-
Notifications
You must be signed in to change notification settings - Fork 499
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Caching should use go.mod, not go.sum #478
Comments
Hello @peterbourgon, Thank you for creating this issue and we will look into it :) |
Note:
Is this not a suitable for a file to be used as a cache key? if some new file needs to be downloaded that the cache should be updated to include that new file. |
Unfortunately not, no. Again, go.sum isn't a lock file, and doesn't (necessarily) represent the actual dependencies used by the module. In fact, it doesn't even need to be committed! It exists purely to verify any dependencies fetched as part of the build process.
Just use go.mod and the problem is solved. And don't take my word for it: github.blog, etc. |
go.sum is an append-only log of checksums, used to verify the integrity of modules downloaded during builds. It's essentially a manifest file (shasums) and not any kind of lock file (Cargo.lock). It doesn't represent the dependencies of the corresponding module in any meaningful sense. This dependabot issue goes into more detail.
Cache keys for Go modules need to be based on the (normalized) content of go.mod, not go.sum, in order to be useful.
The text was updated successfully, but these errors were encountered: