microsoft
diff --git a/‎patches/0005-Disable-GOTOOLCHAIN-support.patch
Lines changed: 71 additions & 0 deletions b/‎patches/0005-Disable-GOTOOLCHAIN-support.patch
Lines changed: 71 additions & 0 deletions
diff --git a/‎patches/0005-Update-default-go.env.patch
Lines changed: 0 additions & 24 deletions b/‎patches/0005-Update-default-go.env.patch
Lines changed: 0 additions & 24 deletions
@@ -0,0 +1,71 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: qmuntal <[email protected]>
+Date: Thu, 8 Jun 2023 14:17:13 +0200
+Subject: [PATCH] Disable GOTOOLCHAIN support
+
+The GOTOOLCHAIN feature can potentially make a Go invocation switch
+to a non-Microsoft toolchain. To avoid it, change the GOTOOLCHAIN
+default value from "auto" to "local" and instruct the Go toolchain
+to panic if the user manually modifies the GOTOOLCHAIN variable.
+---
+ go.env                         |  6 ++++--
+ src/cmd/go/internal/cfg/cfg.go | 18 ++++++++++++++++++
+ src/cmd/go/script_test.go      |  1 +
+ 3 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/go.env b/go.env
+index 6ff2b921d464bc..36c3bdfc9b6087 100644
+--- a/go.env
++++ b/go.env
+@@ -7,6 +7,8 @@
+ GOPROXY=https://proxy.golang.org,direct
+ GOSUMDB=sum.golang.org
+ 
+-# Automatically download newer toolchains as directed by go.mod files.
++# Use the locally installed Go toolchain, never downloading a different one.
++# Upstream uses `GOTOOLCHAIN=auto` instead, but `auto` can download and switch
++# to a Go toolchain not built by Microsoft, and we want to avoid that.
+ # See https://go.dev/doc/toolchain for details.
+-GOTOOLCHAIN=auto
++GOTOOLCHAIN=local
+diff --git a/src/cmd/go/internal/cfg/cfg.go b/src/cmd/go/internal/cfg/cfg.go
+index 3b9f27e91d517e..3084f681499c2c 100644
+--- a/src/cmd/go/internal/cfg/cfg.go
++++ b/src/cmd/go/internal/cfg/cfg.go
+@@ -401,6 +401,24 @@ func Getenv(key string) string {
+ 	}
+ 	val := os.Getenv(key)
+ 	if val != "" {
++		if key == "GOTOOLCHAIN" && val != "local" {
++			// Don't allow GOTOOLCHAIN to be set to anything but "local".
++			// That could cause the go command to use a different toolchain
++			// than the Microsoft build of Go without warning. This can be
++			// difficult to diagnose and may silently cause the user to
++			// unintentionally build a program that violates Microsoft's
++			// internal policies for Go.
++			//
++			// We allow bypassing this safety feature. We need to while running
++			// the TestScript test from the cmd/go package, else many tests will fail.
++			// It's also possible for existing workflows to intentionally depend on this behavior.
++			if v := os.Getenv("MS_GOTOOLCHAIN_ALLOW_NON_LOCAL"); v != "1" {
++				println("GOTOOLCHAIN is set to \"" + val + "\" but only \"local\" is allowed.")
++				println("To allow this, set MS_GOTOOLCHAIN_ALLOW_NON_LOCAL=1 in your environment.")
++				print("Take into account that that could cause the go command to use a different toolchain than the Microsoft build of Go.")
++				os.Exit(1)
++			}
++		}
+ 		return val
+ 	}
+ 	envCache.once.Do(initEnvCache)
+diff --git a/src/cmd/go/script_test.go b/src/cmd/go/script_test.go
+index 0576ea8add72af..1345ea8bb8e530 100644
+--- a/src/cmd/go/script_test.go
++++ b/src/cmd/go/script_test.go
+@@ -253,6 +253,7 @@ func scriptEnv(srv *vcstest.Server, srvCertFile string) ([]string, error) {
+ 		"CMDGO_TEST_RUN_MAIN=true",
+ 		"HGRCPATH=",
+ 		"GOTOOLCHAIN=auto",
++		"MS_GOTOOLCHAIN_ALLOW_NON_LOCAL=1", // allow non-local toolchains, some tests expect GOTOOLCHAIN to be honored
+ 		"newline=\n",
+ 	}
+