From 6b0821854834035498ef8c80ec6a1fd9338bf9b3 Mon Sep 17 00:00:00 2001 From: David McIntosh <804610+mctofu@users.noreply.github.com> Date: Thu, 4 Mar 2021 14:52:56 -0800 Subject: [PATCH 1/4] Upgrade golang to v1.16 Allows use of the new embed feature. --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 8681c0c02c4..b2b4fb748b8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -137,8 +137,8 @@ RUN add-apt-repository ppa:ondrej/php \ ### GO # Install Go and dep -ARG GOLANG_VERSION=1.15.7 -ARG GOLANG_CHECKSUM=0d142143794721bb63ce6c8a6180c4062bcf8ef4715e7d6d6609f3a8282629b3 +ARG GOLANG_VERSION=1.16 +ARG GOLANG_CHECKSUM=013a489ebb3e24ef3d915abe5b94c3286c070dfe0818d5bca8108f1d6e8440d2 RUN curl --http1.1 -o go.tar.gz https://dl.google.com/go/go${GOLANG_VERSION}.linux-amd64.tar.gz \ && echo "$GOLANG_CHECKSUM go.tar.gz" | sha256sum -c - \ && tar -xzf go.tar.gz -C /opt \ From f94051a9d83cabf8e76bb4a55b891fc30058033d Mon Sep 17 00:00:00 2001 
From: David McIntosh <804610+mctofu@users.noreply.github.com> Date: Fri, 5 Mar 2021 17:34:03 -0800 Subject: [PATCH 2/4] Renamed packages cause DependencyFileNotResolvable with go 1.16 Previously this error was only occuring with `go mod tidy` and was being ignored. With go 1.16 the error is triggered during `go get` so we need to handle it again. Distinguishing the error from GitDependenciesNotReachable also took some extra effort. The error message has changed from: github.com/dependabot/vgotest imports github.com/googleapis/gnostic/OpenAPIv2: module github.com/googleapis/gnostic@latest found (v0.5.1), but does not contain package github.com/googleapis/gnostic/OpenAPIv2 to: github.com/dependabot/vgotest imports github.com/googleapis/gnostic/OpenAPIv2: cannot find module providing package github.com/googleapis/gnostic/OpenAPIv2 We now use `go list` to check that github.com/googleapis/gnostic is a reachable repo/module. --- .../dependabot/go_modules/resolvability_errors.rb | 9 +++++---- .../go_modules/file_updater/go_mod_updater_spec.rb | 14 +++++--------- 2 files changed, 10 insertions(+), 13 deletions(-) diff --git a/go_modules/lib/dependabot/go_modules/resolvability_errors.rb b/go_modules/lib/dependabot/go_modules/resolvability_errors.rb index eba3fca01e9..02d09b4818d 100644 --- a/go_modules/lib/dependabot/go_modules/resolvability_errors.rb +++ b/go_modules/lib/dependabot/go_modules/resolvability_errors.rb 
@@ -15,16 +15,17 @@ def self.handle(message, credentials:) SharedHelpers.with_git_configured(credentials: credentials) do File.write("go.mod", "module dummy\n") - env = { "GOPRIVATE" => "*" } - _, _, status = Open3.capture3(env, SharedHelpers.escape_command("go get #{mod_path}")) - raise Dependabot::DependencyFileNotResolvable, message if status.success? - mod_split = mod_path.split("/") repo_path = if mod_split.size > 3 mod_split[0..2].join("/") else mod_path end + + env = { "GOPRIVATE" => "*" } + _, _, status = Open3.capture3(env, SharedHelpers.escape_command("go list -m -versions #{repo_path}")) + raise Dependabot::DependencyFileNotResolvable, message if status.success? + raise Dependabot::GitDependenciesNotReachable, [repo_path] end end diff --git a/go_modules/spec/dependabot/go_modules/file_updater/go_mod_updater_spec.rb b/go_modules/spec/dependabot/go_modules/file_updater/go_mod_updater_spec.rb index 9ff087bad7b..590ccf4d20f 100644 --- a/go_modules/spec/dependabot/go_modules/file_updater/go_mod_updater_spec.rb +++ b/go_modules/spec/dependabot/go_modules/file_updater/go_mod_updater_spec.rb @@ -229,16 +229,12 @@ # OpenAPIV2 has been renamed to openapiv2 in this version let(:dependency_version) { "v0.5.1" } - # NOTE: We explitly don't want to raise a resolvability error from go mod tidy - it "does not raises a DependencyFileNotResolvable error" do + it "raises a DependencyFileNotResolvable error" do + error_class = Dependabot::DependencyFileNotResolvable expect { updater.updated_go_sum_content }. - to_not raise_error - end - - it "updates the go.mod" do - expect(updater.updated_go_mod_content).to include( - %(github.com/googleapis/gnostic v0.5.1 // indirect\n) - ) + to raise_error(error_class) do |error| + expect(error.message).to include("googleapis/gnostic/OpenAPIv2") + end end end end From 1d72d70ac0fa0698bcacce9bf687a6d909aa3a36 Mon Sep 17 00:00:00 2001 
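Review bot: In `handle`, every non-zero exit of `go list -m -versions #{repo_path}` now falls through to `GitDependenciesNotReachable`, and both output streams are discarded (`_, _, status`), so a timeout, a host outage or a three-segment `repo_path` that is not itself a module is reported as a repository the credentials cannot reach. Keeping stderr, `_, stderr, status = Open3.capture3(env, ...)`, and checking it before choosing the error class would keep those cases apart and leave something to debug with. `repo_path` is also interpolated into the command string as a positional argument; `mod_path` is derived above the hunk (presumably from the error message), so if that parsing can yield a value beginning with `-`, reject it before the call, e.g. `raise Dependabot::DependencyFileNotResolvable, message if repo_path.start_with?("-")`. The method body starts outside the hunk, so this is based on the visible lines only.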
From: David McIntosh <804610+mctofu@users.noreply.github.com> Date: Mon, 8 Mar 2021 11:48:35 -0800 Subject: [PATCH 3/4] Test preservation of go retract directive --- .../go_modules/file_updater/go_mod_updater_spec.rb | 7 +++++++ go_modules/spec/fixtures/projects/go_retracted/go.mod | 10 ++++++++++ go_modules/spec/fixtures/projects/go_retracted/main.go | 8 ++++++++ 3 files changed, 25 insertions(+) create mode 100644 go_modules/spec/fixtures/projects/go_retracted/go.mod create mode 100644 go_modules/spec/fixtures/projects/go_retracted/main.go diff --git a/go_modules/spec/dependabot/go_modules/file_updater/go_mod_updater_spec.rb b/go_modules/spec/dependabot/go_modules/file_updater/go_mod_updater_spec.rb index 590ccf4d20f..f0d1889bdff 100644 --- a/go_modules/spec/dependabot/go_modules/file_updater/go_mod_updater_spec.rb +++ b/go_modules/spec/dependabot/go_modules/file_updater/go_mod_updater_spec.rb @@ -103,6 +103,13 @@ it { is_expected.to include("go 1.13") } end + context "when a retract directive is present" do + let(:project_name) { "go_retracted" } + + it { is_expected.to include("// reason for retraction") } + it { is_expected.to include("retract v1.0.5") } + end + describe "a dependency who's module path has changed (inc version)" do let(:project_name) { "module_path_and_version_changed" } diff --git a/go_modules/spec/fixtures/projects/go_retracted/go.mod b/go_modules/spec/fixtures/projects/go_retracted/go.mod new file mode 100644 index 00000000000..a7ba4181218 --- /dev/null +++ b/go_modules/spec/fixtures/projects/go_retracted/go.mod @@ -0,0 +1,10 @@ +module github.com/dependabot/vgotest + +go 1.16 + +require ( + rsc.io/quote v1.4.0 +) + +// reason for retraction +retract v1.0.5 diff --git a/go_modules/spec/fixtures/projects/go_retracted/main.go b/go_modules/spec/fixtures/projects/go_retracted/main.go new file mode 100644 index 00000000000..1e0952d8efd --- /dev/null +++ b/go_modules/spec/fixtures/projects/go_retracted/main.go 
@@ -0,0 +1,8 @@ +package main + +import ( + _ "rsc.io/quote" +) + +func main() { +} From a8cc8b78111b36457ce6bdc8bd38c03a92ef6c41 Mon Sep 17 00:00:00 2001 From: David McIntosh <804610+mctofu@users.noreply.github.com> Date: Fri, 12 Mar 2021 12:49:34 -0800 Subject: [PATCH 4/4] Bump to golang 1.16.2 --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index b2b4fb748b8..9ecb2dbd666 100644 --- a/Dockerfile +++ b/Dockerfile @@ -137,8 +137,8 @@ RUN add-apt-repository ppa:ondrej/php \ ### GO # Install Go and dep -ARG GOLANG_VERSION=1.16 -ARG GOLANG_CHECKSUM=013a489ebb3e24ef3d915abe5b94c3286c070dfe0818d5bca8108f1d6e8440d2 +ARG GOLANG_VERSION=1.16.2 +ARG GOLANG_CHECKSUM=542e936b19542e62679766194364f45141fde55169db2d8d01046555ca9eb4b8 RUN curl --http1.1 -o go.tar.gz https://dl.google.com/go/go${GOLANG_VERSION}.linux-amd64.tar.gz \ && echo "$GOLANG_CHECKSUM go.tar.gz" | sha256sum -c - \ && tar -xzf go.tar.gz -C /opt \