Hello, we are having a bit of an issue with go get with our own repository.
Context:
We are using two packages that we have hosted in our GitLab. Both packages are in different repositories, although they share the same domain.
- Module 1 is at
gitlab.mycompany.com/groupA/module1 - Module 2 is at
gitlab.mycompany.com/groupB/module2
Then, we have a go.mod file that requires both of them, like this.
module gitlab.mycompany.com/mymodule
go 1.20
require (
gitlab.mycompany.com/groupA/module1 v0.0.0
gitlab.mycompany.com/groupB/module2 v0.0.0
)
Each repository has a GitLab Deploy Token which grants read access to the code (so it can be cloned). In order for go get to use them, we are using the .netrc as explained here.
This works fine for a single repo/package. In the .netrc you add the user and token for the domain gitlab.mycompany.com, and go get can download the package.
Problem:
This works fine for a single package. However, when doing go mod tidy, you have to download both packages as specified in the go.mod (when they are not cached). The problem is that for private repos, go get will look for the domain in the .netrc, however, we have two modules with the same domain but different user and token. Therefore, go mod tidy fails, because it doesn’t know what user/token to use for each package, as it just considers the domain.
.netrc:
machine gitlab.mycompany.com login module1_user password module1_token
machine gitlab.mycompany.com login module2_user password module2_token
Both module1 and module2 are at gitlab.mycompany.com but in different repos there.
Right now, the only way we were able to workaround this, was: by setting user1/token1 in the .netrc, then doing a go get for module1. Then, overriding for user2/token2 and go get for module2. This saves the packages in the cache and doesn’t need to be downloaded by the go mod tidy.
This approach is not ideal, as the go mod tidy cannot be done directly, you need to do the other steps first. It not only adds complexity, but it is also less secure as the user/tokens have to be outside the .netrc.
Question: Is there any way of avoiding this behavior, and telling go mod tidy/go get which user/token to use per package instead of domain?