Whenever I switch branches, Xcode seems to update the originHash field in Package.resolved. I then have to tell Xcode to manually resolve packages again.
That sounds like a bug, and I can just file a bug about that.
But what I want to know is… why is the originHash changing in the first place? What does that represent? Should I be committing the value that it's trying to change to? Or should I be discarding that change?
I was wondering that as well, so I checked out apple/swift-package-manager and debugged a little.
It seems to me in the common case, originHash is little more than a SHA-256 checksum of your own Package.swift file; see for yourself by comparing it to the output of shasum -a 256 Package.swift.
In case you depend on other local packages (.package(path:)), then the checksum is taken to include their package file contents as well. (See source code for 5.10 here.)
It looks like swift package resolve (which AFAICT is roughly what Xcode also tells SwiftPM to do) doesn't normally touch your Package.resolved file if it exists. Weirdly, the command doesn't seem to care (!) whether your originHash actually matches, as can be tested by editing the pin file in a text editor and re-running the command.
But if the pin file goes missing[^1] before resolving dependencies, then that forces SwiftPM to spit out a Package.resolved JSON with a newly computed originHash. So if you're lucky and no dependencies got downgraded in the process, it may as well be that the updated originHash is actually correct after all!
[^1]: Because that's what Xcode apparently does sometimes when switching git branches.
