Respect renv lockfiles

[hadley]

@aronatkins and @kevinushey: this is still an early draft, but I thought it would be useful to get some feedback now that I've put a couple of hours into it. It still needs a bunch of testing, and I doubt i have all the details of the renv -> packrat translation are fully correct yet, but this overall this feels like a solid approach to me. What do you think?

Fixes #671. Fixes #809.

[aronatkins]

Could we renv->manifest rather than renv->packrat->manifest?

[hadley]

I'm still fighting some buglet with BioC packages. In a project that uses Biobase, I get the following error:

# Installing required R packages with `packrat::restore()` ---------------------
Installing BiocGenerics (0.44.0) ... 
Using cached BiocGenerics.
	OK (symlinked cache)
Installing BiocManager (1.30.18) ... 
Using cached BiocManager.
	OK (symlinked cache)
Installing BiocVersion (3.16.0) ... 
curl: HTTP 200 https://bioconductor.org/packages/3.16/data/annotation/src/contrib/PACKAGES.rds
curl: HTTP 200 https://bioconductor.org/packages/3.16/data/experiment/src/contrib/PACKAGES.rds
curl: HTTP 200 https://bioconductor.org/packages/3.16/bioc/src/contrib/PACKAGES.rds
curl: HTTP 200 https://bioconductor.org/packages/3.16/workflows/src/contrib/PACKAGES.rds
curl: HTTP 200 https://colorado.posit.co/rspm/all/latest/src/contrib/PACKAGES.rds
curl: HTTP 404 https://bioconductor.org/packages/3.16/data/annotation/src/contrib/Archive/BiocVersion/BiocVersion_3.16.0.tar.gz
curl: (22) The requested URL returned error: 404 Not Found
curl: HTTP 404 https://bioconductor.org/packages/3.16/data/annotation/src/contrib/Archive/BiocVersion/BiocVersion_3.16.0.tar.gz

The manifest looks ok to me:

    "BiocVersion": {
      "Package": "BiocVersion",
      "Version": "3.16.0",
      "Source": "Bioconductor",
      "Repository": "https://bioconductor.org/packages/3.16/bioc",

I suspect there's some small mistake that will hopefully be obvious when I look at it on Monday.

[hadley]

BioC install problem was caused by colorado only having 4.1 installed. Works on rstudioservices.

[toph-allen]

In general, I think this change makes sense, especially because packrat is itself using a vendored version of renv to snapshot dependencies.

It seems like a lot of the complexity here is within the blocks that standardize the different ways packrat, renv, and pak record package metadata, as well as assumptions they make about packages that aren't just structural differences (and how these have evolved over time). I appreciate having links to the relevant source in the comments. (The one that stood out to me was the check for isDevVersion()).

The Bitbucket name capitalization is the only required change I noticed. But I only noticed it because I spent long enough with Bitbucket when I was implementing support for restoring those packages in Connect. We'll probably want to do some real-world tire-kicking of those sorts of scenarios in case there are other small things like that we missed. Either that or build out more examples in tests.

[aronatkins]

Some questions about package+repository handling, but this is probably far enough along to merge and get folks to start actively using it.

[aronatkins]

Do you think that folks will need an explicit snapshot type for deploys and another snapshot type for all other workflows? Put another way: Do we need a way to toggle the snapshot type just for deploys?

[kevinushey]

renv::snapshot() does accept a type argument so this would be straightforward to wire up, at least.

[hadley]

My sense is that once we enable support for renv lockfile, we'll get quite a few feature requests so we might as well just let them accumulate for a while to get a sense for what people actually want, rather than doing too much prospectively.

[aronatkins]

The renv/settings.json isn't included; does this mean that a snapshot.type set in a previous session will not be available?

[hadley]

Yes, but I don't think that should matter because the settings only really affect interactive usage, and the consequence of those settings will be encoded in the lockfile.

[aronatkins]

The recommendation to use renv::settings$snapshot.type("explicit") presents a challenge, then, if we expect folks to set that ahead of each deploy operation but do so in a way that does not modify their existing renv project settings. What is your suggested workflow?

[aronatkins]

nit: This is an internal source reference.

[aronatkins]

Does this cause renv.lock to be included in the bundle?

[hadley]

Yes; that's necessary so that we can process it in bundlePackages(). Do you foresee a problem with including this in the deployed bundle? If so, I can delete. (But I think you could also renv::restore() directly from that file without having to convert the manifest back into a packrat spec).

[aronatkins]

I am torn on this one.

On the one hand, including only the manifest.json in the bundle is quite nice because it means we have a single source-of-truth. Folks have been confused by the presence of both manifest.json and packrat.lock in our bundles, as well as the relationship between the two (and duplication of information).

On the other hand, I like including the renv.lock, as it gives us a future option of directly using that file without reconstructing it from the manifest.

Mostly, my struggle is that I had thought about this change as "manifest-only, no packrat.lock" rather than "manifest plus renv.lock; except when we create the renv.lock on the fly".

Let's go forward with the (sometimes) inclusion, but probably document the change.

[hadley]

It feels like it would be a bit more consistent to include lock file, even when we generate it? I'm currently explicitly deleting it, but it seems reasonable to remove that code and preserve the lock file.

[aronatkins]

A generated lock file isn't on the set of "bundle files" that was computed much earlier in the workflow... I'm OK either way, but if we do include a generated lock file, let's include it only when we have tracked dependencies (e.g. not for static).

[aronatkins]

nit: during restore, renv first favors a matching repository name before falling back to "any" repository. not sure if we want that same pattern here or want to rely available.packages order like we do for Packrat.

Maybe this is: prefer the Repository named in renv.lock and prefer available.packages for snapshots.

Also worth considering: Should we prefer the renv.lock repository list or the list in the current R session?

https://github.com/rstudio/renv/blob/81fecb07fcc78cabb61b5309875e59484727b090/R/retrieve.R#L875-L880

[kevinushey]

Overall LGTM!

[kevinushey]

Not sure if you need it for this PR, but if you'd like to depend on renv internals without risking breakage from new renv releases, you can also use renv::embed() to embed a local copy of renv here.

[aronatkins]

Related thought: Do we need a version constraint on renv?

[hadley]

We don't need to embed because we're only using exported functions so far, but will keep it in mind for the future.

I've add a requirement for the latest version from CRAN.

[kevinushey]

renv::snapshot() does accept a type argument so this would be straightforward to wire up, at least.

[kevinushey]

Should we also detect whether the trailing version component is "large"? In case a local version is 1.0.0-9000 but CRAN has 1.0.1?

[hadley]

That's not a version used by every package, so I worry that would dilute the impact of this change.

[hadley]

I think this is done, and I've finally managed to knock of the CI failure. Unless anyone spots any problems, I'll aim to merge tomorrow.

[toph-allen]

Looked through the changes since my last review, and they all look good.