ci: fail vendor check when vendor/, go.mod or go.sum drift #517
Closed
frobware wants to merge 3 commits into
The "Check clean vendors" step previously ran `go mod vendor` but discarded the result, so a pull request could leave `vendor/`, `go.mod` or `go.sum` out of sync with the module graph and CI would still pass. In particular, when a contributor runs `go mod vendor` locally but forgets to `git add` newly created vendor directories, the resulting tree builds against the module proxy yet fails when later consumed with `-mod=vendor`.

Run `go mod vendor` and then assert with `git status --porcelain` that no tracked changes and no untracked entries remain under `vendor/`, `go.mod` or `go.sum`. `git diff --exit-code` alone is insufficient because it ignores untracked files, which is precisely the failure mode we need to catch. On failure, print the offending paths and the diff to make the cause obvious in the workflow log.

Signed-off-by: Andrew McDermott <amcdermo@redhat.com>
b1c868c to a1ebb98
alebedev87 (Contributor) reviewed May 5, 2026 and left a comment:

Just one small suggestion.
Co-authored-by: Andrey Lebedev <alebedev87@gmail.com>
Signed-off-by: Andrew McDermott <amcdermo@redhat.com>
The "Check clean vendors" step runs `go mod tidy` followed by `go mod vendor`, but the diagnostic emitted on drift only mentioned `go mod vendor`. Update the message to name both commands so the workflow log makes the full reproducer self-evident.

Signed-off-by: Andrew McDermott <amcdermo@redhat.com>
d732a1e to 597116f
Contributor, Author:

Going with #516.
The `Check clean vendors` step in `.github/workflows/pull_request.yml` ran `go mod vendor` and discarded the result. A pull request that left `vendor/`, `go.mod` or `go.sum` out of sync with the module graph would still pass this check.

This was not theoretical. PR #516 illustrates the exact failure mode: the contributor ran `go mod vendor` locally, updated `go.mod`/`go.sum`/`vendor/modules.txt`, but did not `git add` three newly created top-level directories under `vendor/`:

- `vendor/github.com/spf13/afero/`
- `vendor/golang.org/x/text/runes/`
- `vendor/sigs.k8s.io/controller-runtime/tools/`

The resulting tree builds against the module proxy but fails when consumed with `-mod=vendor`, which is what `make test` ends up doing via `go run sigs.k8s.io/controller-runtime/tools/setup-envtest`. CI on #516 has not yet executed (workflow is in `action_required` pending maintainer approval), so the breakage is latent rather than red.

Change

Run `go mod vendor` and then assert with `git status --porcelain` that no tracked modifications and no untracked entries remain under `vendor/`, `go.mod` or `go.sum`. On failure, print the offending paths and the diff so the workflow log makes the cause obvious.

`git diff --exit-code` alone is insufficient: it ignores untracked files, which is precisely the failure mode we need to catch. The bundle verification step a few lines below uses `git diff --exit-code` because regenerating the bundle modifies tracked files only; vendor regeneration can also create new directories, so it needs the stricter check.

Verification

Reproducer against PR #516's tree on a clean checkout:

With this PR's check inlined, the workflow would have exited 1 with the three offending paths printed.

Test plan
main).git add vendor/, the verify job fails on the new check rather than silently passing.
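
The gap between `git diff --exit-code` and `git status --porcelain` described above, shown as an added example that is not part of this PR or the project's workflow. The temporary repository, the `example.invalid` module paths and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; not the workflow step from the PR.

# check_vendor_clean DIR: succeed only when vendor/, go.mod and go.sum carry
# no tracked modifications and no untracked entries. Assumes `go mod tidy`
# and `go mod vendor` have already been run in DIR.
check_vendor_clean() {
  drift=$(git -C "$1" status --porcelain -- vendor go.mod go.sum) || return 2
  if [ -z "$drift" ]; then return 0; fi
  echo "vendor/, go.mod or go.sum drifted; offending paths:" >&2
  printf '%s\n' "$drift" >&2
  git -C "$1" --no-pager diff -- vendor go.mod go.sum >&2
  return 1
}

# make_demo_repo: constructed sample repository with a committed vendor tree.
make_demo_repo() {
  demo=$(mktemp -d) || return 1
  git -C "$demo" init -q
  mkdir -p "$demo/vendor/example.invalid/a"
  echo "module example.invalid/demo" > "$demo/go.mod"
  : > "$demo/go.sum"
  echo "package a" > "$demo/vendor/example.invalid/a/a.go"
  git -C "$demo" add -A
  git -C "$demo" -c user.name=demo -c user.email=demo@example.invalid \
    -c commit.gpgsign=false commit -q -m "constructed baseline"
  echo "$demo"
}

# simulate_forgotten_add DIR: mimic vendor regeneration creating a new
# directory that was never `git add`ed (hypothetical module path).
simulate_forgotten_add() {
  mkdir -p "$1/vendor/example.invalid/b"
  echo "package b" > "$1/vendor/example.invalid/b/b.go"
}

# demo_untracked_gap: returns 0 when `git diff --exit-code` passes on the
# drifted tree while check_vendor_clean rejects it.
demo_untracked_gap() {
  repo=$(make_demo_repo) || return 2
  simulate_forgotten_add "$repo"
  diff_rc=0; check_rc=0
  git -C "$repo" diff --exit-code -- vendor go.mod go.sum >/dev/null || diff_rc=$?
  check_vendor_clean "$repo" 2>/dev/null || check_rc=$?
  rm -rf "$repo"
  [ "$diff_rc" -eq 0 ] && [ "$check_rc" -eq 1 ]
}

demo_untracked_gap && echo "git diff --exit-code passed; porcelain check caught the untracked directory"
```

Entries matched by `.gitignore` do not appear in `git status --porcelain`, so a check like this only works if nothing under `vendor/` is ignored.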