How to prevent go get from updating go.mod file

Question

TL;DR: Is there any way I can forcefully prevent go get from altering the go.mod file?

When I do a go get of certain packages, e.g.:

$ go get github.com/AsynkronIT/protoactor-go/protobuf/protoc-gen-gograin

It will printout that it has updated dependencies (which are defined in my go.mod file):

go get: upgraded github.com/AsynkronIT/protoactor-go v0.0.0-20200815184336-b225d28383f2 => v0.0.0-20210405044454-10bc19881ad6
# (...) Note, this happens for other packages, not just `AsynkronIT/protoactor-go`.

This causes the go.mod file to change during a CI build, and affects subsequent build stages where, while building something, it’ll try to use an updated version of the dependency, which might introduce breaking changes, instead of the version defined on the go.mod file initially.

I’ve tried using -mod=readonly or making sure the -u flag is not used but it will still update the go.mod file, e.g.:

$ GOFLAGS=-mod=readonly go get github.com/AsynkronIT/protoactor-go/protobuf/protoc-gen-gograin

go get: upgraded github.com/AsynkronIT/protoactor-go v0.0.0-20200815184336-b225d28383f2 => v0.0.0-20210405044454-10bc19881ad6
# (...)

I've also tried finding similar issues, like this one, or this other one, but haven't yet find an alternative to prevent go get commands from altering the go.mod.

The current workaround I'm using to stop this behavior is to do a git checkout -- go.mod right after certain go get … steps to reset any changes done by go get, and hence, avoiding breaking changes with certain dependencies newer versions.

I'm using go version 1.16.3.

Answer 1

For Go 1.16 and after, you can use go install to install binaries without affecting go.mod

go install github.com/AsynkronIT/protoactor-go/protobuf/protoc-gen-gograin