✨ hack/verify-go-modules.sh: compare dependency versions

[gman0]

Summary

This PR adds checks for go.mod dependencies, verifying the versions used in our modules are the same as the ones used declared by k8s.io/kubernetes module. When rebasing or otherwise bringing in dependency updates, they can break our code -- see #3283 (comment) for example. Just following the recommendations from this script, the issue I've just linked to was solved in a couple of minutes instead of regrettably spending a day or two debugging different things... :D

The checks only report warnings if our deps are more than a patch version apart with k8s.io/kubernetes, but never return non-zero exit code to not fail CI in cases when we want to use different versions deliberately.

Example output:

$ make verify-modules
hack/update-go-modules.sh
Tidying /tmp/ws/kcp-rebase/kcp/cli
Tidying /tmp/ws/kcp-rebase/kcp/docs/generators/cli-doc
Tidying /tmp/ws/kcp-rebase/kcp/sdk
Tidying /tmp/ws/kcp-rebase/kcp
hack/verify-go-modules.sh
Verifying /tmp/ws/kcp-rebase/kcp/cli
Verifying dependency versions in /tmp/ws/kcp-rebase/kcp/cli/go.mod against /home/rvasek/go/pkg/mod/cache/download/github.com/kcp-dev/kubernetes/@v/v0.0.0-20250223141144-b901243fc922.mod
Warning: version mismatch: has golang.org/x/[email protected], but v0.26.0 expected
Warning: version mismatch: has golang.org/x/[email protected], but v0.7.0 expected
Warning: version mismatch: has golang.org/x/[email protected], but v0.21.0 expected
Warning: version mismatch: has golang.org/x/[email protected], but v0.21.0 expected
Warning: version mismatch: has golang.org/x/[email protected], but v0.16.0 expected
Verifying /tmp/ws/kcp-rebase/kcp/docs/generators/cli-doc
Verifying dependency versions in /tmp/ws/kcp-rebase/kcp/docs/generators/cli-doc/go.mod against /home/rvasek/go/pkg/mod/cache/download/github.com/kcp-dev/kubernetes/@v/v0.0.0-20250223141144-b901243fc922.mod
Warning: version mismatch: has github.com/go-openapi/[email protected], but v0.19.6 expected
Warning: version mismatch: has github.com/go-openapi/[email protected], but v0.20.2 expected
Warning: version mismatch: has github.com/go-openapi/[email protected], but v0.22.4 expected
Warning: version mismatch: has github.com/mailru/[email protected], but v0.7.7 expected
Warning: version mismatch: has golang.org/x/[email protected], but v0.26.0 expected
Warning: version mismatch: has golang.org/x/[email protected], but v0.7.0 expected
Warning: version mismatch: has golang.org/x/[email protected], but v0.21.0 expected
Warning: version mismatch: has golang.org/x/[email protected], but v0.21.0 expected
Warning: version mismatch: has golang.org/x/[email protected], but v0.16.0 expected
Warning: version mismatch: has google.golang.org/[email protected], but v1.34.2 expected
Verifying /tmp/ws/kcp-rebase/kcp/sdk
Verifying dependency versions in /tmp/ws/kcp-rebase/kcp/sdk/go.mod against /home/rvasek/go/pkg/mod/cache/download/github.com/kcp-dev/kubernetes/@v/v0.0.0-20250223141144-b901243fc922.mod
Warning: version mismatch: has golang.org/x/[email protected], but v0.24.0 expected
Warning: version mismatch: has golang.org/x/[email protected], but v0.26.0 expected
Warning: version mismatch: has golang.org/x/[email protected], but v0.7.0 expected
Warning: version mismatch: has golang.org/x/[email protected], but v0.21.0 expected
Warning: version mismatch: has golang.org/x/[email protected], but v0.21.0 expected
Warning: version mismatch: has golang.org/x/[email protected], but v0.16.0 expected
Verifying /tmp/ws/kcp-rebase/kcp
Verifying dependency versions in /tmp/ws/kcp-rebase/kcp/go.mod against /home/rvasek/go/pkg/mod/cache/download/github.com/kcp-dev/kubernetes/@v/v0.0.0-20250223141144-b901243fc922.mod
Warning: version mismatch: has github.com/go-openapi/[email protected], but v0.19.6 expected
Warning: version mismatch: has github.com/go-openapi/[email protected], but v0.20.2 expected
Warning: version mismatch: has github.com/go-openapi/[email protected], but v0.22.4 expected
Warning: version mismatch: has github.com/mailru/[email protected], but v0.7.7 expected
Warning: version mismatch: has github.com/stoewer/[email protected], but v1.2.0 expected
Warning: version mismatch: has golang.org/x/[email protected], but v0.24.0 expected
Warning: version mismatch: has golang.org/x/[email protected], but v0.17.0 expected
Warning: version mismatch: has golang.org/x/[email protected], but v0.26.0 expected
Warning: version mismatch: has golang.org/x/[email protected], but v0.7.0 expected
Warning: version mismatch: has golang.org/x/[email protected], but v0.21.0 expected
Warning: version mismatch: has golang.org/x/[email protected], but v0.21.0 expected
Warning: version mismatch: has golang.org/x/[email protected], but v0.16.0 expected
Warning: version mismatch: has golang.org/x/[email protected], but v0.21.1-0.20240508182429-e35e4ccd0d2d expected
Warning: version mismatch: has google.golang.org/[email protected], but v1.34.2 expected
Verifying dependency versions in /home/rvasek/go/pkg/mod/cache/download/github.com/kcp-dev/client-go/@v/v0.0.0-20250223133118-3dea338dc267.mod against /home/rvasek/go/pkg/mod/cache/download/github.com/kcp-dev/kubernetes/@v/v0.0.0-20250223141144-b901243fc922.mod
Verifying dependency versions in /home/rvasek/go/pkg/mod/cache/download/github.com/kcp-dev/apimachinery/v2/@v/v2.0.1-0.20250223115924-431177b024f3.mod against /home/rvasek/go/pkg/mod/cache/download/github.com/kcp-dev/kubernetes/@v/v0.0.0-20250223141144-b901243fc922.mod

Related issue(s)

Fixes #3306

Release Notes

NONE

[kcp-ci-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign mjudeikis for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[embik]

I would honestly be open to fail the script if we have a drift, otherwise it's super easy to miss this and you need to know the script is doing it. WDYT?

[gman0]

We can, but this brings a need to keep a list of our go.mod files in specific order, and keep it up to date (though this would actually be nice now already). I'll explain.

At the moment, the order is semi-random depending a couple of factors, for example on my system it was like so (listing from the example output above):

1. kcp/cli,
2. kcp/docs/generators/cli-doc,
3. kcp/sdk,
4. and finally, kcp.

Assuming the script fails and exits after the first go.mod, the user would start with cleaning kcp/cli. But this module depends on kcp/sdk, and so it may happen that some changes in its dependencies will be reverted after running go mod tidy because kcp/sdk won't allow to fulfill them the way user wants.

If however kcp/sdk is fixed up first, deps in kcp/cli can be fixed up fine right after.

Things to do

So, if what's above makes sense, we'll need:

1. a hard-coded list of modules in kcp repo, ordered such that the arrows in the dependency tree would go in the correct direction (dep_a comes before dep_b if dep_b depends on dep_a)
2. have an assertion that checks the hard-coded list against the actual list of modules in the whole kcp repo, retrieved by find; so that new/removed mods are not missed.
3. optionally, send a PR that fixes the deps before we merge this one. The example output I've sent is from our current main branch, so we'd fail now. Alternatively, we do it in this PR. Let me know pls.

[embik]

I see, that sounds like a bigger challenge. I'd be okay with merging it as is.

[embik]

/retest

[gman0]

I actually did it over yesterday's evening, but we can iterate on this in another PR.