fixes toolchain directive getting into go.mod #7884

Merged (4 commits) on Aug 23, 2023

jakecoffman (Member)

Fixes #7868

I had to read https://tip.golang.org/doc/toolchain#select a few times to understand this so let me summarize:

With GOTOOLCHAIN unset, Go 1.21 will use the locally installed toolchain (1.21.0 currently) if the go directive is <= 1.21. This means it was injecting the new toolchain directive and updating the go directive to 1.21 in older go.mods, but Dependabot code reverts the change to the go directive, which is how we ended up with #7868. This only affected go.mod files that had dependencies that were on 1.21.

By switching to GOTOOLCHAIN="go1.20+auto" we revert to using Go 1.20 to retain the current behavior for go.mod files with a go directive <=1.20, but the auto means any go.mod files that are on newer versions will automatically select the right Go toolchain and download it if not installed locally.

Thus technically this is the last bump we ever need to do with the Go version. Although to prevent each job from downloading the Go toolchain on-the-fly we can pre-install multiple popular versions.
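
An added illustration of the selection rule summarized above (not part of this pull request or of Dependabot's code): a simplified Go model of how `GOTOOLCHAIN=<name>+auto` picks a toolchain from the `go` and `toolchain` lines of go.mod, following the linked toolchain documentation. `rank` and `selectToolchain` are hypothetical helper names, the go.mod bodies are constructed samples, and `GOTOOLCHAIN` is assumed to be `go<version>` or `go<version>+auto`.

```go
package main

import (
	"fmt"
	"strings"
)

// rank turns "go1.20.8" or "1.21" into a comparable number (1020008, 1021000).
// Simplification: pre-release suffixes such as "1.21rc1" are ignored.
func rank(v string) int {
	var a, b, c int
	fmt.Sscanf(strings.TrimPrefix(v, "go"), "%d.%d.%d", &a, &b, &c)
	return a*1000000 + b*1000 + c
}

// selectToolchain models GOTOOLCHAIN=<name>+auto: <name> is the default, and a
// newer toolchain is chosen only when go.mod's toolchain or go line asks for one.
func selectToolchain(gotoolchain, goMod string) string {
	def := strings.TrimSuffix(gotoolchain, "+auto")
	if def == gotoolchain {
		return def // no "+auto": always run exactly this toolchain
	}
	lines := map[string]string{}
	for _, l := range strings.Split(goMod, "\n") {
		if f := strings.Fields(l); len(f) == 2 {
			lines[f[0]] = f[1] // keeps "go 1.21.0" and "toolchain go1.21.3"
		}
	}
	tc, v := lines["toolchain"], lines["go"]
	switch {
	case tc != "" && rank(tc) > rank(def):
		return tc // toolchain line is newer than the default
	case v != "" && rank(v) > rank(def):
		return "go" + v // go line is newer than the default
	}
	return def
}

func main() {
	// Constructed go.mod bodies, not taken from any real repository.
	mods := []string{"module m\ngo 1.19\n", "module m\ngo 1.21.0\n", "module m\ngo 1.21.0\ntoolchain go1.21.3\n"}
	for _, mod := range mods {
		fmt.Println(selectToolchain("go1.20+auto", mod))
	}
}
```

Any result other than the default is a toolchain the job would download if it is not already installed, which is the case the pre-install suggestion above addresses.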

@jakecoffman jakecoffman requested a review from a team as a code owner August 23, 2023 16:14
@github-actions github-actions bot added the L: go:modules Golang modules label Aug 23, 2023
@jakecoffman jakecoffman merged commit a9f6ee9 into main Aug 23, 2023
@jakecoffman jakecoffman deleted the jakecoffman/fix-go-toolchain-issue branch August 23, 2023 20:53
vincentbernat added a commit to vincentbernat/dependabot-core that referenced this pull request Sep 6, 2023
Due to a bug in Go 1.20 (see golang/go#61873),
when importing a module without a dot in it, we get:

```
 18:13 ❱ GOTOOLCHAIN="go1.20+auto" go get
akvorado: ambiguous import: found package akvorado in multiple modules:
        akvorado (/home/bernat/code/free/akvorado)
         (/home/bernat/src/gocode/pkg/mod/golang.org/toolchain@v0.0.1-go1.20.linux-amd64/src/akvorado)
```

This issue was fixed in Go 1.20.8 which was just released. By using
`go1.20.8` as a toolchain for anything <= 1.20, we still cover the use
case introduced in dependabot#7884, but we also avoid this bug. `go1.20.8` is a
valid toolchain. For Go 1.20, only `go1.20` is a valid version for `go`
directive in `go.mod`.
jakecoffman pushed a commit that referenced this pull request Sep 6, 2023
Successfully merging this pull request may close these issues.

gomod: Bumping a dependency that sets "go 1.21" in their go.mod sets "toolchain 1.21" in mine