Cosign targets Go 1.21, but uses 1.22 only dependency `github.com/buildkite/agent/v3@v3.65.0`
Closed this issue · 3 comments
Description
Cosign declares itself to be buildable with Go 1.21:
Line 3 in 5d60a9a
However, it refers to a dependency github.com/buildkite/agent/v3@v3.65.0, which is Go 1.22 only.
This causes problems for any package that imports Cosign, as you may see build errors, when running on Go 1.21.
My IDE fails with this command:
$ go list -json -m -u -mod=readonly all
go: loading module retractions for github.com/buildkite/agent/v3@v3.62.0: module github.com/buildkite/agent/v3@v3.66.0 requires go >= 1.22 (running go 1.21.4)
You could see the referral with:
$ go mod graph | grep github.com/buildkite/agent/v3
github.com/sigstore/cosign/v2@v2.2.3 github.com/buildkite/agent/v3@v3.62.0
Version
I'm using the latest released package: github.com/sigstore/cosign/v2@v2.2.3
Sorry, for the noise. This clearly must be some problem on my side, as cosign clearly declares dependency to github.com/buildkite/agent/v3@v3.62.0, not github.com/buildkite/agent/v3@v3.65.0
Line 9 in 493e6e2
I'm getting the same error. Trying to build cosign 2.2.3 on Go 1.20. Do I need to upgrade to Go 1.21?
12:45:35 /go/pkg/mod/github.com/buildkite/agent/v3@v3.62.0/api/retryable.go:8:2: package slices is not in GOROOT (/usr/local/go/src/slices)
EDIT: Ah, I see this now.
12:45:35 note: imported by a module that requires go 1.21
1.21 is required, but we haven't moved to 1.22 yet.