fix: Relax go directive in go.mod to 1.22.0 #3423
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
Rather than require all consumers to be building with the latest 1.22.10 release of Go 1.22, match the support statement and permit any version of 1.22.x to be used. Since Go 1.21 the go directive in go.mod is considered a hard requirement version and anything older will refuse to build. Update the N-1 go-version used in GitHub Actions to be the .0 release to help ensure this compatibility is maintained in the future. Signed-off-by: Dominic Evans <[email protected]>
gmlewis
changed the title
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #3423 +/- ##
==========================================
- Coverage 97.72% 92.22% -5.51%
==========================================
Files 153 173 +20
Lines 13390 14937 +1547
==========================================
+ Hits 13085 13775 +690
- Misses 215 1068 +853
- Partials 90 94 +4 ☔ View full report in Codecov by Sentry. |
|
@dnwe is there a specific reason why the examples and tools are being downgraded to Go Also it might improve the maintainability of the GH Actions automation to use https://endoflife.date/go (JSON API) to automate the N-1 version selection? curl -sS https://endoflife.date/api/go.json | jq -r '[.[] | select(.eol | not)] | sort_by(.releaseDate) | reverse | .[1] | "\(.cycle).0"' |
The intention was that the examples should work out-of-the-box with any Go version within the supported range, so pinning to the same as the top-level module ensures that the union of dependencies they use are also compatible right back to 1.22.0. It's also convenient as they can be updated in sync in the future.
I can look at doing this in a follow-up PR if it would be useful — we'd build the go-version matrix programmatically in one stage and feed it in |
I get the intention, but is it valid in the context of an example? An example is meant to show the correct way the system "SHOULD" be used, while supporting the |
Similar constraints apply though. If an enterprise developer is using RHEL in a constrained environment with the package-manager installed toolchain then they'll have go 1.22.9. They'll see the repo says "supports 1.22" and they'll clone it and attempt to build/run some examples and they get a rather unhelpful failure message of: Yes, they could manually edit the go.mod and continue, but it feels like the samples should just track the same supported levels as the main module, not require an explicit (latest) patch version and just work out of the box. There's no language changes between .9 and .10 so why force the requirement to use it? There only real downside to this approach is that you can't pull in other dependencies in the examples that have similar made the (imo mistake) of setting an arbitrarily high 1.22.x or 1.23.x go version in their go.mod directive |
|
Also note that the Go team had a change of heart in Go 1.23 and re-permitted The change in behaviour in 1.23 is referenced in this comment on this well-cited GH issue on the confusion around the go directive changes:
|
|
Thank you @dnwe and @stevehipwell ! |
| @@ -102,7 +102,7 @@ func main() { | |||
| log.Fatal(err) | |||
| } | |||
|
|
|||
| var b *bundle.Bundle | |||
| var b *bundle.ProtobufBundle | |||
There was a problem hiding this comment.
@dnwe - why did you make this change?
I'm now getting a deprecation warning:
There was a problem hiding this comment.
@gmlewis sigstore-go was rolled back to 0.5.1 in the sample, because in 0.6.2 they had similarly made a mistake of bumping the go directive to latest 1.23.2 (see here). They're addressing that according to this comment, but in the meantime we had to rollback in the sample in order to pin to Go 1.22. In 0.5.1 Bundle doesn't exist yet and ProtobufBundle isn't deprecated https://github.com/sigstore/sigstore-go/blob/v0.5.1/pkg/bundle/bundle.go#L51-L55
|
@dnwe - another question. Now, if I update a dependency in to: How do I get around this and still abide by your newly-added requirements? If I revert this change, all the tooling then fails with this error message: |
So this happens when you are pulling in a dependency update that requires a newer go version in its go.mod directive. You can prevent this by always including toolchain and go versions in your e.g., to update all available deps ( |
|
Ah! That explains it. Thank you, @dnwe ! |
Rather than require all consumers to be building with the latest 1.22.10 release of Go 1.22, match the support statement and permit any version of 1.22.x to be used. Since Go 1.21 the go directive in go.mod is considered a hard requirement version and anything older will refuse to build.
Update the N-1 go-version used in GitHub Actions to be the .0 release to help ensure this compatibility is maintained in the future.
Fixes #3422