From d3cf2434f029a15b6ed48c4a1f3204c6ea462af3 Mon Sep 17 00:00:00 2001
From: Matt Dale <9760375+matthewdale@users.noreply.github.com>
Date: Fri, 1 Jul 2022 12:40:51 -0700
Subject: [PATCH] Confirm that modules are always tidy and vendored. (#1003)

---
 .evergreen/config.yml |  7 +++++++
 Makefile              | 16 +++++++++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/.evergreen/config.yml b/.evergreen/config.yml
index 462ac71b6f..d3d4cfd1dd 100644
--- a/.evergreen/config.yml
+++ b/.evergreen/config.yml
@@ -1068,6 +1068,13 @@ tasks:
         vars:
           targets: check-fmt
 
+  - name: sa-modules
+    tags: ["static-analysis"]
+    commands:
+      - func: run-make
+        vars:
+          targets: check-modules
+
   - name: sa-lint
     tags: ["static-analysis"]
     commands:
diff --git a/Makefile b/Makefile
index 1e123b0da5..1617fa75da 100644
--- a/Makefile
+++ b/Makefile
@@ -13,7 +13,7 @@ TEST_TIMEOUT = 1800
 
 ### Utility targets. ###
 .PHONY: default
-default: add-license build build-examples check-env check-fmt lint test-short
+default: add-license build build-examples check-env check-fmt check-modules lint test-short
 
 .PHONY: add-license
 add-license:
@@ -49,6 +49,20 @@ build-tests:
 check-fmt:
 	etc/check_fmt.sh $(PKGS)
 
+# check-modules runs "go mod tidy" then "go mod vendor" and exits with a non-zero exit code if there
+# are any module or vendored modules changes. The intent is to confirm two properties:
+#
+# 1. Exactly the required modules are declared as dependencies. We should always be able to run
+# "go mod tidy" and expect that no unrelated changes are made to the "go.mod" file.
+#
+# 2. All required modules are copied into the vendor/ directory and are an exact copy of the
+# original module source code (i.e. the vendored modules are not modified from their original code).
+.PHONY: check-modules
+check-modules:
+	go mod tidy -v
+	go mod vendor
+	git diff --exit-code go.mod go.sum ./vendor
+
 .PHONY: doc
 doc:
 	godoc -http=:6060 -index