Consume the Go dependency from the Paketo dep server

[fg-j]

Per paketo-buildpacks/dep-server#45, we should start consuming the Go runtime dependency from the dep-server (See https://api.deps.paketo.io/v1/dependency?name=go for example dependency URIs) instead of the https://buildpacks.cloudfoundry.org/dependencies/go/... location we currently get the dependencies from.

This will make the dependency publishing/consumption process more transparent than the process we use for the dependencies available via the dependency-builds pipeline.

We have already done this switch-over in the Node Engine and Yarn Buildpacks. The outline of what this work will entail can be found in the dep-server issue linked at the top.

[fg-j]

Attempting to complete this issue, the jam update-dependencies command is returning an Invalid Semantic Version error that I believe is coming from the part of the command 's execution that finds dependencies whose versions match the provided constraint

Taking a look at the metadata on the API endpoint (https://api.deps.paketo.io/v1/dependency?name=go), we can see that the version of the dependencies on the server aren't valid SemVer. Here's one entry as an example:

[
  {
    "name": "go",
    "version": "go1.16.5",
    "sha256": "7bdb077313464ce05be8643e8fcca76271480372d64742c732b415a5027e8555",
    "uri": "https://deps.paketo.io/go/go_go1.16.5_linux_x64_bionic_7bdb0773.tgz",
    "stacks": [
      {
        "id": "io.buildpacks.stacks.bionic"
      },
      {
        "id": "io.paketo.stacks.tiny"
      }
    ],
    "source": "https://dl.google.com/go/go1.16.5.src.tar.gz",
    "source_sha256": "7bfa7e5908c7cc9e75da5ddf3066d7cbcf3fd9fa51945851325eebc17f50ba80",
    "deprecation_date": "",
    "created_at": "2021-06-03T21:42:31+00:00",
    "modified_at": "2021-06-03T21:42:31+00:00",
    "cpe": "cpe:2.3:a:golang:go:1.16.5:*:*:*:*:*:*:*"
  },

This issue is blocked until either a) jam is patched to allow for this type of version or b) the dep server changes its versioning for this dependency.

[fg-j]

@sophiewigmore Do you have context on why the versions of the Go dependency aren't semver in the dep server?

[sophiewigmore]

I'm assuming it wasn't intentional. The version retrieval code just reaches out and grabs whatever metadata it can from https://golang.org/doc/devel/release.html, and the versions there are just formatted like that. I will add something to get the versions into a semver compliant format when they get published. Thanks for finding this!

[fg-j]

The semver version issue is discussed in paketo-buildpacks/dep-server#53 . This will be unblocked once that issue is addressed.

[sophiewigmore]

@fg-j the versions in the dep-server are now semantic versioned and will continue to be as new versions come out