main branch building tools on-the-fly can fail lint for non-hermetic staticcheck build #1055
Description
The staticcheck that is installed as part of the GNUmakefile build target lint compiles a staticcheck from source in a non-hermetic manner. A binary install of staticcheck-2025.1, or even 2025.1.1, would be more predictable:
Allans-MBP2025:~ allanc$ cd ~/src
Allans-MBP2025:src allanc$ git clone [email protected]:chickenandpork/nomad-autoscaler.git has
Cloning into 'has'...
remote: Enumerating objects: 9705, done.
remote: Counting objects: 100% (547/547), done.
remote: Compressing objects: 100% (287/287), done.
remote: Total 9705 (delta 518), reused 264 (delta 260), pack-reused 9158 (from 3)
Receiving objects: 100% (9705/9705), 4.65 MiB | 4.67 MiB/s, done.
Resolving deltas: 100% (5631/5631), done.
Allans-MBP2025:src allanc$ cd ~/src/has
Allans-MBP2025:has allanc$ git log -n 1
commit b5ed40e3cea4a3a8e73dceb3966245589257672a (HEAD -> main, origin/main, origin/HEAD)
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu Mar 13 08:46:43 2025 +0000
build(deps): bump golang.org/x/net from 0.35.0 to 0.36.0 (#1053)
Co-authored-by: James Rasell <[email protected]>
Allans-MBP2025:has allanc$ staticcheck -version
-bash: staticcheck: command not found
Allans-MBP2025:has allanc$ make lint
==> Installing lint tools...
go install github.com/golangci/golangci-lint/cmd/[email protected]
go install honnef.co/go/tools/cmd/[email protected]
go install github.com/hashicorp/go-hclog/hclogvet@feaf6d2ec20fd895e711195c99e3fde93a68afc5
go install github.com/hashicorp/hcl/v2/cmd/hclfmt@d0c4fa8b0bbc2e4eeccd1ed2a32c2089ed8c5cf1
==> Done
==> Installing code generate tools...
go install github.com/bufbuild/buf/cmd/[email protected]
go install github.com/golang/protobuf/[email protected]
go: module github.com/golang/protobuf is deprecated: Use the "google.golang.org/protobuf" module instead.
==> Done
--> Formatting HCL
==> Linting source code...
-: module requires at least go1.23.5, but Staticcheck was built with go1.23.4 (compile)
make: *** [lint] Error 1
I'd note that even the main branch of go-tools, which hosts staticcheck, sets go 1.23
Anyone who runs into this themselves has two options:
- if you can -- without altering the non-hermetic build env for other projects -- update your local go toolchain >= 1.23.5 (I mean, why are you so far behind? :) cuz reasons... )
- grab the binary of staticcheck from the provider (https://github.com/dominikh/go-tools/releases/tag/2025.1.1 ) and put that in a place on your
${PATH}that's earlier than your${GOPATH}/bin(some shells necessitate reopening the shell to clear the cached path resolutions)
If these workarounds are acceptable, feel free to close this issue as simply mitigation docs for anyone else who hits it.