move to dep

[adnxn]

Summary

Use dep instead of godep.

$ dep version
dep:
version : v0.3.2
build date : 2017-10-19
git hash : 8ddfc8a
go version : go1.9
go compiler : gc
platform : linux/amd64

Implementation details

See agent/Gopkg.toml and agent/Gopkg.lock.

Testing

• Builds on Linux (make release)
• Builds on Windows (go build -out amazon-ecs-agent.exe ./agent)
• Unit tests on Linux (make test) pass
• Unit tests on Windows (go test -timeout=25s ./agent/...) pass
• Integration tests on Linux (make run-integ-tests) pass
• Integration tests on Windows (.\scripts\run-integ-tests.ps1) pass
• Functional tests on Linux (make run-functional-tests) pass
• Functional tests on Windows (.\scripts\run-functional-tests.ps1) pass

New tests cover the changes:
no

Description for the changelog

Licensing

This contribution is under the terms of the Apache 2.0 License:
yes

[petderek]

What do you think about locking everything to the commit that is referenced in the old Godeps.json file? It would potentially reduce the blast radius.

[adnxn]

what about locking dependencies to tags and upgrade to nearest tagged version where it makes sense. ill add a separate commit for each dependency i lock to a new version. cause as we were saying earlier, tagging to revisions doesn't really provide guarantees. we can definitely do some things to reduce blast radius though.

[jahkeup]

Assuming that the Gopkg.lock contains the same commits as the previous Gopkg.json file had for our deps I think it's okay to migrate this way.

[petderek]

I'm fine with either strategy we discussed.

[vsiddharth]

Quoting the original document from dep

dep is a prototype dependency management tool for Go. It requires Go 1.8 or newer to compile.
dep is the official experiment, but not yet the official tool. 

Even though dep is safe for production, I'm not totally sure of switching to it yet!

[adnxn]

It requires Go 1.8 or newer to compile.

Even though dep is safe for production, I'm not totally sure of switching to it yet!

hrm that's true, we should consider this.

/cc @aaithal, @jahkeup

what do you think?

[jahkeup]

The Makefile will also need to be updated to account for this change, which will require that we also bump the version of go used for the travis build. Though I'm happy to start using dep, we need to verify we are ready to update go. This looks great otherwise 👍

[samuelkarp]

I don't think we need to bump Go. I think the dep tool needs Go 1.8 to be compiled itself, but our code should only rely on Go >= 1.5 (with GO15VENDOREXPERIMENT).

[samuelkarp]

This now needs a rebase, since Godeps.json has been modified.

[vsiddharth]

Changes LGTM 🚀

• Document the new behavior someplace
• Use versions for constraints when applicable (outside this PR)

[samuelkarp]

Can you remove this file from this intermediate commit?

[samuelkarp]

Looks good after you remove that file from the intermediate commit. Thanks for doing this!

[aaithal]