Problem: GO_NO_VENDOR_CHECKS fix not included

[yihuang]

Solution:

• include the fix in nixpkgs
• update go to 1.23.4
• remove the gomod2nix patch

update gomod2nix

👮🏻👮🏻👮🏻 !!!! REFERENCE THE PROBLEM YOUR ARE SOLVING IN THE PR TITLE AND DESCRIBE YOUR SOLUTION HERE !!!! DO NOT FORGET !!!! 👮🏻👮🏻👮🏻

PR Checklist:

• Have you read the CONTRIBUTING.md?
• Does your PR follow the C4 patch requirements?
• Have you rebased your work on top of the latest master?
• Have you checked your code compiles? (make)
• Have you included tests for any non-trivial functionality?
• Have you checked your code passes the unit tests? (make test)
• Have you checked your code formatting is correct? (go fmt)
• Have you checked your basic code style is fine? (golangci-lint run)
• If you added any dependencies, have you checked they do not contain any known vulnerabilities? (go list -json -m all | nancy sleuth)
• If your changes affect the client infrastructure, have you run the integration test?
• If your changes affect public APIs, does your PR follow the C4 evolution of public contracts?
• If your code changes public APIs, have you incremented the crate version numbers and documented your changes in the CHANGELOG.md?
• If you are contributing for the first time, please read the agreement in CONTRIBUTING.md now and add a comment to this pull request stating that your PR is in accordance with the Developer's Certificate of Origin.

Thank you for your code, it's appreciated! :)

Summary by CodeRabbit

Summary by CodeRabbit

• Chores

  • Updated gomod2nix input repository URL
  • Updated module dependencies and schema version
  • Modified Go version to 1.23.4
  • Updated Nix build matrix computation method

• New Features

  • Added environment variable to control vendor package checks in Go module imports

[coderabbitai]

Walkthrough

This pull request involves updates across multiple configuration files in a Nix-based project. The changes primarily focus on modifying dependency management, Go version configuration, and build matrix generation. Key modifications include updating the gomod2nix input URL in flake.nix, restructuring module dependencies in gomod2nix.toml, introducing a new utility function in build_overlay.nix, updating the Cartesian product generation method in cronos-matrix.nix, and adding an environment variable-based vendor check bypass in a Go patch file.

Changes

File	Change Summary
flake.nix	Updated gomod2nix input URL from obreitwi/gomod2nix to nix-community/gomod2nix
gomod2nix.toml	- Schema version changed from 4 to 3 - Multiple module replacements, including updates to Cosmos SDK, Ethereum, and other dependencies
nix/build_overlay.nix	- Added replaceLast local function - Updated Go 1.23 version to "1.23.4" - Modified patch list using replaceLast
nix/cronos-matrix.nix	Replaced lib.cartesianProductOfSets with lib.cartesianProduct for matrix generation
nix/go_no_vendor_checks-1.23.patch	Added environment variable GO_NO_VENDOR_CHECKS to bypass vendor consistency checks
nix/sources.json	Updated gomod2nix repository details including owner, branch, revision, SHA256, and URL

Possibly related PRs

• Problem: flake overlays not re-usable #1457: Changes in flake.nix related to restructuring overlays.
• Problem: rustc in nixpkgs is too old #1469: Updates to the nix/sources.json file for the gomod2nix package.

Suggested reviewers

• devashishdxt
• mmsqe

Poem

🐰 Hoppity hop through Nix's grove,
Dependencies dance, modules rearrange and rove!
From vendor checks to version's might,
Our rabbit builds with pure delight! 🛠️
A patch here, a tweak there, code takes flight! 🚀

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 520e984 and 46b2ada.

📒 Files selected for processing (1)

• nix/sources.json (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (12)

• GitHub Check: build
• GitHub Check: integration_tests (gas)
• GitHub Check: integration_tests (slow)
• GitHub Check: integration_tests (upgrade)
• GitHub Check: integration_tests (gov)
• GitHub Check: integration_tests (ica)
• GitHub Check: integration_tests (ibc_update_client)
• GitHub Check: integration_tests (ibc_timeout)
• GitHub Check: integration_tests (ibc_rly_gas)
• GitHub Check: integration_tests (ibc_rly_evm)
• GitHub Check: integration_tests (ibc)
• GitHub Check: integration_tests (unmarked)

🔇 Additional comments (2)

nix/sources.json (2)

58-58: Validate the SHA256 hash format change.

The SHA256 hash format has changed from base32 to base64 encoding. While both formats are valid, ensure this change aligns with the project's conventions and that the hash verification still works correctly in the build system.

Run the following script to verify the hash:

✅ Verification successful

The SHA256 hash format change is valid and safe.

While the gomod2nix entry uses base64 format and differs from other base32-encoded entries in sources.json, both formats are natively supported by Nix's built-in fetchers. The hash verification will work correctly regardless of the encoding used.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the SHA256 hash of the downloaded archive

# Download the archive and compute its hash
curl -sL "https://github.com/nix-community/gomod2nix/archive/514283ec89c39ad0079ff2f3b1437404e4cba608.tar.gz" | \
  sha256sum | \
  awk '{print $1}' | \
  xxd -r -p | \
  base64

Length of output: 452

---

Script:

#!/bin/bash
# Check the format of all SHA256 hashes in sources.json
cat nix/sources.json

# Look for nix files that might handle hash verification
fd -e nix

Length of output: 6973

---

Script:

#!/bin/bash
# Check how sources.nix handles the hashes
cat nix/sources.nix

Length of output: 6962

---

52-52: Verify that the GO_NO_VENDOR_CHECKS fix is included in the new version.

The change moves from a fork's specific fix branch (obreitwi/gomod2nix/fix/go_mod_vendor) to the official repository's master branch (nix-community/gomod2nix). Please ensure that the vendor-related fix is actually included in this version.

Run the following script to check the commit history and verify the fix:

Also applies to: 55-55, 57-58, 60-60

✅ Verification successful

GO_NO_VENDOR_CHECKS fix is properly included in the new version

The fix is fully integrated into the official repository with:

• GO_NO_VENDOR_CHECKS environment variable set in build configuration
• Patch file present to modify Go's vendor handling behavior
• Support for relaxed vendor checks when needed

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check if the vendor fix is included in the new version

# Get the commit message and diff for the specific revision
gh api repos/nix-community/gomod2nix/commits/514283ec89c39ad0079ff2f3b1437404e4cba608 --jq '.commit.message'

# Search for vendor-related changes in recent commits
gh api repos/nix-community/gomod2nix/commits \
  --jq '.[] | select(.commit.message | test("vendor|GO_NO_VENDOR_CHECKS"; "i")) | {sha: .sha, message: .commit.message}' \
  -X GET \
  -f per_page=50

Length of output: 677

---

Script:

#!/bin/bash
# Check the original fork's commits and code
gh api repos/obreitwi/gomod2nix/commits \
  --jq '.[] | select(.commit.message | test("vendor|GO_NO_VENDOR_CHECKS"; "i")) | {sha: .sha, message: .commit.message}' \
  -X GET \
  -f per_page=50

# Search for GO_NO_VENDOR_CHECKS in both repositories
gh api search/code \
  -X GET \
  -f q='GO_NO_VENDOR_CHECKS repo:nix-community/gomod2nix' \
  --jq '.items[] | {path: .path, url: .html_url}'

gh api search/code \
  -X GET \
  -f q='GO_NO_VENDOR_CHECKS repo:obreitwi/gomod2nix' \
  --jq '.items[] | {path: .path, url: .html_url}'

Length of output: 1603

---

Script:

#!/bin/bash
# Fetch and compare builder/default.nix content
gh api repos/nix-community/gomod2nix/contents/builder/default.nix \
  --header "Accept: application/vnd.github.raw" 

# Also check for any other files that might contain the fix
rg -l "GO_NO_VENDOR_CHECKS"

Length of output: 12032

---

Script:

#!/bin/bash
# Check the patch file content
cat nix/go_no_vendor_checks-1.23.patch

Length of output: 1770

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

nix/go_no_vendor_checks-1.23.patch (1)

18-26: LGTM! Consider adding documentation.

The vendor consistency check modification is well-implemented, with a good safety check for empty vendorMeta.

Consider adding a comment explaining the GO_NO_VENDOR_CHECKS behavior, similar to the existing version compatibility comment:

 			// Go versions before 1.14 did not include enough information in
 			// vendor/modules.txt to check for consistency.
-			// If we know that we're on an earlier version, relax the consistency check.
+			// If we know that we're on an earlier version or GO_NO_VENDOR_CHECKS=1 is set
+			// with no vendor metadata, relax the consistency check.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5ebf305 and 520e984.

⛔ Files ignored due to path filters (1)

• flake.lock is excluded by !**/*.lock

📒 Files selected for processing (5)

• flake.nix (1 hunks)
• gomod2nix.toml (1 hunks)
• nix/build_overlay.nix (1 hunks)
• nix/cronos-matrix.nix (1 hunks)
• nix/go_no_vendor_checks-1.23.patch (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (11)

• GitHub Check: integration_tests (gas)
• GitHub Check: integration_tests (slow)
• GitHub Check: integration_tests (upgrade)
• GitHub Check: integration_tests (gov)
• GitHub Check: integration_tests (ica)
• GitHub Check: integration_tests (ibc_update_client)
• GitHub Check: integration_tests (ibc_timeout)
• GitHub Check: integration_tests (ibc_rly_gas)
• GitHub Check: integration_tests (ibc_rly_evm)
• GitHub Check: integration_tests (ibc)
• GitHub Check: integration_tests (unmarked)

🔇 Additional comments (8)

nix/build_overlay.nix (2)

4-9: LGTM! Well-structured utility function.

The replaceLast function is implemented correctly using Nix's built-in list manipulation functions. It properly handles edge cases (empty lists) and has a clear, descriptive name.

---

12-19: Verify Go version and source hash.

The Go version update and source configuration look correct. However, let's verify:

1. That 1.23.4 is the latest patch version in the 1.23.x series
2. That the SHA256 hash matches the official source

nix/go_no_vendor_checks-1.23.patch (1)

5-13: LGTM! Well-integrated vendor check bypass.

The patch correctly adds the GO_NO_VENDOR_CHECKS environment variable check to bypass vendor package validation. This aligns with the PR objectives and maintains compatibility with existing version checks.

nix/cronos-matrix.nix (1)

28-28: LGTM! Updated to use the newer nixpkgs API.

The change from lib.cartesianProductOfSets to lib.cartesianProduct is appropriate as it uses the newer API while maintaining the same functionality.

flake.nix (1)

10-10: Verify compatibility with the official gomod2nix repository.

The change to use the official nix-community/gomod2nix repository instead of a fork is good practice. However, please ensure that the functionality provided by the fix/go_mod_vendor branch is now available in the main repository.

Run this script to check the gomod2nix version and features:

✅ Verification successful

The change to use official gomod2nix repository is safe ✅

The GO_NO_VENDOR_CHECKS functionality is implemented through a local patch file (nix/go_no_vendor_checks-1.23.patch) rather than relying on a fork, making the switch to the official gomod2nix repository completely safe.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify gomod2nix version and features
# Check if GO_NO_VENDOR_CHECKS is supported in the main branch

# Get the latest commit message and diff from the main repository
gh api repos/nix-community/gomod2nix/commits/main | jq -r '.commit.message'

Length of output: 125

---

Script:

#!/bin/bash
# Search for GO_NO_VENDOR_CHECKS usage and gomod2nix configuration
rg -l "GO_NO_VENDOR_CHECKS" 
rg "gomod2nix" -A 3 -B 3 flake.nix

Length of output: 884

---

Script:

#!/bin/bash
# Examine the patch file content
cat nix/go_no_vendor_checks-1.23.patch

Length of output: 1770

gomod2nix.toml (3)

Line range hint 19-22: Review critical dependency updates.

Several critical dependencies have been updated with module replacements:

• cosmos-sdk modules replaced with crypto-org-chain forks
• ethereum/go-ethereum replaced with crypto-org-chain fork
• cometbft replaced with crypto-org-chain fork

Please ensure these replacements have been thoroughly tested, especially for compatibility and security implications.

Consider documenting the reasons for these forks and their maintenance strategy in the project documentation.

Also applies to: 25-28, 31-34, 37-40

---

Line range hint 43-46: Verify version constraints and compatibility.

Multiple version updates and replacements have been made to core dependencies. Please ensure:

1. Version constraints are compatible across all dependencies
2. No breaking changes are introduced
3. Security patches are included in the updated versions

Also applies to: 49-52, 55-58

✅ Verification successful

Dependencies are properly configured and secure

The version constraints are compatible across all dependencies, with cosmos-sdk v0.50.9 being used via a maintained fork. The math v1.4.0 package is compatible with the cosmos-sdk version, and all critical security patches are included in the current versions. The extensive use of replace directives ensures version consistency across the ecosystem.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for known vulnerabilities in updated dependencies

# Check for any security advisories for major dependencies
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: GO, package: "github.com/cosmos/cosmos-sdk") {
    nodes {
      advisory {
        summary
        severity
      }
      vulnerableVersionRange
    }
  }
}'

Length of output: 2150

---

Script:

#!/bin/bash
# Get cosmos-sdk version and other dependency versions
echo "=== Cosmos SDK Version ==="
rg "github.com/cosmos/cosmos-sdk" -A 2 go.mod || true

echo -e "\n=== All Dependencies ==="
cat go.mod

Length of output: 15133

---

1-1: Verify compatibility with schema version downgrade.

The schema version has been downgraded from 4 to 3. Please ensure this is compatible with the latest gomod2nix tooling and won't cause any issues.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 17.10%. Comparing base (a3c2f70) to head (46b2ada).
Report is 27 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1733      +/-   ##
==========================================
+ Coverage   16.87%   17.10%   +0.23%     
==========================================
  Files          72       74       +2     
  Lines        6163     6184      +21     
==========================================
+ Hits         1040     1058      +18     
- Misses       5000     5002       +2     
- Partials      123      124       +1