From 721ea056626c75b78d0d7dccca66cd4ca9334734 Mon Sep 17 00:00:00 2001 From: Reuven Harrison Date: Wed, 24 Jun 2026 22:53:18 +0300 Subject: [PATCH 1/2] ci: add a modern-Go job to verify go.mod/go.sum The existing matrix runs in GOPATH mode across pre-module Go versions (1.5+), so it never checks the module lockfile. This adds a separate job on modern Go that fails if the committed go.sum is incomplete (git diff --exit-code after go mod download) and confirms cached modules match their checksums (go mod verify). Guards the class of breakage seen in oasdiff/yaml: a go.mod pinned to a release tag while go.sum held only a pseudo-version -- a clean -mod=readonly build fails, but CI that runs go mod download/go get first repairs the workspace go.sum and stays green. Co-Authored-By: Claude Opus 4.8 --- .github/workflows/go.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.github/workflows/go.yaml b/.github/workflows/go.yaml index d2bb00b0..332174cf 100644 --- a/.github/workflows/go.yaml +++ b/.github/workflows/go.yaml @@ -59,3 +59,21 @@ jobs: working-directory: ${{ github.workspace }}/go/src/gopkg.in/yaml.v3 - run: go test . working-directory: ${{ github.workspace }}/go/src/gopkg.in/yaml.v3 + + # The matrix above runs in GOPATH mode across pre-module Go versions, so it + # can't check the module lockfile. This job verifies, on modern Go, that the + # committed go.sum is complete and the cached modules are untampered -- so a + # go.mod pinned to a release tag can't ship with only a pseudo-version (or a + # missing entry) in go.sum, which fails a clean -mod=readonly build but is + # invisible to a CI that runs `go mod download`/`go get` before testing. + modules: + name: Verify modules + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-go@v5 + with: + go-version: stable + - run: go mod download + - run: git diff --exit-code -- go.mod go.sum + - run: go mod verify From a73e1034ba0e32481dd025a6f1b1a132433489ce Mon Sep 17 00:00:00 2001 From: Reuven Harrison Date: Wed, 24 Jun 2026 23:22:34 +0300 Subject: [PATCH 2/2] ci: pin the verify-modules job to latest actions (checkout v7, setup-go v6) Co-Authored-By: Claude Opus 4.8 --- .github/workflows/go.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/go.yaml b/.github/workflows/go.yaml index 332174cf..19f7966a 100644 --- a/.github/workflows/go.yaml +++ b/.github/workflows/go.yaml @@ -70,8 +70,8 @@ jobs: name: Verify modules runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 + - uses: actions/checkout@v7 + - uses: actions/setup-go@v6 with: go-version: stable - run: go mod download