cmd/go: go build -mod=readonly still updates a go.work.sum file

[randall77]

Go version

go1.23.2

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/khr/.cache/go-build'
GOENV='/home/khr/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/khr/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/khr/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/home/khr/go1.23.2'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/home/khr/go1.23.2/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.2'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/home/khr/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v3'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/home/khr/gowork/oscar-dialogue3/go.mod'
GOWORK='/home/khr/gowork/oscar-dialogue3/go.work'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1827263642=/tmp/go-build -gno-record-gcc-switches'

What did you do?

$ git clone https://go.googlesource.com/oscar
$ cd oscar
$ git checkout 16dfea0842cf727e9074a0e221638f13a1c831aa
$ go build -mod=readonly ./internal/gaby
$ git diff
diff --git a/go.work.sum b/go.work.sum
index 59cbf8a..1faa622 100644
--- a/go.work.sum
+++ b/go.work.sum
@@ -449,8 +449,8 @@ golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
-golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
-golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
+golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
+golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -495,6 +495,7 @@ golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -591,8 +592,7 @@ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9sn
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
 golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk=
-golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24=
-golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M=
+golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=

What did you see happen?

go.work.sum file has changes to it.

What did you expect to see?

go.work.sum file unchanged, because the -mod=readonly flag was given.

[randall77]

@matloob

[gabyhelp]

Related Issues

• cmd/go: go get -u yields a different result compared to go get on a clean go.mod #38362 (closed)
• x: keep versions syncronized #37840 (closed)
• Is that correct that "go get -u" inside a module directory will break dependent package's go.mod requirement? #33465 (closed)
• cmd/go: livelock when computing module graph in a workspace with GOPROXY=off #53874 (closed)
• cmd/go: 'go mod tidy' retains sums for modules in the requirement graph but not the build list #39424 (closed)
• x/vgo: possible non-determinism in updating go.sum #26310 (closed)
• cmd/go: line added to go.sum with no change in requirements #36667 (closed)
• cmd/go: git shallow fetches broken at CL 556358 #66147 (closed)
• cmd/go: duplicate lines for module in go.sum #28456 (closed)
• go mod download modifying go.sum after go mod tidy #44512 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[matloob]

We did this intentionally, though I agree it's a bit awkward and we might potentially need to add a feature to help users with checked in go.mod files.

Since -mod=readonly is the default mode for build commands, the normal workflow in a single module, outside of a workspace, is to run go get/go mod tidy to make required changes to go.mod files and also update go.sum files before doing builds that require those changes.

If the -mod=readonly behavior also made go.work.sum read only, another command would have to be run after go get and go mod tidy change go.mod files to ensure that go.work.sum contains all the relevant sums. (We wouldn't want go get and go mod tidy to make the modifications themselves because those commands operate on a single module level and a single module can participate in multiple workspaces) This command would add significant friction to users of workspaces for not much benefit.

The most important goal of the mod=readonly mode (as I understand it) is that doing operations like builds and lists should not (surprisingly) change the set of requirements of a module in turn changing the actual code that's built. The operation that changes the build is put into into a separate command so that it is done explicitly. Since go.sum is also checked in, and only needs to be changed when module dependencies are changed, it makes sense to have the rule apply to both go.mod and go.sum.

When we started working on workspaces, the intention was that go.work (and go.work.sum) files would only be checked in in very rare circumstances. We still encourage users to consider carefully if they should check in go.work files because it does cause a lot of headaches, but it seems now like we need to address some of those headaches.

I do think that the current behavior is the best behavior for most users, but perhaps we should add a command (maybe called go work tidy that will ensure that the go.work.sum file is complete for the all pattern). Then CI could check that that command doesn't make any changes, and in the use case where you clone oscar and do a build there would be no modifications to go.work.sum because it would already be updated?