chore(deps): cleanup go.mod file

[chenrui333]

No description provided.

[codecov-io]

Codecov Report

Merging #1217 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #1217   +/-   ##
=======================================
  Coverage   83.65%   83.65%           
=======================================
  Files          58       58           
  Lines        3285     3285           
=======================================
  Hits         2748     2748           
  Misses        456      456           
  Partials       81       81

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e59e039...f09ee8c. Read the comment docs.

[caarlos0]

so, downgrade the cors lib?

[chenrui333]

github.com/go-macaron/cors is indirect dependedncy, and I did not see the code reference in the repo.

To my memory, that was the issue when doing go mod tidy before (and the dependency problem with code.gitea.io/gitea)

Also, I think it is indrect dependency of code.gitea.io/gitea@v1.10.0-dev

[caarlos0]

oh yah, you're right.

thanks! 🚀

[caarlos0]

@chenrui333 check #1218

[chenrui333]

Interesting, I did not have the same error in my local though.

[chenrui333]

I switched back to go1.13, and the issue does pop up. I will submit a dependabot issue on this matter.

[chenrui333]

@caarlos0 Just reported an issue.

[caarlos0]

Thanks @chenrui333 ! :)

[ldez]

It's still the same problem that I fixed in #1138

It's not an issue with dependabot, as it's the expected behavior.

The problem need to be fixed in gitea.

[caarlos0]

IMHO if it works on go1.13 only, its fine.

we just need to change the docs https://github.com/goreleaser/goreleaser/blob/master/CONTRIBUTING.md

GitHub

goreleaser/goreleaser

Deliver Go binaries as fast and easily as possible - goreleaser/goreleaser

[ldez]

The replace directive allow to use go1.12 and go1.13.

The replace directive is required by go1.13

So, for me this PR must be reverted.

[chenrui333]

I am little bit confused on why need to support both go 1.12 and go 1.13? This is more like a developer-oriented tool and we should constantly keep it using the latest go offering.

[caarlos0]

The replace directive is required by go1.13

does not seem to be, hence the build passing on go 1.13 🤔

[chenrui333]

I think the build passed, right?
https://travis-ci.org/goreleaser/goreleaser/builds/603598848

The dependabot PR build issue is indeed concerning, but I think that sounds like they need to do the environment update on their end, still waiting for their response on this though.

Travis CI - Test and Deploy Your Code with Confidence

[ldez]

The replace directive is required by go1.13: to be precise go mod tidy in go1.13 required the replace directive.

And go mod tidy is required to be able to update/add dependencies.

[ldez]

The CI need to validate the go.mod and go.sum

A quick way to validate that:

go mod tidy
git diff --exit-code go.mod
git diff --exit-code go.sum
go mod download

[caarlos0]

CI does that already:

• https://github.com/goreleaser/goreleaser/blob/master/.travis.yml#L17
• https://github.com/goreleaser/goreleaser/blob/master/Makefile#L52
• https://github.com/goreleaser/goreleaser/blob/master/Makefile#L45-L49

GitHub

goreleaser/goreleaser

Deliver Go binaries as fast and easily as possible - goreleaser/goreleaser

GitHub

goreleaser/goreleaser

Deliver Go binaries as fast and easily as possible - goreleaser/goreleaser

GitHub

goreleaser/goreleaser

Deliver Go binaries as fast and easily as possible - goreleaser/goreleaser

[chenrui333]

@ldez I believe it passed CI, it is just the dependabot environment needs to be updated to use latest golang. I works on go v1.13.3 but not v1.13 though.

[ldez]

I use go1.13.3 and I need to set the replace directive or I have an error:

$ go version
go version go1.13.3 linux/amd64

$ go mod tidy
go: code.gitea.io/gitea@v1.10.0-dev.0.20190711052757-a0820e09fbf7 requires
        github.com/go-macaron/cors@v0.0.0-20190309005821-6fd6a9bfe14e9: invalid pseudo-version: revision is longer than canonical (6fd6a9bfe14e)

$ go mod download
go: finding github.com/go-macaron/cors v0.0.0-20190309005821-6fd6a9bfe14e9
go: finding github.com/go-macaron/cors v0.0.0-20190309005821-6fd6a9bfe14e9
github.com/go-macaron/cors@v0.0.0-20190309005821-6fd6a9bfe14e9: invalid pseudo-version: revision is longer than canonical (6fd6a9bfe14e)

[chenrui333]

let me re-check. :)

[ldez]

@caarlos0 I find the tricks:

export GOPROXY = https://proxy.golang.org,https://gocenter.io,direct

I think that https://gocenter.io give the invalid pseudo version.

[chenrui333]

Good finding. Isn't the default goproxy goes to https://proxy.golang.org?

[ldez]

It's a fallback system: https://proxy.golang.org > https://gocenter.io > direct

Go modules services

[chenrui333]

That is right

That is what is in Makefile though:
https://github.com/goreleaser/goreleaser/blob/master/Makefile#L7-L8

[ldez]

I confirm: the problem come from https://gocenter.io

https://proxy.golang.org/github.com/go-macaron/cors/@v/v0.0.0-20190309005821-6fd6a9bfe14e9.info

https://search.gocenter.io/github.com~2Fgo-macaron~2Fcors/info?version=v0.0.0-20190309005821-6fd6a9bfe14e9

JFrog GoCenter - The Central GOPROXY for Go Modules

The largest Go modules repository featuring advanced search, rich metadata, gosumdb support, and free to the Golang community.

[caarlos0]

cc/ @ankushchadha

[elioengcomp]

Version v0.0.0-20190309005821-6fd6a9bfe14e9 works fine with previous versions of Go even though it has 13 digits for the commit hash part instead of the expected 12. Go 1.12 seems not to care about it:

→ export GOPROXY=https://gocenter.io/
→ go get github.com/go-macaron/cors@v0.0.0-20190309005821-6fd6a9bfe14e9

go: finding github.com/go-macaron/cors v0.0.0-20190309005821-6fd6a9bfe14e9
go: finding github.com/go-macaron/inject v0.0.0-20160627170012-d8a0b8677191
go: finding gopkg.in/ini.v1 v1.42.0
...

Google's proxy seems to have an opinion about the pseudoversion format which is compatible with Go 1.13, that is why it is returning an error when you try to fetch it from there.

→ export GOPROXY=https://proxy.golang.org
→ go get github.com/go-macaron/cors@v0.0.0-20190309005821-6fd6a9bfe14e9

go: finding github.com/go-macaron/cors v0.0.0-20190309005821-6fd6a9bfe14e9
go: github.com/go-macaron/cors@v0.0.0-20190309005821-6fd6a9bfe14e9: unexpected status (https://proxy.golang.org/github.com/go-macaron/cors/@v/v0.0.0-20190309005821-6fd6a9bfe14e9.info): 410 Gone
go: error loading module requirements

→ curl https://proxy.golang.org/github.com/go-macaron/cors/@v/v0.0.0-20190309005821-6fd6a9bfe14e9.info
not found: github.com/go-macaron/cors@v0.0.0-20190309005821-6fd6a9bfe14e9: invalid pseudo-version: revision is longer than canonical (6fd6a9bfe14e)

The fix should be move away from this version and use the latest v0.0.0-20190925001837-b0274f40d4c7 instead, which this PR seems to be doing already.

[ldez]

The problem comes because the date 20190309005821 is not the valid date for 6fd6a9bfe14e9 and the hash size problem (13 instead 12) go-macaron/cors@6fd6a9b

The fix should be move away from this version and use the latest v0.0.0-20190925001837-b0274f40d4c7 instead, which this PR seems to be doing already.

This PR do the inverse: use v0.0.0-20190309005821-6fd6a9bfe14e9 instead of a valid pseudo version.

[elioengcomp]

This PR do the inverse: use v0.0.0-20190309005821-6fd6a9bfe14e9 instead of a valid pseudo version.

Sorry, my mistake. We should move to the latest version of the dependency or fix the pseudoversion to be right one for that commit hash: v0.0.0-20190418220122-6fd6a9bfe14e.

The problem need to be fixed in gitea.

They apparently fixed it on v1.11.0-dev: https://search.gocenter.io/code.gitea.io~2Fgitea/info?version=v1.11.0-dev The best solution would be to move to the fixed version of the direct dependency and avoid the replace statement, since it is only processed for the root module and will make it harder for people to use goreleaser as a dependency.

[ldez]

github.com/go-macaron/cors is a dependency of code.gitea.io/sdk/gitea that does not contain any semver version.

I fixed the problem.

[github-actions]

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.