What would you like to be added?

After discussing this in last week's community meeting and based on feedback from the Go team (golang/go#68254) due to the vulnerability (GHSA-5x4g-q5rc-36jp / golang/vulndb#2952), there are several benefits to introducing a Go workspace in the project, and one of the biggest motivations is to simplify the test scripts.

I have a branch with the go.workspace (diff). It requires changes in the build scripts and the test libraries. It still doesn't work, but there's some progress.

I mostly based it on how kubernetes/kubernetes defines the Go workspace. However, from golang/go#68254 and the motivation to have govulncheck spot vulnerabilities within our modules, their suggestion is to remove replaces pointing to local code in go.mods, but k/k still has these replaces.

I wanted to open up the discussion to get feedback and/or implementation ideas.

Progress track

• Workspace activation: Minimal changes to enable a Go workspace #19423
• verify targets
  • lint: Use go workspace for golangci lint #20788
  • gofmt: Remove gofmt verify target #20814
  • bom: Update bom to use Go workspace #20829
  • dep: Update verify-dep to use workspace helpers #20848
  • shellcheck
  • goword: Replace goword with golangci-lint misspell #20815
    • We can remove go_srcs_in_module after merging Replace goword with golangci-lint misspell #20815 and Update verify license header to use Go workspace #20812
  • govet: Move govet to golangci lint #20810
  • license-header: Update verify license header to use Go workspace #20812 / Replace addlicense with golanci lint goheader #20818
  • mod-tidy: Update mod tidy check to not use old module system #20828
  • shellws
  • proto-annotations
  • genproto
  • yamllint
  • govet-shadow: Move govet to golangci lint #20810
  • markdown-marker
  • go-versions: Somewhat blocked by cmd/go: work edit -json doesn't include the toolchain golang/go#75941
  • gomodguard: Update gomodguard to use workspace modules #20849
• fix targets
  • bom: Update bom to use Go workspace #20829
  • lint: Use go workspace for golangci lint #20788
  • yamllint: Update fix-yamllint Makefile target to use common helpers #20850 / Update fix-yamllint Makefile target to use stand-alone script #20857
  • sync-toolchain-directive
  • scripts/fix.sh
    • mod-tidy: Move go mod tidy to a test.sh pass, update it to use the Go workspace #20851
    • go fmt: Don't manually run go fmt #20858
    • bashws: Move fix-bashws to its own script #20860
• test targets
  • unit: Migrate unit tests to use Go workspace #20872
• build targets

Why is this needed?

To improve the code quality and to spot vulnerabilities in our code firsthand.