
Don't change published version tags to avoid go module checksum mismatch #326

Open
AdamSLevy opened this issue Nov 5, 2020 · 3 comments
Labels
needs triage Ticket that needs triage (a proper look for classification)

Comments

@AdamSLevy

AdamSLevy commented Nov 5, 2020

Recently it appears that the v1.12.0 tag was moved to a different commit. https://github.com/andygrunwald/go-jira/tree/v1.12.0

This has caused breakage in any go code that was using this tag's previous location in their go.sum file.

$ go mod tidy
verifying github.com/andygrunwald/go-jira@v1.12.0: checksum mismatch
	downloaded: h1:lf2Y3VFMuYNPbgAiLBHVDXYbmXrA4+/++7D6EFHK7xk=
	go.sum:     h1:JJi2cEDmDxVtTXxC8ruLDbtOU6pA4OLeL0niyfNcoWw=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

Changing a git tag is basically equivalent to force-pushing a public branch and can cause breakage and headaches for anyone downstream. Please please please avoid this in the future. Tags must be immutable. The correct approach likely would have been to create a new tag: v1.12.1, assuming the change was a minor patch without altering functionality or API. No matter what, don't change a tag you have already pushed.

Since the damage is done, I highly suggest just leaving it alone now and leaving this issue open for anyone else who runs into the above error. Changing the tag again, even back to where it was previously, will cause further headaches for users who have since applied the following fix. Edit: see my follow up comment below.

The fix for downstream users is to simply remove the corresponding lines from their go.sum file, clear this module out of your module cache (# rm -rf $(go env GOMODCACHE)/github.com/andygrunwald/go-jira@v1.12.0), and allow it to be updated with the new checksum by running go mod tidy. Edit: see my follow up comment below.

If you are a downstream user and already have this module in your cache from before the tag was altered, then it won't be downloaded and the checksum will pass. But any new users who clone your repo will hit the above error.
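The checksum mismatch above is the go command comparing the "h1:" hash of what it just downloaded against the hash it recorded earlier in go.sum. The following Go program is an added example, not code from this issue or from the go-jira project: it reimplements the h1 dirhash scheme over an in-memory module, records the hash the way go.sum does, then simulates a tag being moved (one file changes under the same version) and reproduces the mismatch report. The module path example.invalid/demo, its version and its file contents are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hash1 implements the "h1:" scheme used by go.sum (golang.org/x/mod/sumdb/dirhash.Hash1):
// for every file, sorted by name, emit "<hex sha256>  <name>\n", then sha256 the
// whole summary and base64-encode it. Names are paths inside the module zip,
// i.e. "<module>@<version>/<relative path>".
func hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var summary strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&summary, "%x  %s\n", sum, n)
	}
	final := sha256.Sum256([]byte(summary.String()))
	return "h1:" + base64.StdEncoding.EncodeToString(final[:])
}

// goModHash is the value on the "<module> <version>/go.mod" line of go.sum:
// the same scheme applied to a single file named "go.mod".
func goModHash(goMod []byte) string {
	return hash1(map[string][]byte{"go.mod": goMod})
}

// parseGoSum maps "<module> <version>" (or "<module> <version>/go.mod") to the
// recorded hash, ignoring blank or malformed lines.
func parseGoSum(text string) map[string]string {
	recorded := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue
		}
		recorded[f[0]+" "+f[1]] = f[2]
	}
	return recorded
}

// verify mirrors the go command's check: the hash of the downloaded module must
// equal the hash recorded earlier in go.sum. A missing entry is not an error
// (the go command would simply add one); a differing entry is reported in the
// same shape as the message quoted in this issue.
func verify(recorded map[string]string, module, version string, files map[string][]byte) error {
	want, ok := recorded[module+" "+version]
	if !ok {
		return nil
	}
	got := hash1(files)
	if got != want {
		return fmt.Errorf("verifying %s@%s: checksum mismatch\n\tdownloaded: %s\n\tgo.sum:     %s",
			module, version, got, want)
	}
	return nil
}

// demoModule builds a constructed (hypothetical) module at version v1.12.0.
// With retagged=true it returns what a moved tag would serve: same version
// string, different file contents.
func demoModule(retagged bool) map[string][]byte {
	prefix := "example.invalid/demo@v1.12.0/"
	src := "package demo\n\nfunc Version() string { return \"1.12.0\" }\n"
	if retagged {
		src = "package demo\n\nfunc Version() string { return \"1.12.0+patched\" }\n"
	}
	return map[string][]byte{
		prefix + "go.mod":  []byte("module example.invalid/demo\n\ngo 1.15\n"),
		prefix + "demo.go": []byte(src),
	}
}

func main() {
	original := demoModule(false)
	// What a downstream go.sum recorded when v1.12.0 was first fetched.
	goSum := fmt.Sprintf("example.invalid/demo v1.12.0 %s\nexample.invalid/demo v1.12.0/go.mod %s\n",
		hash1(original), goModHash(original["example.invalid/demo@v1.12.0/go.mod"]))
	recorded := parseGoSum(goSum)

	fmt.Println("before tag move:", verify(recorded, "example.invalid/demo", "v1.12.0", original))
	fmt.Println("after tag move:", verify(recorded, "example.invalid/demo", "v1.12.0", demoModule(true)))
}
```

The point the program makes is the one the issue makes: the hash depends only on the bytes served for a given module@version, so a tag that moves to a commit with any different content (even a one-line change) can never agree with the value already pinned in downstream go.sum files; only a new version string gets a fresh line.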

@github-actions

github-actions bot commented Nov 5, 2020

Hi! Thank you for taking the time to create your first issue! Really cool to see you here for the first time. Please give us a bit of time to review it.

@AdamSLevy
Author

AdamSLevy commented Nov 5, 2020

Reviewing the diff between v1.12.0 and v1.13.0 I see that v1.12.0 is actually identical to v1.13.0 in terms of code. So I am going to amend my suggestion and recommend that you actually restore the location of the v1.12.0 tag to wherever it was before.

v1.12.0...v1.13.0

@andygrunwald andygrunwald added the needs triage Ticket that needs triage (a proper look for classification) label Aug 20, 2022
@andygrunwald
Owner

Hey,

I am very sorry that this issue has been open for a long time with no final solution. We work on this project in our spare time, and sometimes, other priorities take over. This is the typical open source dilemma.

However, there is news: We are kicking off v2 of this library 🚀

To provide visibility, we created the Road to v2 Milestone and are calling for your feedback in #489

The development will take some time; however, I hope you can benefit from the changes.
If you seek priority development for your issue + you like to sponsor it, please contact me.

What does this mean for my issue?

We will work on this issue indirectly.
This means that during the development phase, we aim to tackle it.
Maybe in a different way than it is currently handled.
Please understand that this will take a while because we are running this in our spare time.

Final words

Thanks for using this library.
If there is anything else you would like to tell us, let us know!
