fix(gnovm): fix private package re-upload issue (#4871)

[vikbez]

Fixed incorrect operation order preventing re-upload of edited private packages.
Also added a test case for this scenario.

[Gno2D2]

🛠 PR Checks Summary

All Automated Checks passed. ✅

Manual Checks (for Reviewers):

• IGNORE the bot requirements for this PR (force green CI check)
• The pull request description provides enough details (checked by @thehowl)

Read More

🤖 This bot helps streamline PR reviews by verifying automated checks and providing guidance for contributors and reviewers.

✅ Automated Checks (for Contributors):

🟢 Maintainers must be able to edit this pull request (more info)
🟢 Pending initial approval by a review team member, or review from tech-staff

☑️ Contributor Actions:

1. Fix any issues flagged by automated checks.
2. Follow the Contributor Checklist to ensure your PR is ready for review.
   • Add new tests, or document why they are unnecessary.
   • Provide clear examples/screenshots, if necessary.
   • Update documentation, if required.
   • Ensure no breaking changes, or include BREAKING CHANGE notes.
   • Link related issues/PRs, where applicable.

☑️ Reviewer Actions:

1. Complete manual checks for the PR, including the guidelines and additional checks if applicable.

📚 Resources:

• Report a bug with the bot.
• View the bot’s configuration file.

Debug

Automated Checks

Maintainers must be able to edit this pull request (more info)

If

🟢 Condition met
└── 🟢 And
    ├── 🟢 The base branch matches this pattern: ^master$
    └── 🟢 The pull request was created from a fork (head branch repo: vikbez/gno)

Then

🟢 Requirement satisfied
└── 🟢 Maintainer can modify this pull request

Pending initial approval by a review team member, or review from tech-staff

If

🟢 Condition met
└── 🟢 And
    ├── 🟢 The base branch matches this pattern: ^master$
    └── 🟢 Not (🔴 Pull request author is a member of the team: tech-staff)

Then

🟢 Requirement satisfied
└── 🟢 If
    ├── 🟢 Condition
    │   └── 🟢 Or
    │       ├── 🔴 At least one of these user(s) reviewed the pull request: [jefft0 leohhhn n0izn0iz notJoon omarsy x1unix] (with state "APPROVED")
    │       ├── 🟢 At least 1 user(s) of the team tech-staff reviewed pull request
    │       └── 🔴 This pull request is a draft
    └── 🟢 Then
        └── 🟢 Not (🔴 This label is applied to pull request: review/triage-pending)

Manual Checks

**IGNORE** the bot requirements for this PR (force green CI check)

If

🟢 Condition met
└── 🟢 On every pull request

Can be checked by

• Any user with comment edit permission

The pull request description provides enough details

If

🟢 Condition met
└── 🟢 And
    ├── 🟢 Not (🔴 Pull request author is a member of the team: core-contributors)
    └── 🟢 Not (🔴 Pull request author is user: dependabot[bot])

Can be checked by

• team core-contributors

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[mvertes]

The general idea is ok, but extra care must be taken to not introduce a vulnerability.

[vikbez]

@thehowl does the test you mention for function and method signatures are already here ?

I added the basic tests for private packages by creating addpkg_private_basic.txtar - but maybe it would be better to rename addpkg_private.txtar to addpkg_private_references.txtar and have the basic checks for the feature in addpkg_private.txtar.

I reverted the operations order, and used pv.Private instead of gm.Private.

I also added checks that prevents overwriting a public package with a private one and vice-versa, but let me know if you want me to remove that one as private > public may be a wanted feature to have.

Also, thanks everyone for the reviews :)

[moul]

LGTM, but we need to ensure that private packages cannot persist local objects or types in other realms. This way, replacing a package won't brick another one. I believe @MikaelVallenet handled this. Cc @thehowl.

[MikaelVallenet]

LGTM, but we need to ensure that private packages cannot persist local objects or types in other realms. This way, replacing a package won't brick another one. I believe @MikaelVallenet handled this. Cc @thehowl.

I did, should be OK

[MikaelVallenet]

i think #4949 and this PR should be one PR.
otherwise looks good to me & i agree that we can enable the possibility of transition from private -> public later