x/vuln/cmd/govulncheck: check against toolchain/go directive version #62050
Comments
zpavlinovic
added
NeedsInvestigation
seankhliao
changed the title
|
This broke all our govulncheck CI jobs when running with |
|
If this is happening in Github Actions, then I suggest for the time being looking into govulncheck-action. It recently added support for specifying whether the version in go.mod should be used. (it can be fetched at master currently, but we'll release a new version soon) |
|
@zpavlinovic That's basically forcing people to change a their CI files, we have +30 files. This shouldnt be a breaking change. I don't understand why the Go team is forcing a toolchain. The default value for GOTOOLCHAIN should be "local" or "path", with "auto" go forces you to run |
|
We are trying to find the approach that is most useful for most people. It seems to us that most people are not running Go in a CI, they are running Go from the command line. We've tried to document the new behavior as many places as we could. Sorry for the trouble. |
|
@ianlancetaylor What are all the teams developing applications in Go using to run tests/etc on their CI if not for Go itself? We also noticed that all the dependabot jobs stopped and are failing because when Also related dependabot/dependabot-core#7895 |
|
Personally I expect them to use Go, and I expect them to set |
Not sure what to say, when even Dependabot doesnt work anymore. I will remove 1.21 from the CI, until a solution is available. |
Should govulncheck use the Go version specified by
toolchainorgodirective ingo.modfiles? Currently, we use the Go version atPATH.This issue was created based on discussions here and here.
The text was updated successfully, but these errors were encountered: