dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

go mod tidy creates 0-size go.sum, go: warning: "all" matched no packages #6809

Open donbowman opened 1 year ago

donbowman commented 1 year ago

Is there an existing issue for this?

Package ecosystem

go_modules

Package manager version

go_modules

Language version

golang 1.19

Manifest location and content before the Dependabot update

module git.agilicus.com/platform/eventc

go 1.18

require (
	git.agilicus.com/pub/sdk-go v1.189.0
	github.com/alicebob/miniredis/v2 v2.30.0
	github.com/go-redis/redis/v8 v8.11.5
	github.com/golang/mock v1.6.0
	github.com/google/uuid v1.3.0
	github.com/hyperjumptech/grule-rule-engine v1.10.6
	github.com/pkg/errors v0.9.1
	github.com/prometheus/client_golang v1.13.1
	github.com/rakyll/statik v0.1.7
	github.com/sirupsen/logrus v1.9.0
	github.com/streadway/amqp v1.0.0
	github.com/stretchr/testify v1.8.2
)

require (
	github.com/Microsoft/go-winio v0.5.0 // indirect
	github.com/alessio/shellescape v1.4.1 // indirect
	github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
	github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20220527190237-ee62e23da966 // indirect
	github.com/beorn7/perks v1.0.1 // indirect
	github.com/bmatcuk/doublestar v1.3.2 // indirect
	github.com/cespare/xxhash/v2 v2.1.2 // indirect
	github.com/coreos/go-oidc/v3 v3.3.0 // indirect
	github.com/danieljoos/wincred v1.1.0 // indirect
	github.com/davecgh/go-spew v1.1.1 // indirect
	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
	github.com/emirpasic/gods v1.12.0 // indirect
	github.com/godbus/dbus/v5 v5.0.6 // indirect
	github.com/golang-jwt/jwt/v4 v4.4.2 // indirect
	github.com/golang/protobuf v1.5.2 // indirect
	github.com/hashicorp/go-cleanhttp v0.5.1 // indirect
	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
	github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd // indirect
	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
	github.com/mitchellh/go-homedir v1.1.0 // indirect
	github.com/pmezard/go-difflib v1.0.0 // indirect
	github.com/prometheus/client_model v0.2.0 // indirect
	github.com/prometheus/common v0.37.0 // indirect
	github.com/prometheus/procfs v0.8.0 // indirect
	github.com/sergi/go-diff v1.0.0 // indirect
	github.com/src-d/gcfg v1.4.0 // indirect
	github.com/stretchr/objx v0.5.0 // indirect
	github.com/xanzy/ssh-agent v0.3.1 // indirect
	github.com/yuin/gopher-lua v0.0.0-20220504180219-658193537a64 // indirect
	github.com/zalando/go-keyring v0.2.1 // indirect
	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 // indirect
	golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b // indirect
	golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094 // indirect
	golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 // indirect
	google.golang.org/appengine v1.6.7 // indirect
	google.golang.org/protobuf v1.28.1 // indirect
	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
	gopkg.in/src-d/go-billy.v4 v4.3.2 // indirect
	gopkg.in/src-d/go-git.v4 v4.13.1 // indirect
	gopkg.in/warnings.v0 v0.1.2 // indirect
	gopkg.in/yaml.v3 v3.0.1 // indirect
)

dependabot.yml content

No response

Updated dependency

No response

What you expected to see, versus what you actually saw

when go mod tidy is run it emits go: warning: "all" matched no packages and creates a zero-sized go.mod file

go mod tidy is run in a tmp dir w/ 3 files:

git.store looks like:

https://ci-dependency-robot:glpat-XXXXXX@git.agilicus.com https://x-access-token:ghp_XXXXX@github.com

since there are no go source files here, when go mod tidy is run, there are no modules in use, and it empties these files.

i'm not clear, is it supposed to instead run in /bot/tmp/, which has the original source? or in /tmp/XXX, which only has these 3 files?

at any rate, i end up w/ a 0-byte go.sum which gets committed back to my repo, which breaks.

dependencies
[#<Dependabot::Dependency:0x00007f1c36d72400
  @metadata={},
  @name="git.agilicus.com/pub/sdk-go",
  @package_manager="go_modules",
  @previous_requirements=[{:requirement=>"v1.189.0", :file=>"go.mod", :source=>{:type=>"default", :source=>"git.agilicus.com/pub/sdk-go"}, :groups=>[]}],
  @previous_version="1.189.0",
  @removed=false,
  @requirements=[{:requirement=>Gem::Version.new("1.190.0"), :file=>"go.mod", :source=>{:type=>"default", :source=>"git.agilicus.com/pub/sdk-go"}, :groups=>[]}],
  @version="1.190.0">]
repo_contents_path
"/tmp/d20230309-11215-4g3g2g"
(rdbg) directory
"/"
(rdbg) tidy
eval error: undefined local variable or method `tidy' for #<Dependabot::GoModules::FileUpdater::GoModUpdater:0x00007f1c36d631a8 @dependencies=[#<Dependabot::Dependency:0x00007f1c36d72400 @name="git.agilicus.com/pub/sdk-go", @version="1.190.0", @requirements=[{:requirement=>#<Dependabot::GoModules::Version "1.190.0">, :file=>"go.mod", :source=>{:type=>"default", :source=>"git.agilicus.com/pub/sdk-go"}, :groups=>[]}], @previous_version="1.189.0", @previous_requirements=[{:requirement=>"v1.189.0", :file=>"go.mod", :source=>{:type=>"default", :source=>"git.agilicus.com/pub/sdk-go"}, :groups=>[]}], @package_manager="go_modules", @removed=false, @metadata={}>], @credentials=[{"type"=>"git_source", "host"=>"github.com", "username"=>"x-access-token", "password"=>"ghp_XXXX"}, {"type"=>"python_index", "index-url"=>"https://git.agilicus.com/api/v4/projects/328/packages/pypi/simple/", "username"=>"ci-dependency-robot", "token"=>"x-access-token:glpat-XXXX", "password"=>"glpat-XXXX", "replaces-base"=>false}, {"type"=>"git_source", "host"=>"git.agilicus.com", "method"=>"ssh", "username"=>"ci-dependency-robot", "password"=>"glpat-XXXX"}, {"type"=>"docker_registry", "host"=>"cr.agilicus.com", "registry"=>"cr.agilicus.com", "username"=>"ci-dependency-robot", "password"=>"glpat-XXXX"}], @repo_contents_path="/tmp/d20230309-11215-4g3g2g", @directory="/", @tidy=true, @vendor=false, @goprivate="*">
tidy?
true
vendor?
false
goprivate?
nil

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response
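The failure reported above ends with a zero-byte go.sum being committed back to the repository. go.sum carries the checksums the Go toolchain verifies module downloads against, so a file that was emptied by a stray `go mod tidy` is worth rejecting before it lands. The script below is an added example, not dependabot-core's code and not the reporter's: a POSIX shell guard that parses the require directives of go.mod and refuses a go.sum that is empty or has no `h1:` line for any required module. The module names and checksums in its sample files are constructed placeholders, and it goes beyond the reported zero-byte case by also catching a go.sum that was only partially pruned.

```shell
#!/bin/sh
# Added example (not dependabot-core code): a CI / pre-commit guard that refuses
# a go.sum which lost its checksum entries. A go.sum pruned to zero bytes, as in
# this issue, silently drops the module checksums the Go toolchain verifies
# downloads against.

# Print the module paths from go.mod's require directives, handling both the
# one-line `require a/b v1.2.3` form and the parenthesised block form.
required_modules() {
    awk '
        /^require[[:space:]]*\(/            { inblock = 1; next }
        inblock && /^\)/                    { inblock = 0; next }
        inblock && NF >= 2 && $1 !~ /^\/\// { print $1; next }
        /^require[[:space:]]+[^(]/          { print $2 }
    ' "$1"
}

# Succeed only if go.sum is non-empty and every required module has at least
# one `<module> <version> h1:<checksum>` line. Reports each missing module.
# Usage: check_go_sum path/to/go.mod path/to/go.sum
check_go_sum() {
    mod="$1"; sum="$2"; status=0
    if [ ! -s "$sum" ]; then
        echo "go.sum is missing or zero bytes: $sum" >&2
        status=1
    fi
    for m in $(required_modules "$mod"); do
        # Exact match on the module field; $3 is the checksum on both the
        # module line and its /go.mod line, so either satisfies the check.
        if ! awk -v m="$m" '$1 == m && $3 ~ /^h1:/ { found = 1 } END { exit !found }' "$sum" 2>/dev/null; then
            echo "no h1: checksum in go.sum for required module $m" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample manifests for the demo; the checksums are placeholders,
# not real module hashes, and the module path is a reserved example domain.
write_go_mod() {
    cat > "$1/go.mod" <<'EOF'
module example.invalid/eventc

go 1.18

require (
	github.com/google/uuid v1.3.0
	github.com/pkg/errors v0.9.1 // indirect
)

require github.com/stretchr/testify v1.8.2
EOF
}

write_full_go_sum() {
    cat > "$1/go.sum" <<'EOF'
github.com/google/uuid v1.3.0 h1:PLACEHOLDERCHECKSUMxxxxxxxxxxxxxxxxxxxxxxxxx=
github.com/google/uuid v1.3.0/go.mod h1:PLACEHOLDERCHECKSUMxxxxxxxxxxxxxxxxxxxxxxxxx=
github.com/pkg/errors v0.9.1 h1:PLACEHOLDERCHECKSUMxxxxxxxxxxxxxxxxxxxxxxxxx=
github.com/pkg/errors v0.9.1/go.mod h1:PLACEHOLDERCHECKSUMxxxxxxxxxxxxxxxxxxxxxxxxx=
github.com/stretchr/testify v1.8.2 h1:PLACEHOLDERCHECKSUMxxxxxxxxxxxxxxxxxxxxxxxxx=
github.com/stretchr/testify v1.8.2/go.mod h1:PLACEHOLDERCHECKSUMxxxxxxxxxxxxxxxxxxxxxxxxx=
EOF
}

# Run the guard against one of three go.sum states and return its status:
#   full    - every module has checksums          (accepted)
#   empty   - zero-byte file, as in this issue    (rejected)
#   partial - only the uuid lines survived a prune (rejected)
run_scenario() {
    d=$(mktemp -d) || return 2
    write_go_mod "$d"
    case "$1" in
        full)    write_full_go_sum "$d" ;;
        empty)   : > "$d/go.sum" ;;
        partial) write_full_go_sum "$d"
                 grep 'google/uuid' "$d/go.sum" > "$d/go.sum.tmp"
                 mv "$d/go.sum.tmp" "$d/go.sum" ;;
    esac
    check_go_sum "$d/go.mod" "$d/go.sum" && rc=0 || rc=$?
    rm -rf "$d"
    return $rc
}

for s in full empty partial; do
    if run_scenario "$s"; then echo "$s go.sum: accepted"; else echo "$s go.sum: rejected"; fi
done
```

Wired into CI as `check_go_sum go.mod go.sum` after the update step, this fails the job (and so the PR) whenever an updater run has pruned checksums, instead of letting a broken go.sum through to the default branch.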

jeffwidman commented 1 year ago

Hmm... def smells like a bug.

Are you running Dependabot standalone yourself, or the native Dependabot service on GitHub?

Can you try to trim down your app enough that you can put it in a public repo that reproduces the problem?

Alternatively, you can try the dry-run script and then add some debugger / puts calls to try to narrow it down... you can compare the example run against rsc/quote to your package to see what the delta is that prevents it from having a go.mod file with data.

donbowman commented 1 year ago

running standalone. I'll take a look at the dry-run. I was using the ruby debugger to step it.

jeffwidman commented 1 year ago

If you're running standalone, then I suspect the issue is related to the local environment; if using dockerfiles, then the permissions/mounting...

Dry-run won't necessarily get you a lot further on the ruby side, since you're already in an environment where you have the ruby debugger... but it will put you into the expected dockerfile environment that we run in prod so you can see what the files/mounting should look like and I suspect that's all you'll need.

donbowman commented 1 year ago

my environment was working until an update to dependabot/core container, so i don't think it is permissions, there's no mount involved. It might be the environment variable setup changed somehow I suppose. it works for me for the other packages (e.g. python, typescript etc)

will debug more