Open Stebalien opened 3 years ago
@Stebalien: thanks for creating. This came out of some recent issues, right? If easily available, link to them for context.
Nothing filed in issues.
Commits we depend on that aren't on master:

`go mod tidy` needs it for dependency resolution (and the commit was deleted upstream until I revived and tagged it).

We also have a lot of dependencies on master commits. I'm suggesting that we make sure we depend on releases, not just master, because it's strictly easier to check/maintain:

```shell
# Count modules whose version carries a "-" suffix (pseudo-versions and pre-release tags).
# [0-9] is used instead of \d so the pattern works with both GNU and BSD grep -E.
echo "$(go list -m all | grep -E 'v[0-9]+\.[0-9]+\.[0-9]+-' | wc -l) out of $(go list -m all | wc -l) dependencies use non-released versions"
```

```
153 out of 672 dependencies use non-released versions
```

```shell
# List the offending modules
go list -m all | grep -E 'v[0-9]+\.[0-9]+\.[0-9]+-'
```
In light of https://github.com/filecoin-project/lotus/issues/12467, I elaborated in the issue description. I did this because this is an action item I think maintainers should take on as a preventative measure.
@Stebalien's original issue description:
(lotus only) Given that so many users build directly from lotus master, we should add a CI check to make sure that lotus master always depends on released modules (where possible). This can be done by checking for dependencies on commits in `go list -m all`. This check would only apply to PRs against master.
Done Criteria
A CI check catches if go.mod is being updated with any non-released version. This includes checking direct and transitive dependencies. There should be a way for maintainers to override this check (e.g., a PR label or a code comment that links to an explanation).
Why Important
User/Customer
Notes
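As an added example (not code from this issue or from the lotus repository), the check the done criteria describe and the grep one-liner above approximate, written in Go so it can run as a CI step over `go list -m all` output. It distinguishes pseudo-versions (untagged commits) from pre-release tags, treats a `replace` to a local directory as non-released, and takes an allowlist map as the maintainer override. Assumptions: the pseudo-version pattern is copied from golang.org/x/mod/module, and the sample output is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Pseudo-version syntax; assumption: pattern copied from golang.org/x/mod/module to avoid an extra dependency.
var pseudoVersionRE = regexp.MustCompile(`^v[0-9]+\.(0\.0-|\d+\.\d+-([^+]*\.)?0\.)\d{14}-[A-Za-z0-9]+(\+[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$`)

// NonReleased parses `go list -m all` output and returns "module version: reason" for each module
// not at a tagged release. Modules in allow are skipped: the maintainer override from the done criteria.
func NonReleased(listOutput string, allow map[string]bool) []string {
	var out []string
	for _, line := range strings.Split(listOutput, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || allow[f[0]] { // blank line, main module (no version) or allowlisted
			continue
		}
		version, reason := f[1], ""
		if len(f) == 4 && f[2] == "=>" { // "=> ../dir": a directory replacement is never a release
			reason = "replaced by local path"
		} else if len(f) == 5 && f[2] == "=>" { // replace directive: judge the replacement's version
			version = f[4]
		}
		if reason == "" && pseudoVersionRE.MatchString(version) {
			reason = "pseudo-version (untagged commit)"
		} else if reason == "" && strings.Contains(strings.SplitN(version, "+", 2)[0], "-") {
			reason = "pre-release tag" // build metadata alone ("+incompatible") is still a release
		}
		if reason != "" {
			out = append(out, f[0]+" "+version+": "+reason)
		}
	}
	return out
}

// SampleListOutput is constructed `go list -m all` output; it is not taken from lotus.
const SampleListOutput = `github.com/example/main
github.com/example/old v2.0.0+incompatible
github.com/example/pseudo v0.0.0-20200101120000-0123456789ab
github.com/example/pre v1.0.0-rc1
github.com/example/replaced v1.0.0 => github.com/example/fork v0.0.0-20210202020202-abcdefabcdef
github.com/example/local v1.0.0 => ../local
github.com/example/allowed v0.0.0-20200101120000-0123456789ab`

func main() { // a CI job would fail the build whenever this prints anything
	fmt.Println(strings.Join(NonReleased(SampleListOutput, map[string]bool{"github.com/example/allowed": true}), "\n"))
}
```

In CI the allowlist would be read from a checked-in file or derived from the PR label the done criteria mention, and the job exits non-zero when NonReleased returns anything.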