Consider the following scenario. I commit a version of my project and I'm happy with the dependencies and their versions that are listed in my go.mod file. I push my code to the central repo and the CI starts to build the project with go get or go install. Because the CI builds for a GOOS/GOARCH pair that I did not try On My Machine, the list of .go files to be built changes. One of the newly added files has a dependency on a module that is not yet recorded in the go.mod file. go get/install promptly adds the dependency and fetches it from the internet.
As a result, I get a binary that is built with dependencies that I don't know about, the versions of the dependencies being whatever was freshest that day. How do I prevent this situation? I do not want to forbid go get/install to fetch modules from the internet with GOPROXY. I'm fine that go get/install fetches the dependencies with versions/hashes recorded in go.mod and go.sum. I would only like for the build to fail if there are missing dependencies. -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
