Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stop bumping go directive unless necessitated by other dependencies #1899

Closed
kaovilai opened this issue Dec 24, 2024 · 3 comments · Fixed by #1909
Closed

Stop bumping go directive unless necessitated by other dependencies #1899

kaovilai opened this issue Dec 24, 2024 · 3 comments · Fixed by #1909

Comments

@kaovilai
Copy link

Stop bumping go directive unless necessitated by other dependencies

There is nothing necessitating this bump.


❯ go mod graph | grep [email protected]

github.com/sigstore/fulcio [email protected]

[email protected] [email protected]

The minimum should be 1.23.3 without fulcio's own bump.

Stop the minimum virus :D

This repo by itself should not be enforcing minimum on other repositories importing it. Stop spreading "minimum virus"

toolchain version used will be defined outside of go.mod ideally, such as by installing a newer compatible go toolchain to ci/cd/development env.

Failing that, toolchain directive should be used instead of go directive for bumping versions to not cascade minimum versions to importing dependencies.

toolchain directive, in contrast to the go directive, applies only to the current module (the one defined by the go.mod file). It suggests the toolchain to be used when in that very module, and doesn't propagate to other modules.

High profile repos that have removed/reduced minimum go patch version per user requests

Being proactive to prevent following from reoccuring

Originally posted by @kaovilai in eb1f9a3

@haydentherapper
Copy link
Contributor

@cpanato, do you think we should standardize what we've done in sigstore/sigstore across all Golang repos with sigstore/sigstore#1878, with the go.mod version being 1.x.0 and pulling the Go version from the CLI rather than go.mod?

@cpanato
Copy link
Member

cpanato commented Jan 6, 2025

Yes, I agree, as we learned more about this toolchain :)

will do the updates

@haydentherapper
Copy link
Contributor

We'll make the same changes here as in sigstore/rekor#2323.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants