ci: verify go.mod/go.sum are complete and untampered#11
Merged
Conversation
Adds a step after dependency download that fails if the committed go.sum was incomplete (git diff --exit-code) and confirms cached modules match their checksums (go mod verify). Motivation: main carried a go.mod requiring yaml3 v0.0.13 while go.sum only held an older pseudo-version hash. A clean `-mod=readonly` build failed, but CI stayed green because `go mod download` repairs the workspace go.sum before the test step. This guard catches that class. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The matrix tested Go 1.14-1.18, which can't even parse the module's `go` directive (>=1.22) -- so every run failed at `go mod download` before reaching the new module-verify guard. Replace it with a single job on the latest stable Go and bump actions/checkout + setup-go. Set the go directive to 1.25 (from 1.22.5) to match the lowest consumer (getkin/kin-openapi declares go 1.25; oasdiff/oasdiff-service are 1.26). NOT 1.26: a dependency requiring a newer Go than kin-openapi declares would force kin-openapi to bump its own directive. CI runs on stable (1.26), which builds a go-1.25 module fine. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Follow-up to #10.
Why

main recently carried a `go.mod` requiring yaml3 v0.0.13 while `go.sum` held only an older pseudo-version hash. A clean `-mod=readonly` build failed (missing go.sum entry), yet CI stayed green: the Install Dependencies step runs `go mod download`, which repairs the workspace `go.sum` before the test step ever runs. So the broken committed lockfile was invisible to CI.

What

A Verify modules step right after dependency download:

- `git diff --exit-code -- go.mod go.sum`: fails if `go mod download` had to change the lockfile, i.e. the committed `go.sum` was incomplete. This is the step that would have caught the breakage in #10 (Use oasdiff module import path).
- `go mod verify`: confirms cached modules match their recorded checksums (tamper check). Note this alone does not catch an incomplete `go.sum` (verified: it returns "all modules verified" on the broken state), which is why the diff check is the primary guard.

Verified the guard passes on current (post-#10) main.