chore: relax go directive to permit 1.22.x #384
Conversation
Now that sigstore/sigstore#1878 and sigstore/rekor#2323 have both landed in tagged release we can pull those updates into sigstore-go and similarly relax the go.mod go directive here to 1.22.0 as well. The go directive sets the minimum version of Go required to use this module. There's no need to set this to the latest semver patch version of a given Go release unless the semantics of that version of Go are required to build/test/use the module. Ref: https://go.dev/ref/mod#go-mod-file-go Signed-off-by: Dominic Evans <[email protected]>
| github.com/sigstore/rekor v1.3.7 // indirect | ||
| github.com/sigstore/timestamp-authority v1.2.3 // indirect | ||
| github.com/sigstore/rekor v1.3.8 // indirect | ||
| github.com/sigstore/timestamp-authority v1.2.2 // indirect |
There was a problem hiding this comment.
Was timestamp-authority downgraded by accident??
There was a problem hiding this comment.
No, it’s an indirect dep and has been downgraded elsewhere, presumably because the current version has a higher go directive. It’ll need similar changes to this repo to bring it in-line
There was a problem hiding this comment.
Raised sigstore/timestamp-authority#927 for that one
There was a problem hiding this comment.
Looking at the version tag comparison sigstore/timestamp-authority@v1.2.2...v1.2.3 it seems to be 95% dependabot dependency bumps and only sigstore/timestamp-authority#644 is a functional change, which is in CLI tooling that doesn't effect the import usage here, so I think it is fine for it to be downgraded in the meantime anyway
There was a problem hiding this comment.
We can cut a new release of timestamp-authority with the downgrade.
There was a problem hiding this comment.
There was a problem hiding this comment.
Now that v1.2.4 is available with a similar go1.22.0 we can bump it back up again. Added a commit to bump timestamp-authority
There was a problem hiding this comment.
Should this go mod file be updated as well?
There was a problem hiding this comment.
Yep fixed with new commit to do that and go mod tidy
Also bumped toolchain to latest go1.23.5 as that has been released in the interim too
Now that v1.2.4 is available with a similar go1.22.0 we can bump it back up again. Signed-off-by: Dominic Evans <[email protected]>
Also bump toolchain to latest go1.23.5 as that has been released in the interim Signed-off-by: Dominic Evans <[email protected]>
Summary
Now that sigstore/sigstore#1878 and sigstore/rekor#2323 have both landed in tagged release we can pull those updates into sigstore-go and similarly relax the go.mod go directive here to 1.22.0 as well.
The go directive sets the minimum version of Go required to use this module. There's no need to set this to the latest semver patch version of a given Go release unless the semantics of that version of Go are required to build/test/use the module.
Ref: https://go.dev/ref/mod#go-mod-file-go
Release Note
NONE
Documentation
NONE