Should go.sum file be checked in to the git repository?
I have a program with source code hosted on GitHub that uses Go Modules introduced in go 1.11. go.mod file describes my dependencies, but go.sum file seems to be a lockfile. Should I be adding go.sum to my repository or should I gitignore it?
Solution 1:
https://github.com/golang/go/wiki/Modules#releasing-modules-all-versions:
Ensure your go.sum file is committed along with your go.mod file.
Solution 2:
(Building on a previous answer.)
Yes, commit go.sum.
Ensure your go.sum file is committed along with your go.mod file. See FAQ below for more details and rationale.
From the FAQ:
Should I commit my 'go.sum' file as well as my 'go.mod' file?
Typically your module's go.sum file should be committed along with your go.mod file.
- go.sum contains the expected cryptographic checksums of the content of specific module versions.
- If someone clones your repository and downloads your dependencies using the go command, they will receive an error if there is any mismatch between their downloaded copies of your dependencies and the corresponding entries in your go.sum.
- In addition, go mod verify checks that the on-disk cached copies of module downloads still match the entries in go.sum.
- Note that go.sum is not a lock file as used in some alternative dependency management systems. (go.mod provides enough information for reproducible builds).
- See very brief rationale here from Filippo Valsorda on why you should check in your go.sum. See the "Module downloading and verification" section of the tip documentation for more details. See possible future extensions being discussed for example in #24117 and #25530.
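The mismatch error the FAQ describes comes down to recomputing a hash and comparing it with the committed entry. This added example is not from the answers above and is not the go command's own code; it does that for a dependency's /go.mod line using the h1: format implemented in golang.org/x/mod/sumdb/dirhash. The function names hashGoMod, parseGoSum and verifyGoMod are hypothetical, and the module example.com/dep and its contents are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// hashGoMod computes the "h1:" hash for a go.mod file: SHA-256 over the
// listing line "<hex sha256 of file>  go.mod\n", base64-encoded. A full
// module hash uses the same listing with one sorted line per file.
func hashGoMod(goMod []byte) string {
	h := sha256.New()
	fmt.Fprintf(h, "%x  %s\n", sha256.Sum256(goMod), "go.mod")
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// parseGoSum maps "module version[/go.mod]" to the hash recorded in go.sum.
func parseGoSum(data string) (map[string]string, error) {
	sums := map[string]string{}
	for i, line := range strings.Split(data, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue // blank line
		}
		if len(f) != 3 || !strings.HasPrefix(f[2], "h1:") {
			return nil, fmt.Errorf("go.sum line %d: malformed", i+1)
		}
		sums[f[0]+" "+f[1]] = f[2]
	}
	return sums, nil
}

// verifyGoMod fails closed: a missing entry or a differing hash is an error.
func verifyGoMod(sums map[string]string, mod, ver string, goMod []byte) error {
	want, ok := sums[mod+" "+ver+"/go.mod"]
	if got := hashGoMod(goMod); !ok || got != want {
		return fmt.Errorf("%s %s/go.mod: checksum mismatch or missing entry", mod, ver)
	}
	return nil
}

func main() {
	goMod := []byte("module example.com/dep\n\ngo 1.11\n") // constructed sample
	sums, _ := parseGoSum("example.com/dep v1.0.0/go.mod " + hashGoMod(goMod))
	fmt.Println(verifyGoMod(sums, "example.com/dep", "v1.0.0", goMod))
	fmt.Println(verifyGoMod(sums, "example.com/dep", "v1.0.0", append(goMod, "// tampered\n"...)))
}
```

Because the committed go.sum is the only reference value in this check, a repository that gitignores it leaves a fresh clone with nothing to compare the downloaded dependency against.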