From 2c95f73ca7dd711f7ee0fc6784ffd02ac06bb762 Mon Sep 17 00:00:00 2001
From: Vault Automation
Date: Tue, 28 Oct 2025 15:26:46 -0400
Subject: [PATCH] [VAULT-40166] go: check go.mod drift on changes to ce/branches
When a pull request is created against a CE branch and it has changed any files in the `gotoolchain` group we'll automatically trigger the diff for every Go module file in the repo against the equivalent in the corresponding enterprise branch. If there's a delta in like configuration it will automatically fail the `build/ce-checks` job. It will also write a complete explanation of the diff to the step output and also to the `build/ce-checks` job step summary.
Signed-off-by: Ryan Cragun
Co-authored-by: Ryan Cragun
---
 .github/workflows/build.yml | 90 +++++++++++++++++++++++++++++++++++++
 go.mod | 4 +-
 2 files changed, 92 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c8b2f885cb..ab537b9b29 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -148,6 +148,7 @@ jobs:
 startsWith(github.event.pull_request.base.ref, 'ce/') &&
 contains(fromJSON(steps.changed-files.outputs.changed-files).groups, 'enterprise')
 name: Ensure that we have not changed any enterprise files on pull requests against ce/* branches.
+ id: ce-ent-changed-file-check
 run: |
 echo "The pull request has changed files that are in enterprise groups!"
 echo "If you believe this to be in error you will want to update the changed files checks in tools/pipeline/internal/pkg/changed"
@@ -172,6 +173,95 @@ jobs:
 # subsequent workflows are run.
 no-restore: true
+ ce-code-checks:
+ # Checks that we want to run only on changes to ce/* branches that ought to pass but aren't
+ # required for the "completed-successfully" job to pass. This allows us to bubble up this
+ # information without gating merges, which can be useful if you have many PRs simultaneously
+ # modifying go.mod before CE PRs with the equivalent changes have been merged.
+ name: Check ce/* Pull Requests
+ if: |
+ needs.setup.outputs.is-ent-repo == 'true' &&
+ needs.setup.outputs.workflow-trigger == 'pull_request' &&
+ github.event.pull_request.draft == false &&
+ startsWith(github.event.pull_request.base.ref, 'ce/')
+ runs-on:
+ - self-hosted
+ - ubuntu-latest-x64
+ permissions: write-all # vault-auth
+ needs:
+ - setup
+ steps:
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ # Get the elevated github token
+ - id: vault-auth
+ name: Vault Authenticate
+ run: vault-auth
+ - id: vault-secrets
+ name: Fetch Vault Secrets
+ uses: hashicorp/vault-action@4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b # v3.4.0
+ with:
+ url: ${{ steps.vault-auth.outputs.addr }}
+ caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
+ token: ${{ steps.vault-auth.outputs.token }}
+ secrets: |
+ kv/data/github/${{ github.repository }}/github-token token | ELEVATED_GITHUB_TOKEN;
+ - id: set-up-pipeline
+ uses: ./.github/actions/set-up-pipeline
+ with:
+ github-token: ${{ steps.vault-secrets.outputs.ELEVATED_GITHUB_TOKEN }}
+ # Ensure that our go.mod files have not drifted if we've changed the Go toolchain on a CE PR
+ - if: |
+ needs.setup.outputs.is-ent-repo == 'true' &&
+ needs.setup.outputs.workflow-trigger == 'pull_request' &&
+ startsWith(github.event.pull_request.base.ref, 'ce/') &&
+ contains(fromJSON(needs.setup.outputs.changed-files).groups, 'gotoolchain')
+ name: Check go.mod diff on pull requests against ce/* branches that changed the go toolchain
+ id: go-mod-diff
env:
+ GITHUB_TOKEN: ${{ steps.vault-secrets.outputs.ELEVATED_GITHUB_TOKEN }}
+ # Pass these in as env variables.
+ # See: https://docs.github.com/en/actions/reference/security/secure-use#good-practices-for-mitigating-script-injection-attacks
+ BASE_REF: ${{ github.event.pull_request.base.ref }}
+ HEAD_REF: ${{ github.event.pull_request.head.ref }}
+ run: |
+ # Check the deltas between all relevant go.mod files between the PR HEAD ref and the
+ # Enterprise equivalent base ref. We disable 'strict-require' because enterprise and CE
+ # are allowed to have different modules. We still enforce that like modules between
+ # branches share the same versions. Similarly, 'strict-replace' is also disabled to allow
+ # both modules to have different 'replace' directives but still compare like 'replace'
+ # directives that are shared. This allows enterprise to use enterprise plugin 'replace'
+ # directives and not fail this check. We also have this run in a non-failing job to handle
+ # cases where multiple PRs are changing go.mod in enteprise an CE.
+
+ # Strip the ce/ prefix off of the PR base ref
+ ent_base_ref="${BASE_REF#ce/}"
+ if [[ "$ent_base_ref" != "main" ]]; then
+ # If it's not main add the +ent suffix
+ ent_base_ref="${ent_base_ref}+ent"
+ fi
+ echo "A branch: $ent_base_ref"
+ echo "B branch: $HEAD_REF"
+ pipeline github check go-mod-diff ${{ runner.debug && '--log debug' }} \
+ --a-repo vault-enterprise \
+ --a-branch "$ent_base_ref" \
+ --b-repo vault-enterprise \
+ --b-branch "$HEAD_REF" \
+ --strict-replace=false \
+ --strict-require=false \
+ -p go.mod \
+ -p api/go.mod \
+ -p api/auth/approle/go.mod \
+ -p api/auth/aws/go.mod \
+ -p api/auth/azure/go.mod \
+ -p api/auth/cert/go.mod \
+ -p api/auth/gcp/go.mod \
+ -p api/auth/kubernetes/go.mod \
+ -p api/auth/ldap/go.mod \
+ -p api/auth/userpass/go.mod \
+ -p tools/pipeline/go.mod \
+ -p sdk/go.mod \
+ --format markdown | tee -a "$GITHUB_STEP_SUMMARY"
+
 ui:
 # The Web UI workflow is a prerequisite workflow for building our artifacts. If the application
 # or UI change we'll trigger this workflow but only build it if we don't already have the asset
diff --git a/go.mod b/go.mod
index 65d3630d76..719d8162a1 100644
--- a/go.mod
+++ b/go.mod
@@ -29,6 +29,8 @@ replace github.com/hashicorp/vault/sdk => ./sdk
 // See https://github.com/99designs/keyring/issues/103 and https://github.com/snowflakedb/gosnowflake/issues/1183
 replace github.com/99designs/keyring => github.com/Jeffail/keyring v1.2.3
+replace github.com/ma314smith/signedxml v1.1.1 => github.com/moov-io/signedxml v1.1.1
+
 require (
 cloud.google.com/go/cloudsqlconn v1.4.3
 cloud.google.com/go/monitoring v1.24.2
@@ -578,5 +580,3 @@ require (
 sigs.k8s.io/randfill v1.0.0 // indirect
 sigs.k8s.io/yaml v1.6.0 // indirect
 )
-
-replace github.com/ma314smith/signedxml v1.1.1 => github.com/moov-io/signedxml v1.1.1
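Review bot: The final `pipeline github check go-mod-diff … | tee -a "$GITHUB_STEP_SUMMARY"` line of the go-mod-diff step reports only tee's exit status, so a non-zero exit from the drift check is masked and the step stays green even when a delta is found, contrary to the commit message's intent that the job fail; the step declares no `shell:`, and the runner's default `bash -e {0}` does not enable pipefail. Either add `shell: bash` to the step (GitHub runs that with `-eo pipefail`) or begin the script with `set -o pipefail`. Separately, `permissions: write-all # vault-auth` grants every GITHUB_TOKEN scope to a job that only checks out the repository and runs a comparison; if vault-auth relies on the runner's OIDC token, `id-token: write` together with `contents: read` is likely all that is needed, but that depends on how vault-auth is implemented and should be confirmed before narrowing. The `ce-code-checks` job this applies to starts in the previous hunk line and ends here, immediately before the unchanged `ui:` job.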