vmware-tanzu / nsx-operator

Kubernetes Operator for managing NSX network resources

Go and dependabot thinks there is a v1.0.0 tag for pkg/apis #549

Open chrischdi opened 4 months ago

chrischdi commented 4 months ago

Dependabot opened a bump PR for:

I wanted to take a look at the diff and realised the repo does not have a v1.0.0 tag or pkg/apis/v1.0.0.

Taking a look at how Go resolves this:

For v1.0.0:

❯ go mod download -json github.com/vmware-tanzu/nsx-operator/pkg/apis@v1.0.0
{
        "Path": "github.com/vmware-tanzu/nsx-operator/pkg/apis",
        "Version": "v1.0.0",
        "Info": "/Users/schlotterc/go/pkg/mod/cache/download/github.com/vmware-tanzu/nsx-operator/pkg/apis/@v/v1.0.0.info",
        "GoMod": "/Users/schlotterc/go/pkg/mod/cache/download/github.com/vmware-tanzu/nsx-operator/pkg/apis/@v/v1.0.0.mod",
        "Zip": "/Users/schlotterc/go/pkg/mod/cache/download/github.com/vmware-tanzu/nsx-operator/pkg/apis/@v/v1.0.0.zip",
        "Dir": "/Users/schlotterc/go/pkg/mod/github.com/vmware-tanzu/nsx-operator/pkg/apis@v1.0.0",
        "Sum": "h1:jmHI88hySjGqkpc/QUmSY5G5SsDvoXxmKFEK/GmcHWs=",
        "GoModSum": "h1:ZR/7rewflpAhnswQ6NVkFN0JmaqHgmvDyFVsJLmZ+pw=",
        "Origin": {
                "VCS": "git",
                "URL": "https://github.com/vmware-tanzu/nsx-operator",
                "Subdir": "pkg/apis",
                "Hash": "553261d24be7d22d76251fae0cd85bb51be9bb9d",
                "Ref": "refs/tags/pkg/apis/v1.0.0"
        }
}

For v0.1.0:

❯ go mod download -json github.com/vmware-tanzu/nsx-operator/pkg/apis@v0.1.0
{
        "Path": "github.com/vmware-tanzu/nsx-operator/pkg/apis",
        "Version": "v0.1.0",
        "Info": "/Users/schlotterc/go/pkg/mod/cache/download/github.com/vmware-tanzu/nsx-operator/pkg/apis/@v/v0.1.0.info",
        "GoMod": "/Users/schlotterc/go/pkg/mod/cache/download/github.com/vmware-tanzu/nsx-operator/pkg/apis/@v/v0.1.0.mod",
        "Zip": "/Users/schlotterc/go/pkg/mod/cache/download/github.com/vmware-tanzu/nsx-operator/pkg/apis/@v/v0.1.0.zip",
        "Dir": "/Users/schlotterc/go/pkg/mod/github.com/vmware-tanzu/nsx-operator/pkg/apis@v0.1.0",
        "Sum": "h1:HdnQb/X9vJ8a5WQ03g/0nDr9igIIK1fF6wO5wOtkJT4=",
        "GoModSum": "h1:Q4JzNkNMvjo7pXtlB5/R3oME4Nhah7fAObWgghVmtxk=",
        "Origin": {
                "VCS": "git",
                "URL": "https://github.com/vmware-tanzu/nsx-operator",
                "Subdir": "pkg/apis",
                "Hash": "1269a61ff22c969923f260553d7961803e53f63e",
                "Ref": "refs/tags/pkg/apis/v0.1.0"
        }
}

If we now take a look at the Hash, which is the commit hash referenced:

We can see v1.0.0 is actually older. Also that commit only exists on the vpc_dev branch, not on main.

I wanted to know where this came from, if there maybe was a push of a v1.0.0 tag by accident?

sbueringer commented 4 months ago

Please note, there is a realistic danger of folks downgrading by bumping to the v1.0.0 tag. We almost did it in CAPV.
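
An added example (not from the issue or the nsx-operator project): a Go check that flags a module version whose commit timestamp is older than that of the next-lower version, which is the condition this issue describes. It reads the `Version` and `Time` fields of module cache `.info` files; the timestamps in `sample` are constructed placeholders and `Inversions` is a hypothetical helper name.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// Info mirrors the Version and Time fields of a module cache .info file.
type Info struct {
	Version string
	Time    time.Time
	rank    int64 // sortable form of Version (no pre-release; parts < 1e6)
}

// Constructed sample: versions from the issue, timestamps are placeholders.
var sample = []string{
	`{"Version":"v0.1.0","Time":"2024-02-01T00:00:00Z"}`,
	`{"Version":"v1.0.0","Time":"2024-01-01T00:00:00Z"}`,
}

// Inversions reports each version committed before the next-lower version.
func Inversions(docs []string) ([]string, error) {
	infos := make([]Info, len(docs))
	for i, d := range docs {
		var x, y, z int64
		err := json.Unmarshal([]byte(d), &infos[i])
		if err == nil {
			_, err = fmt.Sscanf(infos[i].Version, "v%d.%d.%d", &x, &y, &z)
		}
		if err != nil {
			return nil, err
		}
		infos[i].rank = (x*1e6+y)*1e6 + z
	}
	sort.Slice(infos, func(a, b int) bool { return infos[a].rank < infos[b].rank })
	var out []string
	for i := 1; i < len(infos); i++ {
		// A higher version with an older commit time means a bump moves backwards.
		if infos[i].Time.Before(infos[i-1].Time) {
			out = append(out, infos[i].Version+" predates "+infos[i-1].Version)
		}
	}
	return out, nil
}

func main() { fmt.Println(Inversions(sample)) }
```

A non-empty result is a reason to hold an automated bump PR for manual review of the referenced commits.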