feat(diff): TreeLoadOptions — configurable GOPROXY and module name hint #24
Merged
…name hint

Adds FingerprintTreeWithOptions and TreeLoadOptions so callers can override GOPROXY (e.g. to allow downloading missing dependencies from a proxy) and supply a real module name hint for pre-modules-era trees.

The secure default (GOPROXY=off) is unchanged for FingerprintTree and FingerprintTreeAdvanced — existing callers are unaffected.

- TreeLoadOptions.Proxy: overrides GOPROXY while keeping all other hardening (CGO_ENABLED=0, GOFLAGS=-mod=readonly, GOWORK=off, etc.)
- TreeLoadOptions.ModuleNameHint: replaces "synthetic.local/anonymous" in the overlay go.mod so pre-module imports resolve correctly
- hardenedEnvWithProxy: shared env builder used by both the zero-opts path and the options path (eliminates duplication with GetHardenedEnv)
- FingerprintTree/FingerprintTreeAdvanced: refactored onto the shared fingerprintTreeInternal path; behaviour is identical to before

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary

- Adds FingerprintTreeWithOptions and TreeLoadOptions to pkg/diff/fingerprinter.go
- TreeLoadOptions.Proxy: overrides GOPROXY while keeping all other hardening intact (zero value keeps the secure "off" default — no behaviour change for existing callers)
- TreeLoadOptions.ModuleNameHint: replaces synthetic.local/anonymous in the overlay go.mod for pre-modules-era trees, allowing same-module sub-package imports to resolve correctly
- hardenedEnvWithProxy: shared env builder eliminating duplication with GetHardenedEnv
- FingerprintTree and FingerprintTreeAdvanced refactored onto the new shared fingerprintTreeInternal path — identical behaviour

Motivation

The bench harness for the commercial pilot needs to analyse arbitrary open-source commits, including ones from repos whose module dependencies are not yet in GOMODCACHE. Without a way to configure GOPROXY, 26/28 parse failures in the pilot corpus are stuck at broken-dependency/other-package-load-error (module lookup disabled by GOPROXY=off). The product's CI scanning use case correctly uses GOPROXY=off; this adds the escape hatch for callers that have already decided network access is safe.

Test plan

- go test ./pkg/diff/... passes
- FingerprintTree / FingerprintTreeAdvanced call fingerprintTreeInternal with zero opts — output identical to before
- FingerprintTreeWithOptions with Proxy: "https://proxy.golang.org,direct" resolves deps not yet in GOMODCACHE
- TreeLoadOptions{} (zero value) behaves identically to FingerprintTree

🤖 Generated with Claude Code
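The proxy override described in this PR, as an added sketch that is not the project's code: an environment builder that keeps GOPROXY=off unless a caller supplies a proxy, and always pins the three settings the description names, even when the parent environment carries conflicting values. The names `buildEnv` and `validateProxy` are hypothetical, and the https-only check on proxy entries is a policy assumption of this example, not something the PR states.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// pinned: only the hardening settings named in the PR description.
var pinned = []string{"CGO_ENABLED=0", "GOFLAGS=-mod=readonly", "GOWORK=off"}

// validateProxy accepts "off", "direct" or https URLs, separated by "," or "|".
// Rejecting http:// and file:// entries is a policy assumption of this sketch.
func validateProxy(p string) error {
	for _, e := range strings.FieldsFunc(p, func(r rune) bool { return r == ',' || r == '|' }) {
		if e == "off" || e == "direct" {
			continue
		}
		if u, err := url.Parse(e); err != nil || u.Scheme != "https" || u.Host == "" {
			return fmt.Errorf("rejected GOPROXY entry %q", e)
		}
	}
	return nil
}

// buildEnv (hypothetical) drops inherited copies of the pinned keys and GOPROXY,
// then appends the pinned values. An empty proxy keeps the "off" default.
func buildEnv(parent []string, proxy string) ([]string, error) {
	if proxy == "" {
		proxy = "off"
	}
	if err := validateProxy(proxy); err != nil {
		return nil, err
	}
	drop := map[string]bool{"GOPROXY": true, "CGO_ENABLED": true, "GOFLAGS": true, "GOWORK": true}
	var env []string
	for _, kv := range parent {
		if key, _, _ := strings.Cut(kv, "="); !drop[key] {
			env = append(env, kv)
		}
	}
	return append(append(env, pinned...), "GOPROXY="+proxy), nil
}

func main() {
	parent := []string{"PATH=/usr/bin", "GOPROXY=http://mirror.invalid", "GOFLAGS=-mod=mod"} // constructed
	env, err := buildEnv(parent, "https://proxy.golang.org,direct")
	fmt.Println(env, err)
}
```

Filtering the parent environment rather than only appending makes the result independent of how the consumer resolves duplicate keys.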