
ci: verify go.mod/go.sum are complete and untampered#11

Merged
reuvenharrison merged 2 commits into main from ci-verify-modules on Jun 24, 2026

Conversation

@reuvenharrison

Collaborator

Follow-up to #10.

Why

main recently carried a go.mod requiring yaml3 v0.0.13 while go.sum held only an older pseudo-version hash. A clean -mod=readonly build failed (missing go.sum entry), yet CI stayed green: the Install Dependencies step runs go mod download, which repairs the workspace go.sum before the test step ever runs. So the broken committed lockfile was invisible to CI.

What

A Verify modules step right after dependency download:

  • git diff --exit-code -- go.mod go.sum — fails if go mod download had to change the lockfile, i.e. the committed go.sum was incomplete. This is the step that would have caught the breakage from #10 (Use oasdiff module import path).
  • go mod verify — confirms cached modules match their recorded checksums (tamper check). Note this alone does not catch an incomplete go.sum (verified: it returns "all modules verified" on the broken state), which is why the diff check is the primary guard.

Verified the guard passes on current (post-#10) main.
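As an added illustration of the failure mode described above (a go.mod requiring a version whose hash go.sum does not hold), the following Go program is a small offline pre-check; it is not code from this PR or from the repository. It parses the require directives in go.mod and the module-zip hash lines in go.sum, then reports every required module@version with no matching go.sum entry, which is exactly the gap that `go mod download` silently repairs in CI. The module paths, versions and hashes in the embedded sample files are constructed for the example; `github.com/example/yaml3` is a stand-in, not a real module. The check only covers the modules listed in go.mod, not the full module graph, so it complements rather than replaces the `go mod download` followed by `git diff --exit-code -- go.mod go.sum` guard.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"sort"
	"strings"
)

// Constructed sample go.mod: requires yaml3 v0.0.13 (hypothetical module path).
const sampleGoMod = `module example.com/demo

go 1.25

require (
	github.com/example/yaml3 v0.0.13
	github.com/getkin/kin-openapi v0.130.0 // indirect
)
`

// Constructed sample go.sum: stale, it only records an older pseudo-version
// of yaml3, never v0.0.13. Hash values are placeholders.
const sampleGoSum = `github.com/example/yaml3 v0.0.0-20240101000000-abcdef123456 h1:AAAA=
github.com/example/yaml3 v0.0.0-20240101000000-abcdef123456/go.mod h1:BBBB=
github.com/getkin/kin-openapi v0.130.0 h1:CCCC=
github.com/getkin/kin-openapi v0.130.0/go.mod h1:DDDD=
`

// Req is one module@version named by a require directive.
type Req struct{ Path, Version string }

// ParseRequires returns the module@version pairs from require directives,
// handling both the single-line form and the parenthesised block form and
// ignoring trailing comments such as "// indirect".
func ParseRequires(gomod string) []Req {
	var out []Req
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				out = append(out, Req{f[0], f[1]})
			}
		case line == "require (":
			inBlock = true
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				out = append(out, Req{f[1], f[2]})
			}
		}
	}
	return out
}

// ParseSums returns, per module path, the versions whose module zip hash
// (the go.sum line without the "/go.mod" suffix) is recorded.
func ParseSums(gosum string) map[string][]string {
	out := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(gosum))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 || strings.HasSuffix(f[1], "/go.mod") {
			continue
		}
		out[f[0]] = append(out[f[0]], f[1])
	}
	return out
}

// MissingSums lists required modules whose exact version has no zip hash in
// go.sum. A non-empty result is the state a -mod=readonly build rejects and
// that "go mod download" would quietly patch over in a CI workspace.
func MissingSums(gomod, gosum string) []string {
	sums := ParseSums(gosum)
	var missing []string
	for _, r := range ParseRequires(gomod) {
		have := sums[r.Path]
		found := false
		for _, v := range have {
			if v == r.Version {
				found = true
				break
			}
		}
		if !found {
			msg := r.Path + "@" + r.Version
			if len(have) > 0 {
				msg += " (go.sum only has " + strings.Join(have, ", ") + ")"
			}
			missing = append(missing, msg)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	missing := MissingSums(sampleGoMod, sampleGoSum)
	for _, m := range missing {
		fmt.Println("missing go.sum entry:", m)
	}
	if len(missing) > 0 {
		os.Exit(1) // fail like the CI guard would
	}
}
```

Run with `go run .`; the sample files make it exit non-zero and name the yaml3 version that go.sum lacks. To use it on a real checkout, read the two files with `os.ReadFile` instead of the embedded constants. It deliberately ignores `/go.mod`-only entries, since a module whose zip hash is absent cannot be built even if its go.mod hash is present.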

Adds a step after dependency download that fails if the committed
go.sum was incomplete (git diff --exit-code) and confirms cached
modules match their checksums (go mod verify).

Motivation: main carried a go.mod requiring yaml3 v0.0.13 while go.sum
only held an older pseudo-version hash. A clean `-mod=readonly` build
failed, but CI stayed green because `go mod download` repairs the
workspace go.sum before the test step. This guard catches that class.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

The matrix tested Go 1.14-1.18, which can't even parse the module's
`go` directive (>=1.22) -- so every run failed at `go mod download`
before reaching the new module-verify guard. Replace it with a single
job on the latest stable Go and bump actions/checkout + setup-go.

Set the go directive to 1.25 (from 1.22.5) to match the lowest consumer
(getkin/kin-openapi declares go 1.25; oasdiff/oasdiff-service are 1.26).
NOT 1.26: a dependency requiring a newer Go than kin-openapi declares
would force kin-openapi to bump its own directive. CI runs on stable
(1.26), which builds a go-1.25 module fine.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@reuvenharrison reuvenharrison merged commit 8130d77 into main Jun 24, 2026
2 of 3 checks passed