Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gomod: Bumping a dependency that sets "go 1.21" in their go.mod sets "toolchain 1.21" in mine #7868

Closed
1 task done
antifuchs opened this issue Aug 22, 2023 · 5 comments · Fixed by #7884
Closed
1 task done

gomod: Bumping a dependency that sets "go 1.21" in their go.mod sets "toolchain 1.21" in mine #7868

antifuchs opened this issue Aug 22, 2023 · 5 comments · Fixed by #7884
Assignees
@jakecoffman
Labels
good first issue L: go:modules Golang modules T: bug 🐞 Something isn't working

Comments

@antifuchs
Copy link

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

gomod

Package manager version

1.20

Language version

1.20

Manifest location and content before the Dependabot update

go.mod. Link to original module file: https://github.com/boinkor-net/tsnsrv/blob/469a5104d7914816d185fec37a031cc47b67f032/go.mod

dependabot.yml content

https://github.com/boinkor-net/tsnsrv/blob/469a5104d7914816d185fec37a031cc47b67f032/.github/dependabot.yml

Updated dependency

"tailscale" from v1.46.1 to v1.48.1

What you expected to see, versus what you actually saw

I was expecting this PR to only contain the version bump; however, it also added this line: https://github.com/boinkor-net/tsnsrv/pull/25/files#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6R4

in diff form:

diff --git a/go.mod b/go.mod
index a6d61d9..73b1321 100644
--- a/go.mod
+++ b/go.mod
@@ -1,13 +1,14 @@
 module github.com/antifuchs/tsnsrv
 
 go 1.20
+toolchain go1.21.0
 
 require (
 	github.com/peterbourgon/ff/v3 v3.4.0
 	github.com/prometheus/client_golang v1.16.0
 	github.com/stretchr/testify v1.8.4
-	golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53
-	tailscale.com v1.46.1
+	golang.org/x/exp v0.0.0-20230725093048-515e97ebf090
+	tailscale.com v1.48.1
 )
 
 require (
@@ -32,6 +33,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/coreos/go-iptables v0.6.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/dblohm7/wingoes v0.0.0-20230803162905-5c6286bb8c6e // indirect
 	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/godbus/dbus/v5 v5.1.0 // indirect

note the "toolchain" line that directly contradicts the go line above it. Go 1.20 does not understand the "toolchain" keyword, and so the resulting PR build fails.

(aside, yep, apparently it's fine to link the tailscale library into a go 1.20 library, but yeah, I should upgrade that version as soon as my toolchain supports it.)

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

Find the PR at boinkor-net/tsnsrv#25

Smallest manifest that reproduces the issue

No response
@antifuchs antifuchs added the T: bug 🐞 Something isn't working label Aug 22, 2023
@antifuchs antifuchs changed the title gomod: Bumping a dependency that sets "toolchain" in their go.mod sets it in mine gomod: Bumping a dependency that sets "go 1.21" in their go.mod sets "toolchain 1.21" in mine Aug 22, 2023
@jakecoffman jakecoffman added the L: go:modules Golang modules label Aug 22, 2023
@jakecoffman
Copy link
Member

Thanks for reporting this, looks like we need to set GOTOOLCHAIN to the version specified in the go.mod.

@jakecoffman jakecoffman mentioned this issue Aug 23, 2023
Merged
@jakecoffman jakecoffman self-assigned this Aug 23, 2023
@jakecoffman
Copy link
Member

@antifuchs should be working now if you want to give that PR a @dependabot recreate comment and try it out.

@antifuchs
Copy link
Author

OK, that looks far more reasonable! Confirmed that it's the expected result, thank you (:

@2opremio 2opremio mentioned this issue Oct 23, 2023
Merged
@spencerschrock
Copy link

I'm seeing this toolchain insertion behavior happening again, this time with 1.22:
ossf/scorecard#3928

go 1.21.5
+toolchain go1.22.1

I can open a separate issue if preferred, but was trying to avoid duplicates

@janisz
Copy link

janisz commented Apr 3, 2024

I created a PR about toolchain removal #9422

matthewhughes-uw added a commit to utilitywarehouse/manifest-checkers that referenced this issue Jan 6, 2025
@matthewhughes-uw
Tidy go.mod
6351395 
To fix errors that were seen after updating, also drop an unnecessary
`toolchain` directive: apparently `dependabot` is still adding this
directive (despite the issue[1] being closed)

Link: dependabot/dependabot-core#7868 [1]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jakecoffman jakecoffman

Labels
good first issue L: go:modules Golang modules T: bug 🐞 Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fixes toolchain directive getting into go.mod dependabot/dependabot-core
4 participants
@antifuchs @jakecoffman @janisz @spencerschrock