Avoid panic when re-locking with precise commit (#5863)

## Summary

Very subtle bug. The scenario is as follows:

- We resolve: `elmer-circuitbuilder = { git =
"https://github.com/ElmerCSC/elmer_circuitbuilder.git" }`

- The user then changes the request to: `elmer-circuitbuilder = { git =
"https://github.com/ElmerCSC/elmer_circuitbuilder.git", rev =
"44d2f4b19d6837ea990c16f494bdf7543d57483d" }`

- When we go to re-lock, we note two facts:

1. The "default branch" resolves to
`44d2f4b19d6837ea990c16f494bdf7543d57483d`.
2. The metadata for `44d2f4b19d6837ea990c16f494bdf7543d57483d` is
(whatever we grab from the lockfile).

- In the resolver, we then ask for the metadata for
`44d2f4b19d6837ea990c16f494bdf7543d57483d`. It's already in the cache,
so we return it; thus, we never add the
`44d2f4b19d6837ea990c16f494bdf7543d57483d` ->
`44d2f4b19d6837ea990c16f494bdf7543d57483d` mapping to the Git resolver,
because we never have to resolve it.

This would apply for any case in which a requested tag or branch was
replaced by its precise SHA. Replacing with a different commit is fine.

It only applied to `tool.uv.sources`, and not PEP 508 URLs, because the
underlying issue is that we aren't consistent about "automatically"
extracting the precise commit from a Git reference.

Closes #5860.

crates/pypi-types/src/parsed_url.rs

@@ -246,10 +246,11 @@ impl ParsedGitUrl {
         precise: Option<GitSha>,
         subdirectory: Option<PathBuf>,
     ) -> Self {
-        let mut url = GitUrl::new(repository, reference);
-        if let Some(precise) = precise {
-            url = url.with_precise(precise);
-        }
+        let url = if let Some(precise) = precise {
+            GitUrl::from_commit(repository, reference, precise)
+        } else {
+            GitUrl::from_reference(repository, reference)
+        };
         Self { url, subdirectory }
     }
 }

crates/pypi-types/src/requirement.rs

@@ -113,9 +113,9 @@ impl From<Requirement> for pep508_rs::Requirement<VerbatimParsedUrl> {
                     url,
                 } => {
                     let git_url = if let Some(precise) = precise {
-                        GitUrl::new(repository, reference).with_precise(precise)
+                        GitUrl::from_commit(repository, reference, precise)
                     } else {
-                        GitUrl::new(repository, reference)
+                        GitUrl::from_reference(repository, reference)
                     };
                     Some(VersionOrUrl::Url(VerbatimParsedUrl {
                         parsed_url: ParsedUrl::Git(ParsedGitUrl {

crates/uv-git/src/git.rs

@@ -3,8 +3,10 @@
 //! Source: <https://github.com/rust-lang/cargo/blob/23eb492cf920ce051abfc56bbaf838514dc8365c/src/cargo/sources/git/utils.rs>
 use std::fmt::Display;
 use std::path::{Path, PathBuf};
-use std::str::{self};
+use std::str::{self, FromStr};
 
+use crate::sha::GitOid;
+use crate::GitSha;
 use anyhow::{anyhow, Context, Result};
 use cargo_util::{paths, ProcessBuilder};
 use reqwest::StatusCode;
@@ -13,8 +15,6 @@ use tracing::debug;
 use url::Url;
 use uv_fs::Simplified;
 
-use crate::sha::GitOid;
-
 /// A file indicates that if present, `git reset` has been done and a repo
 /// checkout is ready to go. See [`GitCheckout::reset`] for why we need this.
 const CHECKOUT_READY_LOCK: &str = ".ok";
@@ -108,6 +108,15 @@ impl GitReference {
             Self::DefaultBranch => "default branch",
         }
     }
+
+    /// Returns the precise [`GitSha`] of this reference, if it's a full commit.
+    pub(crate) fn as_sha(&self) -> Option<GitSha> {
+        if let Self::FullCommit(rev) = self {
+            Some(GitSha::from_str(rev).expect("Full commit should be exactly 40 characters"))
+        } else {
+            None
+        }
+    }
 }
 
 impl Display for GitReference {

crates/uv-git/src/lib.rs

@@ -1,4 +1,3 @@
-use std::str::FromStr;
 use url::Url;
 
 pub use crate::git::GitReference;
@@ -26,11 +25,22 @@ pub struct GitUrl {
 }
 
 impl GitUrl {
-    pub fn new(repository: Url, reference: GitReference) -> Self {
+    /// Create a new [`GitUrl`] from a repository URL and a reference.
+    pub fn from_reference(repository: Url, reference: GitReference) -> Self {
+        let precise = reference.as_sha();
         Self {
             repository,
             reference,
-            precise: None,
+            precise,
+        }
+    }
+
+    /// Create a new [`GitUrl`] from a repository URL and a precise commit.
+    pub fn from_commit(repository: Url, reference: GitReference, precise: GitSha) -> Self {
+        Self {
+            repository,
+            reference,
+            precise: Some(precise),
         }
     }
 
@@ -77,17 +87,7 @@ impl TryFrom<Url> for GitUrl {
             url.set_path(&prefix);
         }
 
-        let precise = if let GitReference::FullCommit(rev) = &reference {
-            Some(GitSha::from_str(rev)?)
-        } else {
-            None
-        };
-
-        Ok(Self {
-            repository: url,
-            reference,
-            precise,
-        })
+        Ok(Self::from_reference(url, reference))
     }
 }
 

crates/uv-git/src/resolver.rs

@@ -71,14 +71,17 @@ impl GitResolver {
         Ok(fetch)
     }
 
-    /// Given a remote source distribution, return a precise variant, if possible.
+    /// Given a remote source distribution, return a precise variant.
     ///
     /// For example, given a Git dependency with a reference to a branch or tag, return a URL
     /// with a precise reference to the current commit of that branch or tag.
     ///
     /// This method takes into account various normalizations that are independent from the Git
     /// layer. For example: removing `#subdirectory=pkg_dir`-like fragments, and removing `git+`
     /// prefix kinds.
+    ///
+    /// Returns `Ok(None)` if the URL already has a precise reference (i.e., it includes a full
+    /// commit hash in the URL itself, as opposed to, e.g., a branch name).
     pub async fn resolve(
         &self,
         url: &GitUrl,
@@ -121,7 +124,8 @@ impl GitResolver {
     /// prefix kinds.
     ///
     /// This method will only return precise URLs for URLs that have already been resolved via
-    /// [`resolve_precise`].
+    /// [`resolve_precise`], and will return `None` for URLs that have not been resolved _or_
+    /// already have a precise reference.
     pub fn precise(&self, url: GitUrl) -> Option<GitUrl> {
         let reference = RepositoryReference::from(&url);
         let precise = self.get(&reference)?;

crates/uv-installer/src/plan.rs

@@ -241,10 +241,11 @@ impl<'a> Planner<'a> {
                     subdirectory,
                     url,
                 } => {
-                    let mut git = GitUrl::new(repository.clone(), reference.clone());
-                    if let Some(precise) = precise {
-                        git = git.with_precise(*precise);
-                    }
+                    let git = if let Some(precise) = precise {
+                        GitUrl::from_commit(repository.clone(), reference.clone(), *precise)
+                    } else {
+                        GitUrl::from_reference(repository.clone(), reference.clone())
+                    };
                     let sdist = GitSourceDist {
                         name: requirement.name.clone(),
                         git: Box::new(git),

crates/uv-requirements/src/lookahead.rs

@@ -261,10 +261,11 @@ fn required_dist(requirement: &Requirement) -> Result<Option<Dist>, distribution
             subdirectory,
             url,
         } => {
-            let mut git_url = GitUrl::new(repository.clone(), reference.clone());
-            if let Some(precise) = precise {
-                git_url = git_url.with_precise(*precise);
-            }
+            let git_url = if let Some(precise) = precise {
+                GitUrl::from_commit(repository.clone(), reference.clone(), *precise)
+            } else {
+                GitUrl::from_reference(repository.clone(), reference.clone())
+            };
             Dist::Source(SourceDist::Git(GitSourceDist {
                 name: requirement.name.clone(),
                 git: Box::new(git_url),

crates/uv-resolver/src/lock.rs

@@ -863,9 +863,11 @@ impl Distribution {
             }
             Source::Git(url, git) => {
                 // Reconstruct the `GitUrl` from the `GitSource`.
-                let git_url =
-                    uv_git::GitUrl::new(url.to_url(), GitReference::from(git.kind.clone()))
-                        .with_precise(git.precise);
+                let git_url = uv_git::GitUrl::from_commit(
+                    url.to_url(),
+                    GitReference::from(git.kind.clone()),
+                    git.precise,
+                );
 
                 // Reconstruct the PEP 508-compatible URL from the `GitSource`.
                 let url = Url::from(ParsedGitUrl {
@@ -1488,7 +1490,9 @@ impl Source {
             UrlString::from(locked_git_url(git_dist)),
             GitSource {
                 kind: GitSourceKind::from(git_dist.git.reference().clone()),
-                precise: git_dist.git.precise().expect("precise commit"),
+                precise: git_dist.git.precise().unwrap_or_else(|| {
+                    panic!("Git distribution is missing a precise hash: {git_dist}")
+                }),
                 subdirectory: git_dist
                     .subdirectory
                     .as_deref()
@@ -2205,9 +2209,11 @@ impl Dependency {
                 index: None,
             },
             Source::Git(repository, git) => {
-                let git_url =
-                    uv_git::GitUrl::new(repository.to_url(), GitReference::from(git.kind.clone()))
-                        .with_precise(git.precise);
+                let git_url = uv_git::GitUrl::from_commit(
+                    repository.to_url(),
+                    GitReference::from(git.kind.clone()),
+                    git.precise,
+                );
 
                 let parsed_url = ParsedUrl::Git(ParsedGitUrl {
                     url: git_url.clone(),