Report Go module version and checksum

[JamieEdge]

At present, when installing Task using go install, the version is reported as master.

$ go version
go version go1.16.3 darwin/amd64
$ go install github.com/go-task/task/v3/cmd/task@latest
$ task --version
Task version: master

As of Go 1.16, go install uses module-aware mode by default. As a result, the module version and checksum is stored within the binary.

$ go version -m $(which task)
/Users/jamie/go/bin/task: go1.16.3
	path	github.com/go-task/task/v3/cmd/task
	mod	github.com/go-task/task/v3	v3.3.0	h1:IfyT0z7a8ap4ag2nIDRkx+bkTN9S3AFED6SqBFnuHqU=
	dep	github.com/fatih/color	v1.7.0	h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
	dep	github.com/go-task/slim-sprig	v0.0.0-20210107165309-348f09dbbbc0	h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
	dep	github.com/joho/godotenv	v1.3.0	h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc=
	dep	github.com/mattn/go-colorable	v0.1.2	h1:/bC9yWikZXAL9uJdulbSfyVNIR3n3trXl+v8+1sx8mU=
	dep	github.com/mattn/go-isatty	v0.0.8	h1:HLtExJ+uU2HOZ+wI0Tt5DtUDrx8yhUqDcp7fYERX4CE=
	dep	github.com/mattn/go-zglob	v0.0.1	h1:xsEx/XUoVlI6yXjqBK062zYhRTZltCNmYPx6v+8DNaY=
	dep	github.com/radovskyb/watcher	v1.0.5	h1:wqt7gb+HjGacvFoLTKeT44C+XVPxu7bvHvKT1IvZ7rw=
	dep	github.com/spf13/pflag	v1.0.5	h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
	dep	golang.org/x/sync	v0.0.0-20201020160332-67f06af15bc9	h1:SQFwaSi55rU7vdNs9Yr0Z324VNlrF+0wMqRXT4St8ck=
	dep	golang.org/x/sys	v0.0.0-20201029080932-201ba4db2418	h1:HlFl4V6pEMziuLXyRkm5BIYq1y1GAbb02pRlWvI54OM=
	dep	golang.org/x/term	v0.0.0-20191110171634-ad39bd3f0407	h1:5zh5atpUEdIc478E/ebrIaHLKcfVvG6dL/fGv7BcMoM=
	dep	gopkg.in/yaml.v3	v3.0.0-20200313102051-9f266ea9e77c	h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
	dep	mvdan.cc/sh/v3	v3.2.4	h1:+fZaWcXWRjYAvqzEKoDhDM3DkxdDUykU2iw0VMKFe9s=

Version Reporting

This pull request improves version reporting by reading the module version and checksum from BuildInfo.

The main.version symbol remains so that a commit hash can be written when building from source using task install, although it should not be written to in other build scenarios (e.g. when creating release builds). As such, to suppress the -X main.version=... linker argument, the default GoReleaser ldflags build configuration option is overridden so that only the -s -w flags are used.

GoReleaser Verifiable Builds

Published binaries do not currently contain module version and checksum information.

$ curl -sSL -o task.tar.gz https://github.com/go-task/task/releases/download/v3.3.0/task_darwin_amd64.tar.gz
$ tar -zxf task.tar.gz
$ go version -m task
task: go1.15.10
	path	command-line-arguments
	mod	github.com/go-task/task/v3	(devel)	
	dep	github.com/fatih/color	v1.7.0	h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
	dep	github.com/go-task/slim-sprig	v0.0.0-20210107165309-348f09dbbbc0	h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
	dep	github.com/joho/godotenv	v1.3.0	h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc=
	dep	github.com/mattn/go-colorable	v0.1.2	h1:/bC9yWikZXAL9uJdulbSfyVNIR3n3trXl+v8+1sx8mU=
	dep	github.com/mattn/go-isatty	v0.0.8	h1:HLtExJ+uU2HOZ+wI0Tt5DtUDrx8yhUqDcp7fYERX4CE=
	dep	github.com/mattn/go-zglob	v0.0.1	h1:xsEx/XUoVlI6yXjqBK062zYhRTZltCNmYPx6v+8DNaY=
	dep	github.com/radovskyb/watcher	v1.0.5	h1:wqt7gb+HjGacvFoLTKeT44C+XVPxu7bvHvKT1IvZ7rw=
	dep	github.com/spf13/pflag	v1.0.5	h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
	dep	golang.org/x/sync	v0.0.0-20201020160332-67f06af15bc9	h1:SQFwaSi55rU7vdNs9Yr0Z324VNlrF+0wMqRXT4St8ck=
	dep	golang.org/x/sys	v0.0.0-20201029080932-201ba4db2418	h1:HlFl4V6pEMziuLXyRkm5BIYq1y1GAbb02pRlWvI54OM=
	dep	golang.org/x/term	v0.0.0-20191110171634-ad39bd3f0407	h1:5zh5atpUEdIc478E/ebrIaHLKcfVvG6dL/fGv7BcMoM=
	dep	gopkg.in/yaml.v3	v3.0.0-20200313102051-9f266ea9e77c	h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
	dep	mvdan.cc/sh/v3	v3.2.4	h1:+fZaWcXWRjYAvqzEKoDhDM3DkxdDUykU2iw0VMKFe9s=

To address this, the verifiable builds option of GoReleaser has been enabled, meaning that Task will be obtained from the Go modules proxy before being built. As this option does not affect snapshot builds and instead requires that a tagged commit is built, I have been unable to verify that module details are added to the build information of binaries as expected. This is something which I would advise to test before merging to the main branch, otherwise release binaries might display unknown as their version.

[andreynering]

@JamieEdge Sweet! Thanks a lot for this improvement and for the detailed explanation. 😄

[andreynering]

Unfortunately I had to revert this change at e79354a in order to be able to release using Goreleaser. Goreleaser didn't seem to find the v3.4.0 release from the proxy despite the fact that the tag was already published to GitHub. I even retried it once.

@caarlos0 Sorry for pinging you, but do you have any idea on how to try to fix this so we can try again in the next release?

Here's the link to the build: https://github.com/go-task/task/runs/2371209371?check_suite_focus=true

Here's the output:

✅ GoReleaser version found: v0.162.0
⬇️ Downloading https://github.com/goreleaser/goreleaser/releases/download/v0.162.0/goreleaser_Linux_x86_64.tar.gz...
📦 Extracting GoReleaser...
/usr/bin/tar xz --warning=no-unknown-keyword -C /home/runner/work/_temp/b54d2dbf-8f16-4605-aa4b-2f517316cf00 -f /home/runner/work/_temp/6ff1a15c-ffa3-4262-901f-794056fd077e
✅ v3.4.0 tag found for commit '47e21a1'
🏃 Running GoReleaser...
/opt/hostedtoolcache/goreleaser-action/0.162.0/x64/goreleaser release --rm-dist
   • releasing...     
   • loading config file       file=.goreleaser.yml
   • loading environment variables
   • getting and validating git state
      • releasing v3.4.0, commit 47e21a1c6226198aecde3b54134d0bdcad212297
   • parsing tag      
   • running before hooks
   • setting defaults 
      • snapshotting     
      • github/gitlab/gitea releases
      • project name     
      • loading go mod information
      • building binaries
         • DEPRECATED: skipped darwin/arm64 build on Go < 1.16 for compatibility, check https://goreleaser.com/deprecations/#builds-for-darwinarm64 for more info.
      • creating source archive
      • archives         
      • linux packages   
      • snapcraft packages
      • calculating checksums
      • signing artifacts
      • docker images    
      • artifactory      
      • blobs            
      • homebrew tap formula
      • scoop manifests  
      • milestones       
   • snapshotting     
      • pipe skipped              error=not a snapshot
   • checking ./dist  
   • loading go mod information
      • proxying github.com/go-task/task/v3@v3.4.0 to build github.com/go-task/task/v3/cmd/task/task.go
   ⨯ release failed after 2.11s error=failed to proxy module: exit status 1: go: downloading github.com/go-task/task/v3 v3.4.0
go: finding module for package github.com/go-task/task/v3/cmd/task/task.go
go: downloading github.com/go-task/task v1.4.4
go: downloading github.com/go-task/task v2.2.0+incompatible
task imports
	github.com/go-task/task/v3/cmd/task/task.go: module github.com/go-task/task/v3@latest found (v3.4.0), but does not contain package github.com/go-task/task/v3/cmd/task/task.go

Error: The process '/opt/hostedtoolcache/goreleaser-action/0.162.0/x64/goreleaser' failed with exit code 1

[caarlos0]

@caarlos0 Sorry for pinging you, but do you have any idea on how to try to fix this so we can try again in the next release?

no idea, can you check whats inside dist/proxy/<BUILD ID>? Maybe go build from that folder and see what happens?

It seems that it did find the version, just not the package github.com/go-task/task/v3/cmd/task/task.go (weird thing having .go on the package name as well 🤔 )

[andreynering]

It worked now guys.

Thanks @JamieEdge and @caarlos0! 🎉