Return a go-get document when the request is unauthenticated
-
Please check this box if this contribution uses AI-generated content (including content generated by GitLab Duo features) as outlined in the GitLab DCO & CLA
Related:
During the rollout of !156860 (merged), @vyaklushin identified users that were affected by the change. Despite the new behaviour being more "correct", @vyaklushin believes we should accomodate existing configurations and has proposed that we trigger the new behaviour more selectively.
This MR now restores some of the old behaviour in order to maintain backwards compatibility for users who have not set up authentication for their go toolchain. When credentials are not present, we always respond with the go meta tags as if a project with a two-segment path exists (e.g. namespace/project), whether it really exists or not.
If any credentials are present (valid or not), we use it as a signal that authentication has been set up, and that we can correctly return 404s when the project does not exist or we do not have access to it.
Returning the go meta tags for the two segment path means we also need to return a branch name in the go-source meta tag. The original implementation simply hard-coded master, which is not correct for repos using a different default branch name like main.
Correcting this properly may have meant removing it altogether as it may be considered an information leak. However looking into this further, it became clear that the go-source metatag is completely redundant and not needed in any circumstance. The go-source metatag was historically used for godoc.org, which is no longer running. Russ Cox (the Go project lead) explicitly states this
The go-source line was defined by godoc.org before modules existed, and it provided a template to link to a specific line of a specific file in a go-get-able package. Later, the Go project adopted godoc.org and its code base but then we archived it once its replacement, pkg.go.dev, was ready. Nothing we have initiated or maintain today uses the go-source tags. In particular, neither the Go toolchain nor pkg.go.dev uses them.
So, the go-source meta tag has been completely removed from the response. I was considering creating a different MR to make the removal, however I felt that including this change as part of the rollout was much more appropriate, as this is changed behaviour closely related with the original change.