Fix go install method of installation #716
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Cosign's installation instructions tell users to run
go install github.com/sigstore/cosign/cmd/cosign@latest
. This installation method appears to have been broken since fb04df8 (via #637), when areplace
directive was added togo.mod
.The
replace
block was downgrading a few K8s modules (k8s.io/api
,k8s.io/apimachinery
, andk8s.io/client-go
) to a slightly older version (fromv0.22.1
tov0.21.4
). Presumably, this was done because #637 also introduced a dependency on the moduleknative.dev/pkg
, which is not compatible withv0.22.1
of the K8s modules.A more stable alternative solution to this problem is to adjust the K8s module versions in the
require
block to the desired version (v0.21.4
). Because of how MVS works, once none of the K8s modules in the module graph need a version as new asv0.22.1
, Go will select versionv0.21.4
for these modules, which resolves the issue withknative.dev/pkg
, which allows all cosign builds to succeed.Thus, this PR makes the above updates to the
require
block and removes thereplace
block.Testing
This fix can be verified in a clean environment via Docker. This command installs Cosign using a testing branch in my fork of Cosign:
This test:
GOPRIVATE
in order to bypass the Go proxy, to ensure the fork code is used directlyfix-go-install--testing
. This is because I needed to set the module name ingo.mod
togithub.com/luhring/cosign
so thatgo install
doesn't error out early.Ticket Link
Fixes #588
Release Note
Signed-off-by: Dan Luhring [email protected]