Documentation - PyPI - Sources - Issues
Git Workspace is a lightweight tool for creating and managing workspaces consisting of several interdependent `git` repositories. Starting from a main repository, Git Workspace discovers dependencies specified in a manifest file, fetching any specified required repositories and assembling them into a single workspace.
👉 You can read more about the used nomenclature in the documentation.
Git Workspace is written in Python.
Please install Python and then try:
```bash
curl -L https://github.com/pypa/pipx/releases/latest/download/pipx.pyz -o pipx.pyz && python3 pipx.pyz install git-ws
```
You may need to run:
```bash
python3 pipx.pyz ensurepath
```
pipx
If you already installed pipx (https://pypa.github.io/pipx/installation/), just run:
```bash
pipx install git-ws
```
You may need to run:
```bash
pipx ensurepath
```
pip
```bash
pip install git-ws
```
And that's it! Ideally, if your project also uses Python, we recommend adding Git Workspace as a dependency to it as well so that you can track the exact version of it together with your other dependencies. For example, if you use `poetry`, add it by running:
```bash
# Add Git Workspace as a development dependency:
poetry add --group dev git-ws
```
For testing you can try:
```bash
git ws --version
```
Git Workspace is integrated into `git` as `git ws` - this is what you will be using most of the time.
Let's assume we have a project called `myapp`, which requires a library `mylib` that is maintained in another `git` repository. In order to use this project with Git Workspace, `myapp` needs to provide a so-called manifest. A Git Workspace manifest is a simple TOML file - by default called `git-ws.toml` in the project's root folder - which defines the dependencies a project has as well as some other meta information. A minimal manifest for our project could look like this:
```toml
[[dependencies]]
name = "mylib"
url = "git@github.com:example/mylib.git"
revision = "v2.3.4"
```
If `myapp` and `mylib` are stored on the same server (side-by-side), then the manifest can be even simpler:
```toml
[[dependencies]]
name = "mylib"
revision = "v2.3.4"
```
The project will be searched via a relative path (which is either `../mylib` or `../mylib.git` depending on the main repository's URL). Relative paths are in general useful as they allow using the same protocol for the main repository as well as any of its dependencies.
See the Manifest Documentation for any further details on available options.
To build a workspace from a project prepared like that, simply clone it via `git ws`:
```bash
cd $HOME/Projects
git ws clone --update git@github.com:example/myapp.git
```
👉 Without the `--update` option, only the main repository will be fetched.
The above will clone the app repository and also the library side-by-side:
```bash
ls -a myapp/
# Should print something like
.
..
.git-ws
myapp
mylib
```
As you can see, besides the two repositories we wanted, there is also a hidden `.git-ws` folder where the tool stores the needed configuration data.
The `git ws clone` documentation describes all options.
Sometimes there are use cases where `git ws clone` cannot be used. For example, when you set up your manifest for the first time or when a CI/CD system creates the initial clone of the main repository, you may need a way to fetch the remaining projects. This can be done by simply running the following within the main project:
```bash
git ws init --update
```
👉 As with `git ws clone`, without the `--update`, no dependencies will be fetched.
This command initializes the workspace and just needs to run once. Changes to the manifest require an update operation (see next section) but no re-initialization.
Another important use case is keeping a workspace up-to-date. Let's say you pull in an update in the main repository, which in turn might cause changes in the manifest to be pulled in as well. Updating the existing workspace is as simple as:
```bash
# Update the workspace (main and all dependent repositories):
git ws update
# Alternatively, run `git rebase` instead of `git pull` in dependencies:
git ws update --rebase
```
`git ws` can leave the manifest version control to any other version control system (Subversion, VCS, DesignSync, etc.).
Just manage the manifest file `git-ws.toml` within the version control system of your choice.
Run `git ws init --update` or `git ws init --update -M path/to/git-ws.toml` in the intended workspace directory.
👉 As before, without the `--update`, no dependencies will be fetched.
Inside a git clone, `git ws init` uses the current git project as the main project of the workspace.
Outside a git clone, `git ws init` initializes a workspace without a main project.
👉 There are just two drawbacks of a workspace without a main project:
- `git ws tag` has no main project to tag and will fail. Please use `git ws manifest freeze`.
- `remotes`:
```toml
[[remotes]]
name = "main"
url-base = "git@github.example.com:your-group"

[[dependencies]]
name = "dep1"
remote = "main"
```
Please ensure a proper installation.
Let's take a clone of an example project, which does not use `git ws` yet.
```bash
mkdir -p $HOME/Projects/Example-Workspace
cd $HOME/Projects/Example-Workspace
git clone https://github.com/c0fec0de/git-ws-example-one.git
# Cloning into 'git-ws-example-one'...
# remote: Enumerating objects: 3, done.
# remote: Counting objects: 100% (3/3), done.
# remote: Compressing objects: 100% (2/2), done.
# remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
# Receiving objects: 100% (3/3), done.
```
Now you should have one git clone in your workspace directory. Let's use it as the main project.
First, we need a manifest file `git-ws.toml`.
```bash
cd git-ws-example-one
git ws manifest create
# Manifest 'git-ws.toml' created.
git add git-ws.toml
```
Now, we need to initialize the workspace:
```bash
git ws init
# ===== . (MAIN 'git-ws-example-one') =====
# Workspace initialized at '..'.
# Please continue with:
#
# git ws update
#
```
The parent directory became the `git ws` workspace directory.
The current git clone is the main project now.
`git ws` suggests running `git ws update`.
You can try, but nothing will happen yet, as the manifest is quite empty.
Let's add our first dependency `git-ws-example-lib`, which is located on the same git server.
You can manually edit the manifest file `git-ws.toml`, or you just run
```bash
git ws dep add git-ws-example-lib
```
Feel free to inspect the `git-ws.toml` file.
`git ws update` will now apply the manifest changes and pull the new dependency:
```bash
git ws update
# ===== . (MAIN 'git-ws-example-one', revision='main') =====
# Pulling branch 'main'.
# Already up to date.
# ===== ../git-ws-example-lib ('git-ws-example-lib') =====
# WARNING: Clone git-ws-example-lib has no revision!
# Cloning 'https://github.com/c0fec0de/git-ws-example-lib.git'.
# Cloning into '../git-ws-example-lib'...
# remote: Enumerating objects: 3, done.
# remote: Counting objects: 100% (3/3), done.
# remote: Compressing objects: 100% (2/2), done.
# remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
# Receiving objects: 100% (3/3), done.
```
Please note the warning:
```
# WARNING: Clone git-ws-example-lib has no revision!
```
It is strongly recommended to specify a default revision for all dependencies. The command
```bash
git ws default revision main
```
solves that for you. Any successive `git ws update` is now free of this warning:
```
===== . (MAIN 'git-ws-example-one', revision='main') =====
Pulling branch 'main'.
Already up to date.
===== ../git-ws-example-lib ('git-ws-example-lib', revision='main') =====
Pulling branch 'main'.
Already up to date.
```
Now you can add, commit and push your changes to the `git-ws.toml` file.
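A dependency with no revision, or with a branch or tag as its revision, follows whatever the remote serves at update time. As an added example (not part of the Git Workspace project or its documentation), this script classifies each `[[dependencies]]` entry of a manifest as missing, mutable or pinned; the `[defaults]` table name and the sample manifest entries are assumptions constructed for illustration.

```python
import re
try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # older interpreters: pip install tomli
    import tomli as tomllib

# Full commit id: 40 hex chars (SHA-1 repos) or 64 (SHA-256 repos).
FULL_SHA = re.compile(r"[0-9a-f]{40}(?:[0-9a-f]{24})?")

# Constructed sample manifest using the keys shown on this page.
SAMPLE = '''
[[dependencies]]
name = "mylib"
url = "git@github.com:example/mylib.git"
revision = "v2.3.4"

[[dependencies]]
name = "git-ws-example-lib"

[[dependencies]]
name = "frozen"
revision = "0123456789abcdef0123456789abcdef01234567"
'''

def audit_manifest(text):
    """Return {dependency name: 'pinned' | 'mutable' | 'missing'}."""
    data = tomllib.loads(text)
    # Assumption: a [defaults] table may carry a fallback revision.
    default = data.get("defaults", {}).get("revision")
    report = {}
    for dep in data.get("dependencies", []):
        rev = dep.get("revision", default)
        if not rev:
            report[dep["name"]] = "missing"   # the "has no revision" case
        elif FULL_SHA.fullmatch(rev):
            report[dep["name"]] = "pinned"    # immutable commit id
        else:
            report[dep["name"]] = "mutable"   # branch or tag, can move upstream
    return report

def unpinned(text):
    """Names a CI gate could reject before dependencies are fetched."""
    return sorted(n for n, s in audit_manifest(text).items() if s != "pinned")

if __name__ == "__main__":
    for name, state in audit_manifest(SAMPLE).items():
        print(f"{name}: {state}")
```

`git ws manifest freeze`, listed in the command tables on this page, prints the resolved manifest with SHAs, which is the form this check reports as pinned.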
Other colleagues should now use:
```bash
cd $HOME/Projects
git ws clone --update YOUR-REPO-URL
# OR
cd $HOME/Projects/Workspace
git clone YOUR-REPO-URL
cd <directory>
git ws init --update
```
`git ws status` shows all changes within all git clones in the workspace.
`git ws add` likewise runs the `git add` operation in the associated git clones.
Please see the next section for an overview of all commands.
Command | Description |
---|---|
git ws clone URL | Clone git repository from URL as main repository and initialize Git Workspace |
git ws init (inside a git clone) | Initialize Git Workspace at parent directory. Use current git clone as main repository |
git ws init (outside a git clone) | Initialize Git Workspace at current directory. No main repository. |
git ws manifest create | Create well documented, empty manifest |
Command | Description |
---|---|
git ws update | Pull latest changes on main repository and all dependent repositories (clone them if needed) |
git ws update --rebase | Same as above, but fetch and rebase instead of pull |
git ws status | Run git status on all repositories (displayed paths include the current clone path) |
git ws add FILES | Run git add FILE on FILES in the corresponding repositories |
git ws reset FILES | Run git reset FILE on FILES in the corresponding repositories. Undo git add |
git ws commit FILES -m MESSAGE | Run git commit FILE on FILES in the corresponding repositories |
git ws commit -m MESSAGE | Run git commit on repositories with changes |
git ws checkout FILES | Run git checkout FILE on FILES in the corresponding repositories |
git ws checkout | Checkout git revision specified as in the manifest(s) (clone them if needed) |
Command | Description |
---|---|
git ws push | Run git push on all repositories (in reverse order) |
git ws fetch | Run git fetch on all repositories |
git ws rebase | Run git rebase on all repositories |
git ws pull | Run git pull on all repositories |
git ws diff | Run git diff on all repositories |
git ws git CMD | Run git CMD on all repositories |
git ws foreach CMD | Run CMD on all repositories |
Command | Description |
---|---|
git ws dep update -r | Update all manifest files, use current checkout branch, tag or SHA as revision, use current remote origin as url, try to use relative URLs. |
git ws manifest freeze | Print The Resolved Manifest With SHAs For All Project Revisions. |
git ws manifest path | Print Path to Main Manifest File. |
git ws manifest paths | Print Paths to ALL Manifest Files. |
git ws manifest resolve | Print The Manifest With All Projects And All Their Dependencies. |
git ws manifest upgrade | Update Manifest To Latest Version. |
git ws manifest validate | Validate The Current Manifest, Exiting With An Error On Issues. |
git ws info main-path | Print Path to Main Git Clone. |
git ws info project-paths | Print Paths to all git clones. |
git ws info workspace-path | Print Path to Workspace. |
git ws info dep-tree | Print Dependency Tree. |
git ws info dep-tree --dot \| dot -Tpng > dep-tree.png | Draw Dependency Diagram (needs graphviz) |
See the command-line interface documentation for any further details.
Git Workspace is written in Python. Besides the `git ws` command line tool, there is also an API which you can use to further automate workspace creation and maintenance. If you are interested, have a look into the API documentation.
Before writing Git Workspace, we investigated several other existing tools in the hope they would fulfil our needs. In particular, we looked into the following tools and methodologies which are widely used to organize large projects:
- `git submodules`.
- `west` tool developed in the scope of Zephyr.
- `git` domain, one can also use a package manager like `conan`.
Unfortunately, none of the tools we tested really satisfied us. But hey, as we are developers - why not start our own tool for the purpose?
And that's what we did - Git Workspace is our tool for managing a large workspace consisting of several smaller `git` projects. Here is how it compares to the other tools we evaluated:
 | git submodules | repo | west | Monorepos | git ws |
---|---|---|---|---|---|
Reusable Components | ✅ | ✅ | ✅ | ➖ | ✅ |
Ease of Use | ➖ | ✅ | ✅ | ✅ | ✅ |
Editable Components | ➖ | ✅ | ➖ | ✅ | ✅ |
Freezing Configurations | ✅ | ✅ | ✅ | ✅ | ✅ |
Transitive Dependencies | ➖ | ➖ | ✅ | ➖ | ✅ |
Relative Dependency Paths | ✅ | ✅ | ➖ | ➖ | ✅ |
Branches in dependencies | ➖ | ✅ | ✅ | ➖ | ✅ |
Symlink/Copyfile-Support | ➖ | ✅ | ➖ | ➖ | ✅ |
👉 Please note that our view on the various features might be biased. As we did, always look at all the options available to you before deciding on one tool or the other. While the other tools in comparison did not model what we needed for our workflow, they might just be what you are looking for.
If you want to learn more, have a look into Why We Started Git Workspace.
FAQs
Git Workspace - Multi Repository Management Tool
We found that git-ws demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.