-
Notifications
You must be signed in to change notification settings - Fork 17.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
govulncheck-action: Support using a later patch than go directive patch version in go.mod #70853
Comments
Sorry that I may be misunderstanding. Isn't Out of curiosity:
|
@hyangah no, see actions/setup-go#481 and also recent run results. Recent run
This issue is to ensure that however govulncheck-action is adopting setup-go, that it is working in govulncheck-action. |
No. Because that would enforce minimum version on importing deps, not an ideal trait if you are trying to be a library for others to import or build upon downstream. A good example of how to bump is here https://github.com/kubernetes/kubernetes/pull/127600/files Notice that this repo never bump away from Propagating minimum in go.mod go directive would break vmware-tanzu/velero#8397 |
See also grpc/grpc-go#7831 |
The original issue reports:
I have a question about that – what is the behavior for the following go.mod file:
The toolchain directive of go.mod files is declares a suggested Go toolchain to use with a module (see https://go.dev/doc/toolchain#config and https://go.dev/ref/mod#go-mod-file-toolchain). If it still picks 1.22.0, that does seem unexpected. If it picks 1.22.10, then there is at least one option to use a later toolchain. |
This is not favored at all by my requirement here: vmware-tanzu/velero#8397 which is to allow use of later toolchain without forcing it on all the downstream builders. |
Same motivation as grpc/grpc-go#7624 (comment) We want minimum go to be lowest as possible for the source code to build. The artifacts we produce however will use the newest go one can find in their build environment. |
I'm not sure I understand that point. The toolchain directive, in contrast to the go directive, applies only to the current module (the one defined by the go.mod file). It suggests the toolchain to be used when in that very module, and doesn't propagate to other modules. |
Ok if the toolchain directive do not force minimum version on importing modules then my point maybe moot here. If so, I would be ok with using toolchain as a workaround and hopefully that is respected by |
But there is still value in people who want to build the very module where toolchain directive is specified and may not yet have the downstream go that is new enough. |
toolchain not being minimum enforced on importing modules would eliminate 80% of my concerns. |
@kaovilai Thanks. I agree that absent of a toolchain directive, it's viable to pick either exactly the minimum toolchain that meets the 'go' directive requirement, or the latest minor release of the same major version. Each has trade-offs, explaining why projects and CI systems may pick what they deem a better fit. (Some projects may even wish to test with multiple minor versions to cover both ends of the spectrum, similarly to how it may make sense to test with multiple major versions.) I mostly wanted to check that the toolchain directive can be helpful for this, so thanks for confirming that. |
I think that for libraries we should try to consider the toolchain an input determined by the main package. (Much like type flows into interface values.) Minimum may be too conservative. This is to an extent the job of the main package to see if they are vulnerable. I would say the more relevant point is here https://go.dev/doc/toolchain#select. IIU-the-request-Correctly it is to test as if "GOTOOLCHAIN=auto" or "GOTOOLCHAIN=path" at CI time. I don't really consider this being a problem for libraries (previous point). But CI and user configurations might not have the same GOTOOLCHAIN settings. Some distros ship with GOTOOLCHAIN=, so it is not enough for the maintainer of the main package to test as if they are at "GOTOOLCHAIN=auto" in order to protect their users. Thinking out loud about what the default belief for govulncheck-action should be.
Given the nature of govulncheck to look for vulnerabilities, I think we want to be conservative with main packages. I think the simplest way to do that is to have a setting that says whether to use the minimum module version (default) or a specific GOTOOLCHAIN value. |
Agree
If project only specifies 1.22, actions/setup-go setup latest 1.22 such as 1.22.10 |
This flag is already available, it however do not work as I wanted, when go.mod go directive is Perhaps another flag. |
Go version
n/a
Output of
go env
in your module/workspace:What did you do?
want to use later golang than go.mod but compatible with go.mod
Support using a later patch release than what's in go.mod
Please ensure the action inherits actions/setup-go#481 when implemented.
What did you see happen?
1.22.0 go.mod results in 1.22.0 being used and no option to use later 1.22
What did you expect to see?
1.22.0 go.mod should use 1.22.7+ or latest available compatible with 1.22.0
The text was updated successfully, but these errors were encountered: