buildGoModule: fix GOFLAGS for structuredAttrs #470709

Merged
zowoq merged 1 commit into NixOS:master from SFrijters:buildgomodule-structuredattrs
Dec 17, 2025

@SFrijters
Member

Related: #470403

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.


@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-darwin: 1 This PR causes 1 package to rebuild on Darwin. 10.rebuild-linux: 1 This PR causes 1 package to rebuild on Linux. 6.topic: golang Go is a high-level general purpose programming language that is statically typed and compiled. labels Dec 14, 2025
@nixpkgs-ci nixpkgs-ci bot added the 12.approvals: 1 This PR was reviewed and approved by one person. label Dec 14, 2025
@zowoq
Contributor

zowoq commented Dec 17, 2025

Almost no rebuilds so this could go to master, is this targeting staging for a reason?

@SFrijters
Member Author

Mostly because it's a followup to #470403 which did have to go onto staging. But I can retarget this one if needed.

@zowoq zowoq changed the base branch from staging to master December 17, 2025 22:36
@nixpkgs-ci nixpkgs-ci bot closed this Dec 17, 2025
@nixpkgs-ci nixpkgs-ci bot reopened this Dec 17, 2025
@zowoq zowoq added this pull request to the merge queue Dec 17, 2025
Merged via the queue into NixOS:master with commit caff8c2 Dec 17, 2025
58 of 60 checks passed
@ghpzin
Contributor

ghpzin commented Jan 1, 2026

People on matrix noticed that this managed to break at least 3 previously cached goModules on current master:

nix-build -A go-away.goModules --check
nix-build -A evcc.goModules --check
nix-build -A carapace.goModules --check
Logs for `go-away.goModules`
Running phase: unpackPhase
@nix { "action": "setPhase", "phase": "unpackPhase" }
unpacking source archive /nix/store/zivpq4njrvh8kkwf0h08avzx6v9qzhzm-source
source root is source
Running phase: patchPhase
@nix { "action": "setPhase", "phase": "patchPhase" }
patching script interpreter paths in build-compress.sh build-wasm.sh docker-entrypoint.sh
build-compress.sh: interpreter directive changed from "#!/bin/bash" to "/nix/store/lw117lsr8d585xs63kx5k233impyrq7q-bash-5.3p3/bin/bash"
build-wasm.sh: interpreter directive changed from "#!/bin/bash" to "/nix/store/lw117lsr8d585xs63kx5k233impyrq7q-bash-5.3p3/bin/bash"
docker-entrypoint.sh: interpreter directive changed from "#!/bin/sh" to "/nix/store/lw117lsr8d585xs63kx5k233impyrq7q-bash-5.3p3/bin/sh"
Running phase: updateAutotoolsGnuConfigScriptsPhase
@nix { "action": "setPhase", "phase": "updateAutotoolsGnuConfigScriptsPhase" }
Running phase: configurePhase
@nix { "action": "setPhase", "phase": "configurePhase" }
Running phase: buildPhase
@nix { "action": "setPhase", "phase": "buildPhase" }
Compressed [embed/challenge/js-pow-sha256/static/load.mjs]: 3.152 KiB -> 999 B in 0.00 sec
Compressed [embed/challenge/js-pow-sha256/runtime/runtime.wasm]: 280.685 KiB -> 112.628 KiB in 0.01 sec
Compressed [embed/assets/static/anubis/style.css]: 1.764 KiB -> 577 B in 0.00 sec
go: inconsistent vendoring in /build/source:
        codeberg.org/gone/http-cel@v1.0.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        codeberg.org/meta/gzipped/v2@v2.0.0-20231111234332-aa70c3194756: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        github.com/alphadose/haxmap@v1.4.1: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        github.com/go-jose/go-jose/v4@v4.1.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        github.com/goccy/go-yaml@v1.17.1: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        github.com/google/cel-go@v0.25.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        github.com/itchyny/gojq@v0.12.17: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        github.com/pires/go-proxyproto@v0.8.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        github.com/prometheus/client_golang@v1.22.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        github.com/tetratelabs/wazero@v1.9.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        github.com/yl2chen/cidranger@v1.0.2: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        golang.org/x/crypto@v0.37.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        cel.dev/expr@v0.23.1: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        github.com/antlr4-go/antlr/v4@v4.13.1: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        github.com/beorn7/perks@v1.0.1: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        github.com/cespare/xxhash/v2@v2.3.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        github.com/itchyny/timefmt-go@v0.1.6: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        github.com/kevinpollet/nego@v0.0.0-20211010160919-a65cd48cee43: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        github.com/munnerz/goautoneg@v0.0.0-20191010083416-a7dc8b61c822: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        github.com/prometheus/client_model@v0.6.2: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        github.com/prometheus/common@v0.63.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        github.com/prometheus/procfs@v0.16.1: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        github.com/stoewer/go-strcase@v1.3.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        golang.org/x/exp@v0.0.0-20250408133849-7e4ce0ab07d0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        golang.org/x/net@v0.39.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        golang.org/x/sys@v0.32.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        golang.org/x/text@v0.24.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        google.golang.org/genproto/googleapis/api@v0.0.0-20250422160041-2d3770c4ea7f: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        google.golang.org/genproto/googleapis/rpc@v0.0.0-20250422160041-2d3770c4ea7f: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
        google.golang.org/protobuf@v1.36.6: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt

        To ignore the vendor directory, use -mod=readonly or -mod=mod.
        To sync the vendor directory, run:
                go mod vendor

Revert seems to fix it:

diff --git a/pkgs/build-support/go/module.nix b/pkgs/build-support/go/module.nix
index ea266422c6..30542b1d16 100644
--- a/pkgs/build-support/go/module.nix
+++ b/pkgs/build-support/go/module.nix
@@ -223,20 +223,19 @@
         GOTOOLCHAIN = "local";

         CGO_ENABLED = args.env.CGO_ENABLED or go.CGO_ENABLED;
-
-        GOFLAGS = toString (
-          GOFLAGS
-          ++
-            lib.warnIf (lib.any (lib.hasPrefix "-mod=") GOFLAGS)
-              "use `proxyVendor` to control Go module/vendor behavior instead of setting `-mod=` in GOFLAGS"
-              (lib.optional (!finalAttrs.proxyVendor) "-mod=vendor")
-          ++
-            lib.warnIf (builtins.elem "-trimpath" GOFLAGS)
-              "`-trimpath` is added by default to GOFLAGS by buildGoModule when allowGoReference isn't set to true"
-              (lib.optional (!finalAttrs.allowGoReference) "-trimpath")
-        );
       };

+      GOFLAGS =
+        GOFLAGS
+        ++
+          lib.warnIf (lib.any (lib.hasPrefix "-mod=") GOFLAGS)
+            "use `proxyVendor` to control Go module/vendor behavior instead of setting `-mod=` in GOFLAGS"
+            (lib.optional (!finalAttrs.proxyVendor) "-mod=vendor")
+        ++
+          lib.warnIf (builtins.elem "-trimpath" GOFLAGS)
+            "`-trimpath` is added by default to GOFLAGS by buildGoModule when allowGoReference isn't set to true"
+            (lib.optional (!finalAttrs.allowGoReference) "-trimpath");
+
       inherit enableParallelBuilding;

       # If not set to an explicit value, set the buildid empty for reproducibility.
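Review bot: The re-added `GOFLAGS` block below the closing `};` of `env` drops the `toString (...)` wrapper and becomes a list-valued top-level derivation attribute again, which is the shape the PR title says had to be fixed for structuredAttrs, so a straight revert brings that problem back. If the aim is only to keep the flags away from `goModules`, a narrower change that leaves `GOFLAGS` in `env` would avoid that, and either way the attribute deserves a comment stating why it sits where it does.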
Logs for `go-away.goModules` with revert
Running phase: unpackPhase
unpacking source archive /nix/store/zivpq4njrvh8kkwf0h08avzx6v9qzhzm-source
source root is source
Running phase: patchPhase
patching script interpreter paths in build-compress.sh build-wasm.sh docker-entrypoint.sh
build-compress.sh: interpreter directive changed from "#!/bin/bash" to "/nix/store/hpcm5scq59h34hk2wngs85s7gm5c75f0-bash-5.2p37/bin/bash"
build-wasm.sh: interpreter directive changed from "#!/bin/bash" to "/nix/store/hpcm5scq59h34hk2wngs85s7gm5c75f0-bash-5.2p37/bin/bash"
docker-entrypoint.sh: interpreter directive changed from "#!/bin/sh" to "/nix/store/hpcm5scq59h34hk2wngs85s7gm5c75f0-bash-5.2p37/bin/sh"
Running phase: configurePhase
Running phase: buildPhase
Compressed [embed/challenge/js-pow-sha256/runtime/runtime.wasm]: 280.685 KiB -> 112.628 KiB in 0.03 sec
Compressed [embed/challenge/js-pow-sha256/static/load.mjs]: 3.152 KiB -> 999 B in 0.00 sec
Compressed [embed/assets/static/anubis/style.css]: 1.764 KiB -> 577 B in 0.00 sec
go: downloading github.com/tetratelabs/wazero v1.9.0
go: downloading github.com/prometheus/client_golang v1.22.0
go: downloading github.com/goccy/go-yaml v1.17.1
go: downloading codeberg.org/gone/http-cel v1.0.0
go: downloading codeberg.org/meta/gzipped/v2 v2.0.0-20231111234332-aa70c3194756
go: downloading github.com/itchyny/gojq v0.12.17
go: downloading github.com/pires/go-proxyproto v0.8.0
go: downloading golang.org/x/crypto v0.37.0
go: downloading golang.org/x/net v0.39.0
go: downloading github.com/alphadose/haxmap v1.4.1
go: downloading github.com/go-jose/go-jose/v4 v4.1.0
go: downloading github.com/google/cel-go v0.25.0
go: downloading github.com/yl2chen/cidranger v1.0.2
go: downloading github.com/prometheus/client_model v0.6.2
go: downloading github.com/prometheus/common v0.63.0
go: downloading github.com/kevinpollet/nego v0.0.0-20211010160919-a65cd48cee43
go: downloading github.com/itchyny/timefmt-go v0.1.6
go: downloading golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0
go: downloading cel.dev/expr v0.23.1
go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20250422160041-2d3770c4ea7f
go: downloading google.golang.org/protobuf v1.36.6
go: downloading github.com/beorn7/perks v1.0.1
go: downloading github.com/cespare/xxhash/v2 v2.3.0
go: downloading golang.org/x/sys v0.32.0
go: downloading github.com/stoewer/go-strcase v1.3.0
go: downloading golang.org/x/text v0.24.0
go: downloading github.com/antlr4-go/antlr/v4 v4.13.1
go: downloading github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20250422160041-2d3770c4ea7f
cmd/go-away/main.go
cmd/test-wasm-runtime/main.go
embed/embed.go
embed/challenge/js-pow-sha256/runtime/runtime.go
lib/challenge.go
lib/conditions.go
lib/http.go
lib/interface.go
lib/metrics.go
lib/rule.go
lib/state.go
lib/template.go
lib/action/block.go
lib/action/challenge.go
lib/action/code.go
lib/action/context.go
lib/action/deny.go
lib/action/drop.go
lib/action/none.go
lib/action/pass.go
lib/action/proxy.go
lib/action/register.go
lib/challenge/awaiter.go
lib/challenge/data.go
lib/challenge/helper.go
lib/challenge/key.go
lib/challenge/register.go
lib/challenge/script.go
lib/challenge/types.go
lib/challenge/cookie/cookie.go
lib/challenge/dnsbl/dnsbl.go
lib/challenge/http/http.go
lib/challenge/preload-link/preload-link.go
lib/challenge/refresh/refresh.go
lib/challenge/resource-load/resource-load.go
lib/challenge/wasm/registration.go
lib/challenge/wasm/runner.go
lib/challenge/wasm/utils.go
lib/challenge/wasm/interface/interface.go
lib/challenge/wasm/interface/interface_generic.go
lib/policy/challenge.go
lib/policy/network.go
lib/policy/policy.go
lib/policy/rule.go
lib/policy/state.go
lib/settings/backend.go
lib/settings/bind.go
lib/settings/settings.go
lib/settings/strings.go
utils/cache.go
utils/cookie.go
utils/decaymap.go
utils/dnsbl.go
utils/fingerprint.go
utils/http.go
utils/radb.go
utils/strings.go
utils/tagfetcher.go
utils/unix.go
utils/inline/hex.go
utils/inline/mime.go
go: downloading github.com/prometheus/procfs v0.16.1
buildPhase completed in 1 minutes 1 seconds
Running phase: installPhase

@zowoq
Contributor

zowoq commented Jan 1, 2026

> Revert seems to fix it

Not running go generate for goModules also fixes it: #475628 (comment)

@Mindavi
Contributor

Mindavi commented Jan 1, 2026

So, we revert for now? Or what would be wise here?

@winterqt
Member

winterqt commented Jan 1, 2026

Is there a reason we’re inheriting preBuild in the deps drv to begin with? Maybe we should just remove it for everyone?

(Side note: why does this change break running preBuild in these drvs? I haven’t gotten a chance to debug at all yet, but I imagine the value of GOFLAGS somehow changed in an important way, even if unintentional?!)

@ghpzin
Contributor

ghpzin commented Jan 1, 2026

Seems like moving GOFLAGS into env unintentionally made it leak into goModules too (which I assume is the problem):

# now on master:
nix eval --impure --json --expr 'with import ./. {}; go-away.GOFLAGS'
"-mod=vendor -trimpath"

nix eval --impure --json --expr 'with import ./. {}; go-away.goModules.GOFLAGS'
"-mod=vendor -trimpath"

# with reverted PR:
nix eval --impure --json --expr 'with import ./. {}; go-away.GOFLAGS'
["-mod=vendor","-trimpath"]

nix eval --impure --json --expr 'with import ./. {}; go-away.goModules.GOFLAGS'
error:
...
       error: attribute 'GOFLAGS' missing

@leonklingele
Contributor

After updating from 2d293cbfa5a793b4c50d17c05ef9e385b90edf6c to fb7944c166a3b630f177938e478f0378e64ce108, nix flake check -L now fails as follows on the following Flake file:

packages = rec {
  tests = pkgs.buildGoModule {
    pname = "tests";
    version = "0.0.1";

    src = goSrc;
    vendorHash = null;
    buildTestBinaries = true;
    GOFLAGS = [ "-race" ];
  };
};
nix flake check -L
error:
       … while checking flake output 'packages'
         at /nix/store/01x5k4nlxcpyd85nnr0b9gm89rm8ff4x-source/lib.nix:43:9:
           42|       // {
           43|         ${key} = (attrs.${key} or { }) // {
             |         ^
           44|           ${system} = ret.${key};

       … while checking the derivation 'packages.aarch64-darwin.tests'
         at /nix/store/n9l9wpx1camvx6vr482k1s84k8i2k6zi-source/flake.nix:121:11:
          120|         packages = rec {
          121|           tests = pkgs.buildGoModule {
             |           ^
          122|             pname = "tests";

       (stack trace truncated; use '--show-trace' to show the full, detailed trace)

       error: The `env` attribute set cannot contain any attributes passed to derivation. The following attributes are overlapping:
         - GOFLAGS: in `env`: "-race -mod=vendor -trimpath"; in derivation arguments: [
         "-race"
       ]

Any idea how we can fix this?

@kalbasit
Member

kalbasit commented Jan 5, 2026

> GOFLAGS = [ "-race" ];

You should probably change it to checkFlags

checkFlags = [ "-race" ];

@leonklingele
Contributor

Are you sure this would help? https://nixos.org/manual/nixpkgs/stable/#var-stdenv-checkFlags says the following:

> A list of strings passed as additional flags to make. Like makeFlags and makeFlagsArray, but only used by the check phase. Unlike with buildFlags, the checkTarget is automatically added to the make invocation in addition to any checkFlags specified.

We don't use make in the project.

@kalbasit
Member

kalbasit commented Jan 7, 2026

> Are you sure this would help? nixos.org/manual/nixpkgs/stable#var-stdenv-checkFlags says the following:
>
> > A list of strings passed as additional flags to make. Like makeFlags and makeFlagsArray, but only used by the check phase. Unlike with buildFlags, the checkTarget is automatically added to the make invocation in addition to any checkFlags specified.
>
> We don't use make in the project.

Yep, it's used by buildGoModule to pass those to the go test command.

@JackKelly-Bellroy

JackKelly-Bellroy commented Feb 19, 2026

git bisect says that this change also broke the ability to statically link (via override) Go packages from nixpkgs. The following nix expression will no longer build on revision 83549e3ad2816a4ac1fd94de654b0590bf634dda but will build on its immediate predecessor:

let
  nixpkgs = import ./. {
    overlays = [
      (final: prev: {
        jsonschema = prev.jsonschema.overrideAttrs (_: oldAttrs: {
          CGO_ENABLED = 0;
          ldflags = oldAttrs.ldflags ++ [ "-extldflags=-static" ];
          env.GOWORK = "off";
        });
      })
    ];
  };
in
nixpkgs.jsonschema

On or after 83549e3, the build fails with:

error: output '/nix/store/fhy5576sp4krafi2krf3b6v0zyiq6wfa-jsonschema-0.7.0' is not allowed to refer to the following paths:
         /nix/store/0a3dyfq09dnkw28ap2i450wjimvdmv6s-go-1.25.4

@zowoq
Contributor

zowoq commented Feb 19, 2026

  jsonschema = prev.jsonschema.overrideAttrs (_: oldAttrs: {
    ldflags = oldAttrs.ldflags ++ [ "-extldflags=-static" ];
    env = oldAttrs.env // { GOWORK = "off"; CGO_ENABLED = 0; };
  });

@JackKelly-Bellroy

Brilliant, thank you. I leave it to the maintainers to decide whether the old way should remain supported or not.

@SFrijters
Member Author

Sorry for getting back to this so late.

When I made this PR I just moved GOFLAGS since the env attribute already existed so it seemed the way to go.

After having encountered the pattern multiple times now, I think the proper solution may be to change the merge order: #492019 if anyone would care to take a look / check if it helps their problem?

@squat
Member

squat commented Feb 22, 2026

I hit this exact issue on so many statically linked out of tree packages for various projects: #470709 (comment)

This commit didn't only break overridden packages but also anyone in the community using buildGoModule to define their own packages in flakes, e.g. https://github.com/squat/generic-device-plugin :(

@SFrijters
Member Author

> Seems like moving GOFLAGS into env unintentionally made it leak into goModules too (which I assume is the problem):

goModules already explicitly inherited env, which didn't initially contain GOFLAGS via env = finalAttrs.env or { };.
Would it be necessary and sufficient to filter out only GOFLAGS?
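
A simplified pure-Nix model of the attribute merging discussed in the comments above: the `env`/argument overlap error, the `overrideAttrs` fix that extends `oldAttrs.env`, and the question of filtering `GOFLAGS` out of what `goModules` inherits. It is an added example, not nixpkgs code and not any commenter's; `builderEnv`, `override`, `overlap` and the sample `pkg` are hypothetical names, and plain attribute sets stand in for real derivations.

```nix
# Simplified model, NOT nixpkgs code: plain attribute sets stand in for
# derivation arguments so the merge behaviour can be evaluated on its own.
let
  # Hypothetical stand-in for the env set buildGoModule builds after this PR:
  # GOFLAGS is a space-joined string that lives inside `env`.
  builderEnv = userFlags: {
    GOTOOLCHAIN = "local";
    CGO_ENABLED = 1;
    GOFLAGS = toString (userFlags ++ [ "-mod=vendor" "-trimpath" ]);
  };

  pkg = {
    pname = "demo"; # constructed sample package
    ldflags = [ "-s" ];
    env = builderEnv [ ];
  };

  # overrideAttrs merges shallowly: each top-level key in the override
  # replaces the old value whole, nested sets are not merged.
  override = old: new: old // new;

  # `env.GOWORK = "off"` is sugar for `env = { GOWORK = "off"; }`, so in this
  # model the computed GOFLAGS (and with it -trimpath) is dropped.
  replaced = override pkg { env.GOWORK = "off"; };

  # Extending the old set keeps the computed entries.
  extended = override pkg {
    env = pkg.env // { GOWORK = "off"; CGO_ENABLED = 0; };
  };

  # Names present both in `env` and as top-level arguments; a non-empty
  # result is the overlap condition reported in the error quoted above.
  overlap = args:
    builtins.attrNames
      (builtins.intersectAttrs (args.env or { }) (removeAttrs args [ "env" ]));

  # A dependency-fetching set that inherits env, with and without GOFLAGS.
  depsInherited = { env = pkg.env; };
  depsFiltered = { env = removeAttrs pkg.env [ "GOFLAGS" ]; };
in
{
  replacedKeepsGoflags = replaced.env ? GOFLAGS;
  extendedGoflags = extended.env.GOFLAGS;
  extendedCgo = extended.env.CGO_ENABLED;
  overlapWithTopLevelList = overlap {
    GOFLAGS = [ "-race" ];
    env = builderEnv [ "-race" ];
  };
  overlapWhenOnlyInEnv = overlap pkg;
  depsInheritedSeesGoflags = depsInherited.env ? GOFLAGS;
  depsFilteredSeesGoflags = depsFiltered.env ? GOFLAGS;
}
```

Save the expression to a file and evaluate it with `nix-instantiate --eval --strict` to see each result.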

squat added a commit to squat/kilo that referenced this pull request Feb 26, 2026
This commit works around issues introduced by
NixOS/nixpkgs#470709 that broke the way that
environment variables attributes are extended in `buildGoModule` and
thus prevented bumping the nixpkgs flake input beyond December.

Signed-off-by: squat <lserven@gmail.com>
squat added a commit to squat/generic-device-plugin that referenced this pull request Feb 26, 2026
This commit works around issues introduced by
NixOS/nixpkgs#470709 that broke the way that
environment variables attributes are extended in `buildGoModule` and
thus prevented bumping the nixpkgs flake input beyond December.

Signed-off-by: squat <lserven@gmail.com>