Mk/Uses/go.mk: Be more lenient about vendoring

Add flag to `go mod vendor` instructing it to proceed despite errors
encountered while loading packages. This will allow build to continue
(with warnings) when e.g. upstream ships outdated go.sum with missing
checksums for some packages. Invalid checksums are still security
errors [1].

While here, add additional module cache revalidation after fetching
dependencies.

[1] https://go.dev/ref/mod#authenticating
Dmitri Goutnik 2022-05-05 06:12:44 -05:00
parent d2ed2b98e2
commit 4e29133174


@ -162,7 +162,8 @@ post-fetch:
@${ECHO_MSG} "===> Fetching ${GO_MODNAME} dependencies";
@(cd ${DISTDIR}/${DIST_SUBDIR}; \
[ -e go.mod ] || ${RLN} ${GO_MODFILE} go.mod; \
${SETENV} ${GO_ENV} GOPROXY=${GO_GOPROXY} ${GO_CMD} mod download -x)
${SETENV} ${GO_ENV} GOPROXY=${GO_GOPROXY} ${GO_CMD} mod download -x; \
${SETENV} ${GO_ENV} GOPROXY=${GO_GOPROXY} ${GO_CMD} mod verify)
. endif
. if !target(post-extract)
@ -172,7 +173,7 @@ post-extract:
@${LN} -sf ${WRKSRC} ${GO_WRKSRC}
. elif ${go_ARGS:Mmodules} && defined(GO_MODULE)
post-extract:
@(cd ${GO_WRKSRC}; ${SETENV} ${GO_ENV} GOPROXY=off ${GO_CMD} mod vendor)
@(cd ${GO_WRKSRC}; ${SETENV} ${GO_ENV} GOPROXY=off ${GO_CMD} mod vendor -e)
. endif
. endif
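Review bot: The `-e` added to `${GO_CMD} mod vendor` in post-extract turns package-load errors into warnings, and nothing in the recipe records why, so an incomplete vendor tree can pass unnoticed in a build log. The rationale exists only in the commit message; a comment above that line would keep it with the code, e.g. `# -e: continue past package-load errors (e.g. stale upstream go.sum); checksum mismatches are expected to remain fatal`. In post-fetch, `mod verify` compares the module cache with the hashes recorded when the modules were downloaded, not with go.sum, so it detects cache modification after download but does not make up for entries missing from go.sum; a comment there should say so. The new command is also joined with `;`, so unless the recipe shell runs with `-e` the subshell's exit status is now that of `mod verify` rather than `mod download`; joining the two with `&&` would make that dependency explicit.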