Command to lock the Gomfile

Question

Command to lock the Gomfile

Closed this issue 10 years ago · 15 comments

It'd be great if there was a command to lock the Gomfile with gom lock so that it stores all the git commit ids in a lockfile or in the Gomfile.

Answer 1 · 2014-11-25T04:58:22.000Z

e4a5f06 implemented it.

Answer 2 · 2015-01-15T01:38:14.000Z

When you perform a gom lock a new file called Gomfile.lock is created. If this file exists, the regular Gomfile is ignored, am I right?

Answer 3 · 2015-01-15T02:24:47.000Z

yes, right.

Answer 4 · 2015-01-15T02:28:38.000Z

Why not just update the original Gomfile then?
As it is now, you end up with two files with same purpose, that is, defining package dependencies.

Answer 5 · 2015-01-15T02:41:10.000Z

Gomfile is not depend on OS. But Gomfile.lock is depend on your OS. similar to Gemfile.lock

Answer 6 · 2015-01-15T02:46:37.000Z

I'm not familiar with Gemfiles at all, but I can't see anything regarding my OS in this Gomfile.lock:

gom 'github.com/Sirupsen/logrus', :commit => '3c5b048a9d4a00d644cf9992762c26d4ca8493ac'
gom 'github.com/auth0/go-jwt-middleware', :commit => '4fb819167f530a087591cbb0b9c287b0d53a7627'
gom 'github.com/codegangsta/negroni', :commit => '1dd3ab0ff59e13f5b73dcbf70703710aebe50d2f'
gom 'github.com/dgrijalva/jwt-go', :commit => 'a3e2f13bb7a4cfef6824fab97be5a7df9b86eff2'
gom 'github.com/gorilla/context', :commit => '215affda49addc4c8ef7e2534915df2c8c35c6cd'
gom 'github.com/gorilla/mux', :commit => 'e444e69cbd2e2e3e0749a2f3c717cec491552bbf'
gom 'github.com/gotk/ctx', :commit => '1feaa34465f5416722fb03f644c4879d10e29ebc'
gom 'github.com/gotk/pg', :commit => '617e7cfe66fb82f12f5c3b0b4551c979ae1d78f5'
gom 'github.com/guregu/null', :commit => '68a803260b6b65e7c87c2a641aaa31b3c4f0d240'
gom 'github.com/joho/godotenv', :commit => 'ead2e75027bf1a3f6457e28d9eb3c2fa05109d2b'
gom 'github.com/lib/pq', :commit => '19eeca3e30d2577b1761db471ec130810e67f532'
gom 'github.com/lib/pq/oid'
gom 'github.com/nicksnyder/go-i18n/i18n'
gom 'github.com/nicksnyder/go-i18n/i18n/bundle'
gom 'github.com/nicksnyder/go-i18n/i18n/language'
gom 'github.com/nicksnyder/go-i18n/i18n/translation'

And this is the original Gomfile:

gom 'github.com/Sirupsen/logrus'
gom 'github.com/auth0/go-jwt-middleware'
gom 'github.com/codegangsta/negroni'
gom 'github.com/dgrijalva/jwt-go'
gom 'github.com/gorilla/context'
gom 'github.com/gorilla/mux'
gom 'github.com/gotk/ctx'
gom 'github.com/gotk/pg'
gom 'github.com/guregu/null'
gom 'github.com/joho/godotenv'
gom 'github.com/lib/pq'
gom 'github.com/lib/pq/oid'
gom 'github.com/nicksnyder/go-i18n/i18n'
gom 'github.com/nicksnyder/go-i18n/i18n/bundle'
gom 'github.com/nicksnyder/go-i18n/i18n/language'
gom 'github.com/nicksnyder/go-i18n/i18n/translation'

Am I missing some important concept to handle these files correctly?

Answer 7 · 2015-01-15T02:51:25.000Z

This is not just things for OS. it locks versions by current commit-ids of dependencies. For example, if you have below line on linux/OSX, it will be removed on Gemfile.lock because it's not needed.

gom 'github.com/mattn/go-ole', :goos => 'windows'

Answer 8 · 2015-01-15T02:58:05.000Z

Sorry, but think I did not understand the entire workflow with gom yet.

What would be the most basic workflow, supposing that I don't have any OS specific package, just like the sample Gomfile provided earlier?

BTW, what are considered best practices about the _vendor directory and version control systems? Should it be added to the repository or totally ignored?

I don't know if this helps, but I came from a Python and Java background.

Answer 9 · 2015-01-15T03:05:43.000Z

What would be the most basic workflow, supposing that I don't have any OS specific package, just like the sample Gomfile provided earlier?

When Gomfile.lock exists, gom checkout the commit-id of extra package. This is a way to avoid unstable behavior of extra package.
So if you want, you can replace Gomfile.lock to Gomfile. Or you can put Gomfile.lock on repository.

BTW, what are considered best practices about the _vendor directory and version control systems? Should it be added to the repository or totally ignored?

If you want to stick versions of extra package, you've better to put _vendor directory on your repo.

Answer 10 · 2015-01-15T03:08:35.000Z

However when do gom install, gom checkout dependency with specific commit-id into vendor directory.

Answer 11 · 2015-01-15T03:29:00.000Z

If you want to stick versions of extra package, you've better to put _vendor directory on your repo.

I think I found an issue when I added the _vendor directory into the git repository. Let me try to explain the scenario:

The gom install command seems to perform a git clone of the repositories of the packages into the _vendor directory.

After that, when I git add _vendor, the files of these cloned repos are not added to my original repo, for instance:

On branch master
Your branch is up-to-date with 'origin/master'.
Changes to be committed:
  (use "git reset HEAD <file>..." to unstage)

    new file:   _vendor/src/github.com/Sirupsen/logrus
    new file:   _vendor/src/github.com/auth0/go-jwt-middleware
    new file:   _vendor/src/github.com/codegangsta/negroni
    new file:   _vendor/src/github.com/dgrijalva/jwt-go
    new file:   _vendor/src/github.com/gorilla/context
    new file:   _vendor/src/github.com/gorilla/mux
    new file:   _vendor/src/github.com/gotk/ctx
    new file:   _vendor/src/github.com/gotk/pg
    new file:   _vendor/src/github.com/guregu/null
    new file:   _vendor/src/github.com/joho/godotenv
    new file:   _vendor/src/github.com/lib/pq
    new file:   _vendor/src/github.com/nicksnyder/go-i18n

And I suppose that happens because those directories has their own .git directory (submodule, maybe?)

So, if I commit these changes, the files of the packages under _vendor will not be added, making the whole idea of a _vendor directory useless.

Hope this makes sense, if not let me know and I'll try to explain it better.

Answer 12 · 2015-01-15T03:32:15.000Z

And I suppose that happens because those directories has their own .git directory (submodule, maybe?)

Ah, Sorry you are right. I didn't still do this.
As i said in above, user must do gom install themselfs.

Answer 13 · 2015-01-15T04:04:43.000Z

As I believe the main purpose of tools like gom or godep is to provide a way to reproduce a build at any time, even if a dependency is not available to clone anymore, I was hoping that gom install would be able to "automagically" download the specific versions of each package listed in my Gomfile into the _vendor directory, so I could have a reliable "backup" of the dependencies added to my original repo.

Note that I mentioned "download" instead of "clone", in order to avoid the issue with submodules explained earlier. Maybe performing a git clone followed by rm -rf .git for each cloned repo could be a workaround for this "download only" feature.

Answer 14 · 2015-01-15T06:35:11.000Z

So workflow should be like below.

Don't put _vendor into repo
You can copy Gomfile.lock to Gomfile.

Answer 15 · 2015-01-15T12:39:02.000Z

But if I don't put the _vendor into my repo and a dependency has its repo deleted or reseted (git push --force) how could I reproduce my build?

I may be asking for something outside the original scope of gom, so I think I should manage this workflow by my own.

Nonetheless, your project is great and gave me really good ideas to deal with dependencies on the Go land. Keep it up. :-)