fix(resolve): Prevent submodule deletion

[dkattan]

Summary

This PR is now scoped to the submodule-preservation fix in resolve/edit mode. The recovery guidance/UI changes and overwrite diagnostics that were previously on this branch have been split out.

What changed

• Added shared helpers in gitbutler-workspace::submodules to detect configured submodules, identify submodule-related paths, and remove untracked files without deleting populated submodule worktrees.
• Updated update_uncommitted_changes_with_tree(...) to stop using broad remove_untracked(true) cleanup and instead perform targeted cleanup via remove_untracked_excluding_submodule_paths(...).
• Updated edit-mode enter/abort flows to preserve submodule worktrees during checkout/cleanup, keep the index in sync after forced cleanup, and surface a clearer forced-abort error when submodule/gitlink changes would be reverted.
• Added regression coverage for submodule detection, targeted cleanup, and edit-mode save/abort behavior with populated, dirty, and diverged submodule worktrees.

Key files touched

• crates/gitbutler-workspace/src/submodules.rs
• crates/gitbutler-workspace/src/branch_trees.rs
• crates/gitbutler-workspace/src/lib.rs
• crates/gitbutler-edit-mode/src/lib.rs
• crates/gitbutler-edit-mode/tests/edit_mode.rs
• crates/gitbutler-edit-mode/tests/fixtures/edit_mode.sh
• crates/gitbutler-workspace/Cargo.toml
• Cargo.lock

Validation run

• cargo test -p gitbutler-edit-mode -p gitbutler-workspace

[vercel]

@dkattan is attempting to deploy a commit to the GitButler Team on Vercel.

A member of the Team first needs to authorize it.

[Copilot]

Pull request overview

This PR fixes a bug where submodule working trees could be left empty after resolving conflicts in edit mode via but resolve finish. The fix adds best-effort repopulation of existing submodules after workspace checkout operations.

Changes:

• Adds repopulate_existing_submodules() helper that runs git submodule update --init --recursive after checkout operations
• Calls this helper in both git2-based and gix-based checkout paths within update_uncommitted_changes_with_tree()
• Adds regression test proving submodule files remain present after save_and_return_to_workspace()

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
crates/gitbutler-workspace/src/branch_trees.rs	Implements repopulate_existing_submodules() and integrates it into checkout operations
crates/gitbutler-edit-mode/tests/fixtures/edit_mode.sh	Adds test fixture with submodule setup
crates/gitbutler-edit-mode/tests/edit_mode.rs	Adds test verifying submodule repopulation works correctly

[Copilot]

The command execution uses .status() but ignores the result completely with let _ = .... While the comment mentions "best-effort" behavior, there's no logging when the command fails, which could make debugging issues difficult. Consider adding tracing/logging on failure to help diagnose submodule repopulation issues in production, similar to patterns in but-worktrees/src/git.rs where output is logged with tracing::info! and tracing::error!.

[Copilot]

The code should use std::process::Command::from(gix::command::prepare(gix::path::env::exe_invocation())) instead of Command::new("git") to follow the codebase's established pattern for git command execution. The gix::command::prepare() wrapper handles platform-specific concerns (especially on Windows) and proper environment setup, which is particularly important for submodule operations that may need access to the git configuration.

Suggested change

	let _ = Command::new("git")
	.arg("-c")
	.arg("protocol.file.allow=always")
	.arg("submodule")
	.arg("update")
	.arg("--init")
	.arg("--recursive")
	.current_dir(workdir)
	.status();
	let _ = Command::from(gix::command::prepare(
	gix::path::env::exe_invocation(),
	))
	.arg("-c")
	.arg("protocol.file.allow=always")
	.arg("submodule")
	.arg("update")
	.arg("--init")
	.arg("--recursive")
	.current_dir(workdir)
	.status();

[dkattan]

Addressed the Copilot review feedback in follow-up commits:

• switched git invocation to the codebase pattern: Command::from(gix::command::prepare(gix::path::env::exe_invocation()))
• added tracing logs for submodule repopulation outcomes (success/failure/error)
• added corresponding lockfile update for the new tracing dependency

Validation rerun: cargo test -p gitbutler-edit-mode --test edit_mode (passes).

[Copilot]

Pull request overview

Copilot reviewed 4 out of 5 changed files in this pull request and generated no new comments.

[Caleb-T-Owens]

Hi! Thanks for submitting this PR.

Please can you sign your PR's commits.

---

It's an interesting question whether we want to manually restore submodules like this. I'm not super familiar with with submodules so I'm hoping you can help me understand some of the following questions:

Does it always make sense to do a --recursive type update? Are there user setups where this could actually be destructive or undesirable?

What is git's behaviour after a checkout with submodules - can we mirror that exactly?

---

I'm also curious about your reasoning to add this call in the branch_trees.rs file. If your scope is to just target edit mode - should we have the calls specifically be in the edit mode code?

Otherwise, is this a sustainable approach to trying to better support submodules? Are there downsides to calling this after every update of HEAD?

If we do want to take this as a more wide-spread approach of maintaining submodules, could you help me understand how this fits into the current state of play with our submodule support.

Many thanks, Caleb

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

[Copilot]

PR description mentions a new repopulate_existing_submodules helper (and running git submodule update --init --recursive via Command) in this file, but the actual change here only disables remove_untracked(true) when submodules are detected. Either update the PR description to match the implemented approach, or add the missing repopulation helper if that behavior is still required (e.g., to recover already-empty submodule worktrees).

[Copilot]

is_submodule_related_path() treats the submodule root path itself as “submodule-related” (path == sm), so collect_checkout_paths() will exclude gitlink changes for that submodule. As a result, entering edit mode can silently skip commits that add/remove/modify submodule entries (or change only the submodule pointer), because the checkout pathspec will be empty and the checkout is skipped. Consider only excluding paths inside submodules (e.g., sm/…) while still allowing the submodule root path so the superproject’s gitlink entry is updated.

Suggested change

	.any(|sm| path == sm || path.strip_prefix(sm).is_some_and(|rest| rest.starts_with('/')))
	.any(|sm| path.strip_prefix(sm).is_some_and(|rest| rest.starts_with('/')))

[Copilot]

has_submodules_configured() is duplicated here and in crates/gitbutler-workspace/src/branch_trees.rs with identical logic. To avoid the two copies drifting (and to keep submodule detection consistent across workspace checkouts and edit-mode operations), consider extracting this into a shared utility (e.g., a small helper module in gitbutler-workspace or a common crate) and reusing it from both locations.

Suggested change

	let Ok(mut entries) = config.entries(Some("submodule\\..*\\.url")) else {
	return repo
	.path()
	.join("modules")
	.read_dir()
	.map(|mut it| it.next().is_some())
	.unwrap_or(false);
	};
	entries.next().transpose().ok().flatten().is_some()
	|| repo
	.path()
	.join("modules")
	.read_dir()
	.map(|mut it| it.next().is_some())
	.unwrap_or(false)
	let modules_root = repo.path().join("modules");
	let modules_dir_has_entries = modules_root
	.read_dir()
	.map(|mut it| it.next().is_some())
	.unwrap_or(false);
	let Ok(mut entries) = config.entries(Some("submodule\\..*\\.url")) else {
	return modules_dir_has_entries;
	};
	entries
	.next()
	.transpose()
	.ok()
	.flatten()
	.is_some()
	|| modules_dir_has_entries

[dkattan]

@Caleb-T-Owens
I've now updated the implementation and force-pushed as a single signed commit (bad49bc2). The current approach no longer runs git submodule update --init --recursive. The approach now is to prevent the submodule deletion in the first place rather than attempt to fix it whenever it happened.

What changed:

• scoped behavior to edit-mode checkout transitions using path-filtered checkout in gitbutler-edit-mode/src/lib.rs
• kept branch_trees.rs changes because save_and_return_to_workspace still goes through update_uncommitted_changes_with_tree, so this remains on the edit-mode lifecycle path
• deduped has_submodules_configured into gitbutler-workspace/src/submodules.rs and reused it from both call-sites
• updated PR description to match this implementation

On your sustainability questions: I agree broad recursive submodule updates after every HEAD movement are too risky/surprising. This revision avoids that and keeps the fix narrowly targeted to preventing destructive checkout behavior in the edit-mode flow covered by the regression test.

Human edit: Apologies for the AI slop in the responses. Should be cleaned up now. I swear I'm a human.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.

[Copilot]

The test only verifies that the submodule worktree file exists after entering and leaving edit mode, but it doesn't verify that the submodule is still properly configured and functional. Consider adding assertions to check that the submodule can still be updated or that its git state is intact (e.g., checking that submodules/test-module/.git exists and is valid).

[Copilot]

The error from submodule.update() is silently ignored with let _ =. While this might be intentional to prevent submodule update failures from blocking the main operation, it means users won't be notified if submodules fail to update. Consider logging the error at least at the debug or warn level so that users and developers can diagnose submodule issues. For example: if let Err(e) = submodule.update(true, None) { tracing::warn!("Failed to update submodule: {}", e); }

[Copilot]

When has_submodules is true but checkout_head_paths is empty (meaning all changed paths are submodule-related), the checkout is skipped entirely. This is correct and preserves the worktree state. However, consider whether HEAD update (repo.set_head(EDIT_BRANCH_REF)) should still proceed even when there's nothing to checkout. The current implementation updates HEAD before the checkout decision, which seems correct, but it's worth documenting this intentional behavior with a comment explaining why skipping checkout is safe when all paths are submodule-related.

Suggested change

	}
	}
	// When `has_submodules` is true and `checkout_head_paths` is empty,
	// all changes are submodule-related. In that case we intentionally
	// skip `checkout_head` after updating HEAD above. This preserves the
	// existing worktree (including submodules), which may be managed
	// independently, while still moving HEAD to `EDIT_BRANCH_REF`.

[Copilot]

This code has an unnecessary wrapper pattern. The closure returns Result<()>, which is immediately bound to result, and then result is returned unchanged. This pattern doesn't add any value and makes the code less readable. The closure body should either be inlined directly, or if error context needs to be added, use .context() instead of this pattern.

[Copilot]

The recursive directory traversal doesn't distinguish between actual Git submodule repositories and other directories that happen to contain a HEAD file. A directory with just a HEAD file isn't necessarily a valid Git repository or submodule. Consider checking for additional indicators of a valid Git repository (like config, refs, or objects directories) to avoid false positives. Also, this implementation will traverse into subdirectories indefinitely, which could be a performance issue in repositories with deeply nested module structures.

[dkattan]

Addressed Copilot feedback on PR/body mismatch by updating the PR description to match the current implementation (path-filtered checkout behavior, guarded remove_untracked usage, shared submodule detection helper, and targeted configured-submodule sync).

[Byron]

Thanks @dkattan. Could you also hit the resolve button for everything you addressed, or comment on it before resolving if it wasn't addressed? Lastly, the PR needs rebasing due to conflicts, and I am putting it back to draft now so you can put it back in 'ready for review' when it's truly ready.
CI fails too.

[dkattan]

@copilot please review this PR.

[Byron]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ce81c5410a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve commit-accurate gitlinks when building checkout paths

Filtering out submodule paths here means the subsequent edit-mode checkouts never apply gitlink entries from commit_parent -> commit. In repositories where the currently checked-out workspace head has a newer submodule pointer (for example, editing a non-tip commit after a later commit changed the same submodule), the edit branch keeps that newer gitlink and save_and_return_to_workspace can silently rewrite the edited commit with the wrong submodule SHA.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Propagate failures when deleting untracked paths

This cleanup routine discards filesystem deletion errors, so callers get Ok(()) even when untracked files could not be removed (e.g., read-only or permission-denied paths). That leaves the worktree in an unexpected state after forced cleanup and can leak files into later operations such as index.add_all("*") during save-from-edit-mode. Returning the I/O error would prevent silent corruption of subsequent steps.

Useful? React with 👍 / 👎.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 9 changed files in this pull request and generated 4 comments.

[Copilot]

collect_submodule_paths_from_modules_dir() uses repo.path().join("modules"), but in linked-worktree repositories the common git dir (where modules/ lives) may differ from repo.path(). Consider using the repository common dir (e.g. repo.commondir() in libgit2/git2-rs) so submodule detection still works in linked worktrees and you don't fall back to the unsafe broad cleanup behavior.

Suggested change

	let modules_root = repo.path().join("modules");
	let modules_root = repo.commondir().join("modules");

[Copilot]

remove_untracked_excluding_submodule_paths() ignores errors from remove_dir_all/remove_file. That can silently leave untracked files behind (e.g. permission issues) and make later operations behave unpredictably. Prefer returning an error with context for failures other than NotFound, and only suppress errors you explicitly want to treat as best-effort.

[Copilot]

configured_submodule_paths(repo) is computed here only to decide whether to call remove_untracked(true), but when submodule_paths is non-empty you then call remove_untracked_excluding_submodule_paths(repo), which recomputes configured_submodule_paths() internally. Consider changing remove_untracked_excluding_submodule_paths to accept the already-computed list (or adding an internal helper) to avoid repeated filesystem/config scanning on each checkout.

[Copilot]

is_submodule_related_path() assumes Git-style / path separators (rest.starts_with('/')), but configured_submodule_paths() builds paths via Path::to_string_lossy() (from repo.submodules() and .git/modules scanning), which will produce \ on Windows. That can cause submodule paths to not match, re-enabling submodule worktree deletion on Windows. Normalize paths to a single separator (e.g. convert \→/ in both path and each sm before comparisons, or store submodule paths as normalized Git paths when collecting).