Extract go tool dependencies in seperate module#328
Conversation
Create tools/go.mod to isolate tool dependencies (golangci-lint, gci, gosec, govulncheck, gotestsum, setup-envtest, addlicense, mockgen) from the main module. This prevents tool-only indirect dependencies from polluting the project's go.mod and go.sum.
With tools now managed in tools/go.mod, remove the tool directive and run go mod tidy to drop ~220 indirect dependencies that were only needed by tools. This reduces go.mod from 317 to 97 lines.
Introduce GO_TOOL variable that wraps 'go tool -modfile=tools/go.mod' and update all tool invocations in the Makefile. Also update hack/sast.sh, hack/add-license-header.sh, and the go:generate directive in pkg/certificates/doc.go. The tidy target now tidies both modules. Update .gitignore to track tools/ but ignore tools/k8s/ (envtest binaries).
gardener-prow
bot
added
do-not-merge/needs-kind
|
@hyperspace-insights[bot]: The label(s) DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
gardener-prow
bot
added
kind/cleanup
Update all tool dependencies to their latest compatible versions. Pin github.com/denis-tingaikin/go-header to v0.5.0 as v1.0.0 has breaking API changes incompatible with golangci-lint v2.11.2.
Add tools/go.mod and tools/go.sum to the .dockerignore allowlist so they are included in the Docker build context. Download both root and tools module dependencies in the Dockerfile.
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: nickytd The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
gardener-prow
bot
added
the
approved
1 participant
How to categorize this PR?
/kind cleanup
/area oidc-apps
What this PR does / why we need it:
This PR extracts Go tool dependencies (golangci-lint, gci, gosec, govulncheck, gotestsum, mockgen, setup-envtest, addlicense) into a dedicated separate Go module located at
tools/go.mod, decoupling them from the rootgo.mod. This eliminates thetoolblock and all tool-only indirect dependencies from the root module, significantly reducing its dependency footprint. The Makefile is updated to define aGO_TOOLvariable usinggo tool -modfile=$(TOOLS_MOD)so all tool invocations reference the separate tools module, andtidynow runsgo mod tidyfor both modules. Thehack/add-license-header.sh,hack/sast.sh, andpkg/certificates/doc.goscripts are updated accordingly to pass the-modfileflag pointing totools/go.mod.Code changes:
tools/go.mod(and correspondingtools/go.sum) as a new separate Go module containing thetoolblock and all tool-related dependencies.toolblock and ~100+ tool-only indirect dependencies from the rootgo.mod/go.sum.TOOLS_MODandGO_TOOLvariables in theMakefile; replaced allgo tool <cmd>invocations with$(GO_TOOL) <cmd>; addedcd $(TOOLS_DIR) && go mod tidyto thetidytarget..gitignoreto tracktools/k8s/(previously ignored all oftools/).hack/add-license-header.shandhack/sast.shto use-modfile=${root_dir}/tools/go.mod.pkg/certificates/doc.gogo:generatedirective to use-modfile=../../tools/go.mod.Additional context:
Separating tool dependencies into their own module is a best practice that prevents tool-only transitive dependencies from polluting the main module's dependency graph, speeds up
go mod tidyfor the main module, and avoids unintended version conflicts between application and tooling dependencies.Which issue(s) this PR fixes:
N/A
Special notes for your reviewer:
Release note:
📬 Subscribe to the Hyperspace PR Bot DL to get the latest announcements and pilot features!
PR Bot Information
Version:
1.17.97| 📖 Documentation | 🚨 Create Incident | 💬 Feedbackissue_comment.editeda05ee980-1b7e-11f1-8011-dd61de74cfec