Introduce a Go workspace

[ivanvc]

What would you like to be added?

After discussing this in last week's community meeting and based on feedback from the Go team (golang/go#68254) due to the vulnerability (GHSA-5x4g-q5rc-36jp / golang/vulndb#2952), there are several benefits to introducing a Go workspace in the project, and one of the biggest motivations is to simplify the test scripts.

I have a branch with the go.workspace (diff). It requires changes in the build scripts and the test libraries. It still doesn't work, but there's some progress.

I mostly based it on how kubernetes/kubernetes defines the Go workspace. However, from golang/go#68254 and the motivation to have govulncheck spot vulnerabilities within our modules, their suggestion is to remove replaces pointing to local code in go.mods, but k/k still has these replaces.

I wanted to open up the discussion to get feedback and/or implementation ideas.

Why is this needed?

To improve the code quality and to spot vulnerabilities in our code firsthand.

[ahrtr]

High level I support this. I raised this about 3 years ago #13478, but go workspace wasn't widely used at that time. It should good timing now.

[ivanvc]

This was discussed during the community meeting. I'll draft a document to discuss options for implementing this change.

[ivanvc]

I'm sorry it took me a very long time to draft the previously mentioned document. Here's the draft: https://docs.google.com/document/d/1Vpb0SosYT05YsBsgfJFzOAbSgitd1BcFOQzjEARaQyM. @ahrtr, PTAL and let me know your thoughts.

[ahrtr]

Based on the discussion in our yesterday's community meeting, we can create a separate branch (i.e workspace) for the go workspace change, the rough steps are,

• disable dependabot, so that we won't update the go.mod and go.sum files during the development of the feature on main branch.
• freeze the change on scripts on main branch. (Please anyone chime in if you have any related PR that you want to get merged before this point)
• create a new dev branch (i.e workspace)
• multiple contributors work on the feature until it's done and all workflows are green. (hopefully it won't take too long, i.e < 8 weeks)
• merge the branch back to main
• un-freeeze the script change on main
• recover the dependabot.

cc @ivanvc @jmhbnz @serathius

[jmhbnz]

Based on the discussion in our yesterday's community meeting, we can create a separate branch (i.e workspace) for the go workspace change

I have some etcd meeting videos to edit and upload from last couple weeks, will watch recording then comment but at face value it seems reasonable provided everyone is on board.

[ivanvc]

I'll start by breaking this up into smaller tasks. After that, I'll try to recruit some people to help. Then, we'll be able to proceed with the branch and pause dependabot.