Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. Nomad is easy to operate and scale and has native Consul and Vault integrations.
Currently, Nomad release tags cover only the server module at github.com/hashicorp/nomad. The submodule containing the client API, github.com/hashicorp/nomad/api, is not versioned, which leads applications to consume the latest commit from main directly via a pseudo-version. An example of this can be seen in Vault's go.mod.
Problem:
Using a pseudo-version makes it very difficult to address vulnerability alerts from scanners, since it is not clear how the pseudo-version relates to a specific Nomad release. An application using version v0.0.0-20211006193434-215bf04bc650 can be flagged with all historical vulnerabilities.
An application fetching the latest commit from main could theoretically end up using a non-working version that was never intended to be consumed by the public.
Proposal:
Add versioning also to the github.com/hashicorp/nomad/api submodule. This can be done by adding a second release tag prefixed with the submodule path: v1.2.6 becomes api/v1.2.6. Tagging submodules is described in the Go documentation.
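As an added illustration (not part of this issue or of the Nomad project), a small Go program that classifies the version strings found in go.mod require lines: it tells a tagged release apart from a pseudo-version, recovers the commit timestamp and hash and, where Go encodes one, the tag the commit follows, and builds the submodule tag name the proposal asks for. The pseudo-version layouts are the documented Go forms; apart from the version quoted above, the sample versions are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// VersionInfo is what a dependency reviewer needs to know about a version
// string found in a go.mod require line: whether it is a real release tag
// that a vulnerability database can match directly, or a pseudo-version
// that only pins a commit.
type VersionInfo struct {
	Raw        string
	Pseudo     bool
	BaseTag    string // release the version denotes, or the tag a pseudo-version follows ("" if none)
	Timestamp  string // commit time as yyyymmddhhmmss (pseudo-versions only)
	CommitHash string // 12-hex-character commit prefix (pseudo-versions only)
}

// The three pseudo-version layouts documented in the Go modules reference:
//   vX.0.0-yyyymmddhhmmss-abcdefabcdef        no tagged release precedes the commit
//   vX.Y.Z-pre.0.yyyymmddhhmmss-abcdefabcdef  the commit follows pre-release vX.Y.Z-pre
//   vX.Y.(Z+1)-0.yyyymmddhhmmss-abcdefabcdef  the commit follows release vX.Y.Z
var (
	reNoBase  = regexp.MustCompile(`^v(\d+)\.0\.0-(\d{14})-([0-9a-f]{12})$`)
	reRelBase = regexp.MustCompile(`^v(\d+)\.(\d+)\.(\d+)-0\.(\d{14})-([0-9a-f]{12})$`)
	rePreBase = regexp.MustCompile(`^(v\d+\.\d+\.\d+-[0-9A-Za-z.-]+?)\.0\.(\d{14})-([0-9a-f]{12})$`)
	reRelease = regexp.MustCompile(`^v\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$`)
)

// ParseGoVersion classifies one go.mod version string.
func ParseGoVersion(raw string) (VersionInfo, error) {
	info := VersionInfo{Raw: raw}
	v := strings.TrimSuffix(raw, "+incompatible") // pre-modules tags carry this suffix
	switch {
	case reNoBase.MatchString(v):
		m := reNoBase.FindStringSubmatch(v)
		info.Pseudo, info.Timestamp, info.CommitHash = true, m[2], m[3]
	case reRelBase.MatchString(v):
		m := reRelBase.FindStringSubmatch(v)
		patch, _ := strconv.Atoi(m[3]) // digits only, so Atoi cannot fail here
		if patch == 0 {
			return info, fmt.Errorf("%q: Go never emits a patch of 0 in this layout", raw)
		}
		info.Pseudo, info.Timestamp, info.CommitHash = true, m[4], m[5]
		info.BaseTag = fmt.Sprintf("v%s.%s.%d", m[1], m[2], patch-1)
	case rePreBase.MatchString(v):
		m := rePreBase.FindStringSubmatch(v)
		info.Pseudo, info.BaseTag, info.Timestamp, info.CommitHash = true, m[1], m[2], m[3]
	case reRelease.MatchString(v):
		info.BaseTag = v
	default:
		return info, fmt.Errorf("%q is not a semver tag or a Go pseudo-version", raw)
	}
	return info, nil
}

// SubmoduleTag builds the git tag that releases a nested module: Go expects
// the module's directory as a prefix, so api at v1.2.6 is tagged api/v1.2.6.
func SubmoduleTag(subdir, version string) string {
	return strings.Trim(subdir, "/") + "/" + version
}

// ScannerNote states what a vulnerability scanner can conclude from the
// version string alone, without cloning the repository.
func ScannerNote(module string, info VersionInfo) string {
	switch {
	case !info.Pseudo:
		return fmt.Sprintf("%s %s: tagged release, advisories match by version range", module, info.Raw)
	case info.BaseTag == "":
		return fmt.Sprintf("%s %s: pseudo-version with no tagged ancestor; only commit %s (%s) is known, so the scanner cannot place it in any release range",
			module, info.Raw, info.CommitHash, info.Timestamp)
	default:
		return fmt.Sprintf("%s %s: pseudo-version after %s; commit %s may or may not include fixes shipped after that tag",
			module, info.Raw, info.BaseTag, info.CommitHash)
	}
}

func main() {
	// The first line is the situation described in the issue (Vault's go.mod);
	// the second is what the require line would look like once api/v1.2.6 exists.
	lines := []struct{ module, version string }{
		{"github.com/hashicorp/nomad/api", "v0.0.0-20211006193434-215bf04bc650"},
		{"github.com/hashicorp/nomad/api", "v1.2.6"},
	}
	for _, l := range lines {
		info, err := ParseGoVersion(l.version)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(ScannerNote(l.module, info))
	}
	fmt.Println("tag to push for the api submodule:", SubmoduleTag("api", "v1.2.6"))
}
```

Note that the require line itself keeps the plain semver form (`github.com/hashicorp/nomad/api v1.2.6`); only the git tag carries the `api/` prefix.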