magefile / mage

a Make/rake-like dev tool using Go
https://magefile.org
Apache License 2.0

Bug: mage release 1.12 raises go get checksum errors #396

Closed eaglebush closed 2 years ago

eaglebush commented 2 years ago

**Bug Description**
go get raises checksum errors

**What did you do?**
Fetched the package: `go get -u github.com/gbrlsnchs/jwt/v3`

**What actually happened?**

```
go get: github.com/magefile/mage@v1.12.0: verifying module: checksum mismatch
        downloaded: h1:M4awaYdobNRmzXXOSBRACIvzXqeiYWS2IitX1i0fxNI=
        sum.golang.org: h1:WzvfTqwh4lBipPALjO9uYA91ui/4+T5Yw//A9LN93TY=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.
go get: github.com/magefile/mage@v1.12.0: verifying module: checksum mismatch
        downloaded: h1:M4awaYdobNRmzXXOSBRACIvzXqeiYWS2IitX1i0fxNI=
        sum.golang.org: h1:WzvfTqwh4lBipPALjO9uYA91ui/4+T5Yw//A9LN93TY=
```

**Environment**
 - Mage Version: 1.12
 - OS: windows
 - Go 1.17.5

thaney071 commented 2 years ago

@eaglebush what version of go are you on?

mgabeler-lee-6rs commented 2 years ago

Same here, go 1.17.5 on Debian. Exact same checksum variance.

Did the tag move after being initially created?

mgabeler-lee-6rs commented 2 years ago

I did a git checkout of v1.12.0 and compared it to what go downloaded into ${GOPATH}/pkg/mod/github.com/magefile/mage@v1.12.0. They are not the same. Here's the diff:

Only in /home/mgl/3psrc/mage: .git
Only in /home/mgl/3psrc/mage/.github: workflows
diff -ur /home/mgl/3psrc/mage/.goreleaser.yml ./.goreleaser.yml
--- /home/mgl/3psrc/mage/.goreleaser.yml    2021-12-17 10:58:54.426399836 -0500
+++ ./.goreleaser.yml   2021-12-17 10:56:16.592780769 -0500
@@ -26,8 +26,7 @@
       goarm: 6
   env:
     - CGO_ENABLED=0
-archives:
-- 
+archive:
   name_template: "{{.Binary}}_{{.Version}}_{{.Os}}-{{.Arch}}"
   replacements:
     amd64: 64bit
diff -ur /home/mgl/3psrc/mage/magefile.go ./magefile.go
--- /home/mgl/3psrc/mage/magefile.go    2021-12-17 10:58:54.430399877 -0500
+++ ./magefile.go   2021-12-17 10:56:16.592780769 -0500
@@ -1,5 +1,4 @@
-//go:build mage
-// +build mage
+//+build mage

 // This is the build script for Mage. The install target is all you really need.
 // The release target is for generating official releases and is really only
@@ -10,7 +9,6 @@
    "errors"
    "fmt"
    "os"
-   "os/exec"
    "path/filepath"
    "regexp"
    "runtime"
@@ -71,9 +69,6 @@

 // Generates a new release. Expects a version tag in v1.x.x format.
 func Release(tag string) (err error) {
-   if _, err := exec.LookPath("goreleaser"); err != nil {
-       return fmt.Errorf("can't find goreleaser: %w", err)
-   }
    if !releaseTag.MatchString(tag) {
        return errors.New("TAG environment variable must be in semver v1.x.x format, but was " + tag)
    }
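Review bot: the validation error in this hunk's context lines still says "TAG environment variable must be in semver v1.x.x format" although `Release` receives `tag` as a function argument. Reword it to name the argument so a failed run points at the right input. The `exec.LookPath("goreleaser")` check, present on the `-` side only, is the first statement in `Release`, which is the right place for it: a missing tool then fails before the rest of the release logic runs.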
@@ -86,8 +81,8 @@
    }
    defer func() {
        if err != nil {
-           sh.RunV("git", "tag", "--delete", tag)
-           sh.RunV("git", "push", "--delete", "origin", tag)
+           sh.RunV("git", "tag", "--delete", "$TAG")
+           sh.RunV("git", "push", "--delete", "origin", "$TAG")
        }
    }()
    return sh.RunV("goreleaser")
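Review bot: the deferred cleanup in this hunk runs `git push --delete origin` on the release tag whenever `Release` returns an error, on both sides of the diff. Removing a tag from origin and creating it again at another commit is what leaves a cached copy and a recorded checksum disagreeing, as reported in this issue. Suggest dropping the remote delete and cutting a new version after a failed release, or pushing the tag only once `goreleaser` has succeeded. Two smaller points: the `+` side passes the literal string "$TAG" where the function already has `tag` in scope, and both sides discard the error returned by `sh.RunV` inside the deferred func, so a failed cleanup goes unreported.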
Only in .: .travis.yml

mgabeler-lee-6rs commented 2 years ago

With some quick experimenting, it looks like the tag was initially placed at commit 404c119a587288dc2af657ac747e21bbe406eb63 (that exactly matches what go downloaded) and that is what the go proxy has cached for it.
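Added example, not part of the thread and not mage's code: a standard-library reimplementation of the `h1:` module hash that appears in the error above, showing why two trees published under the same version string cannot both verify. The names `hashH1`, `verify`, `treeA` and `treeB` are hypothetical, and the file contents are constructed (only the build-tag lines are taken from the diff above).

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// hashH1 computes an "h1:" hash: SHA-256 over a sorted manifest of
// "<sha256 hex of file>  <path>\n" lines, then base64-encoded.
func hashH1(files map[string]string) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	manifest := sha256.New()
	for _, name := range names {
		fmt.Fprintf(manifest, "%x  %s\n", sha256.Sum256([]byte(files[name])), name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(manifest.Sum(nil))
}

// verify compares the hash of a downloaded tree with the hash recorded
// the first time that module version was seen.
func verify(downloaded map[string]string, recorded string) error {
	if got := hashH1(downloaded); got != recorded {
		return fmt.Errorf("checksum mismatch\n\tdownloaded: %s\n\trecorded:   %s", got, recorded)
	}
	return nil
}

// Constructed trees: one version string, tag placed at two different commits.
const prefix = "github.com/magefile/mage@v1.12.0/"

var treeA = map[string]string{
	prefix + "go.mod":      "module github.com/magefile/mage\n",
	prefix + "magefile.go": "//+build mage\n\npackage main\n",
}
var treeB = map[string]string{
	prefix + "go.mod":      "module github.com/magefile/mage\n",
	prefix + "magefile.go": "//go:build mage\n// +build mage\n\npackage main\n",
}

func main() {
	recorded := hashH1(treeA) // recorded once, never updated
	fmt.Println("tree A:", verify(treeA, recorded))
	fmt.Println("tree B:", verify(treeB, recorded))
}
```

Because the recorded hash is never rewritten, the only way for clients to verify again is a version string that has not been seen before.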

natefinch commented 2 years ago

Ug... yeah, there was a problem with my release script, and so it created a v1.12 before I was ready, so I deleted it and retried. And... now I have blown up the world, evidently.

natefinch commented 2 years ago

I made a v1.12.1 ... it's the exact same code as v1.12.0, but hopefully since it's a new tag and not the same as the one deleted, it won't cause problems.

eaglebush commented 2 years ago

> @eaglebush what version of go are you on?

I'm on Go 1.17.5

natefinch commented 2 years ago

Let me know if this has solved your problem, so we can close the issue. Thanks. And sorry for the bother!

eaglebush commented 2 years ago

It's fine now. Thanks.