precise reference to the current commit of that branch or tag.
@@ -79,6 +79,9 @@ impl GitResolver {
     /// This method takes into account various normalizations that are independent from the Git
     /// layer. For example: removing `#subdirectory=pkg_dir`-like fragments, and removing `git+`
     /// prefix kinds.
+    ///
+    /// Returns `Ok(None)` if the URL already has a precise reference (i.e., it includes a full
+    /// commit hash in the URL itself, as opposed to, e.g., a branch name).
     pub async fn resolve(
         &self,
         url: &GitUrl,
@@ -121,7 +124,8 @@ impl GitResolver {
     /// prefix kinds.
     ///
     /// This method will only return precise URLs for URLs that have already been resolved via
-    /// [`resolve_precise`].
+    /// [`resolve_precise`], and will return `None` for URLs that have not been resolved _or_
+    /// already have a precise reference.
     pub fn precise(&self, url: GitUrl) -> Option<GitUrl> {
         let reference = RepositoryReference::from(&url);
         let precise = self.get(&reference)?;