Should go.sum file be checked in to the git repository?
Go Problem Overview
I have a program with source code hosted on GitHub that uses Go Modules introduced in go 1.11. `go.mod` file describes my dependencies, but `go.sum` file seems to be a lockfile. Should I be adding `go.sum` to my repository or should I gitignore it?
Go Solutions
Solution 1 - Go
https://github.com/golang/go/wiki/Modules#releasing-modules-all-versions:
> Ensure your go.sum file is committed along with your go.mod file.
Solution 2 - Go
(Building on a previous answer.)
Yes, commit `go.sum`.
> Ensure your `go.sum` file is committed along with your `go.mod` file. See FAQ below for more details and rationale.
From the FAQ:
> ### Should I commit my 'go.sum' file as well as my 'go.mod' file?
> Typically your module's `go.sum` file should be committed along with your `go.mod` file.
>
> - `go.sum` contains the expected cryptographic checksums of the content of specific module versions.
> - If someone clones your repository and downloads your dependencies using the go command, they will receive an error if there is any mismatch between their downloaded copies of your dependencies and the corresponding entries in your `go.sum`.
> - In addition, `go mod verify` checks that the on-disk cached copies of module downloads still match the entries in `go.sum`.
> - Note that `go.sum` is not a lock file as used in some alternative dependency management systems. (`go.mod` provides enough information for reproducible builds).
> - See very brief rationale here from Filippo Valsorda on why you should check in your `go.sum`. See the "Module downloading and verification" section of the tip documentation for more details. See possible future extensions being discussed for example in #24117 and #25530.
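
How the mismatch error described in the FAQ arises, as an added example that is not part of the original answers or the Go toolchain's own code: it re-implements the `h1:` directory hash (SHA-256 over sorted per-file SHA-256 lines, as in the `dirhash` package of golang.org/x/mod) and checks a module tree against a `go.sum` entry. The module path `example.com/dep`, its file contents and the helper names `hashH1`, `parseGoSum` and `verify` are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hashH1: SHA-256 over sorted "<sha256 hex of file>  <name>\n" lines, base64-encoded.
func hashH1(files map[string]string) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		fmt.Fprintf(h, "%x  %s\n", sha256.Sum256([]byte(files[n])), n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// parseGoSum reads go.sum lines of the form "<module> <version> <hash>".
func parseGoSum(text string) map[string]string {
	sums := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) == 3 {
			sums[f[0]+" "+f[1]] = f[2]
		}
	}
	return sums
}

// verify fails on any difference from go.sum; a missing entry ("") fails too.
func verify(sums map[string]string, modVer string, files map[string]string) error {
	if got, want := hashH1(files), sums[modVer]; got != want {
		return fmt.Errorf("verifying %s: checksum mismatch (downloaded %s, go.sum %q)", modVer, got, want)
	}
	return nil
}

func main() {
	const dep, file = "example.com/dep v1.0.0", "example.com/dep@v1.0.0/dep.go" // constructed sample
	tree := map[string]string{file: "package dep\n"}
	sums := parseGoSum(dep + " " + hashH1(tree) + "\n") // stands in for the committed go.sum
	fmt.Println("as committed:", verify(sums, dep, tree))
	tree[file] += "func init() {}\n" // downloaded content differs from what go.sum recorded
	fmt.Println("after change:", verify(sums, dep, tree))
}
```

Because the expected hash lives in the committed `go.sum`, every clone checks downloads against the same recorded value rather than against whatever the proxy or upstream repository serves that day.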