x/build: TryBots should check go.mod files are tidy

[jayconrod]

CL 172972 added a dependency on golang.org/x/sync in golang.org/x/tools. The go.mod and go.sum files were not updated.

There's nothing wrong with this dependency, but it should have been more noticeable during code review. If unexpected requirement were added to go.mod, human reviewers would see it.

TryBots should report an error if go.mod and go.sum change with go mod tidy. This will make sure dependency changes are explicit, and it will keep builds deterministic.

[bradfitz]

Is there a flag to go mod tidy that'll let it report whether things are tidy without doing any network requests?

Because we're increasingly blocking outbound network access on builders.

But we do allow GOPROXY access, which we set, so if it needs that, I suppose that's okay.

[jayconrod]

There's not a simple way to do that, but it's a common feature request we should implement. I'm sure there is an issue filed somewhere.

go list -mod=readonly -test ./... would probably be good enough to check that we don't need to add new modules. Setting GOPROXY=off disables most requests, but the ?go-get=1 requests for resolving import paths don't go through the proxy, so those would still happen for unknown modules. Edit: resolving import paths actually does go through GOPROXY.

[bradfitz]

There's not a simple way to do that, but it's a common feature request we should implement. I'm sure there is an issue filed somewhere.

If that's on the way, I'd rather wait for that.

Cross-reference the two bugs when you find it?

[jayconrod]

#27005 would add a -check flag. go mod tidy would exit non-zero if changes are needed.

I don't think we'll have time to implement it before the freeze though.

[nmiyake]

Note that go list -mod=readonly -test ./... will only check that you don't need to add new modules given the build configuration of the environment that ran the command -- it will not flag any new modules that may be required when using different build tags (OS/arch/etc.). I believe that mod tidy -check (or an equivalent) is the only way to definitively guarantee that the go.mod and go.sum are in the proper state for all possible consumers.