cmd/go: ensure go.mod and go.sum are consistent after `go get -tool`

The issue was that `go get -tool` could trigger module upgrades (due to
the tool's own requirements) that were not correctly captured by the
final consistency check in `checkPackageProblems`. This happened because
`updateTools` was being called after `checkPackageProblems`, and even if
moved earlier, it failed to update the resolver's internal build list
representation. This left some incidentally upgraded modules (like
github.com/go-logr/logr in the gonzo module) without their corresponding
zip sums in go.sum, causing subsequent builds to fail.

The fix involves:
  1. Moving the updateTools call before checkPackageProblems in runGet.
  2. Ensuring the resolver's buildList and buildListVersion are
explicitly refreshed from the updated module graph after updateTools is
called.

This ensures that checkPackageProblems correctly identifies all modules
that were upgraded during the `go get -tool` operation and fetches the
necessary checksums, maintaining module consistency.

A test and associated necessary vcs-test configuration are added to
prevent regressions in the future.

Fixes #74691.

Change-Id: I1a7e22a35132bcbee2ceac1ff7fc190666db965b
Reviewed-on: https://go-review.googlesource.com/c/go/+/738660
Reviewed-by: Michael Matloob <matloob@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Matloob <matloob@golang.org>

7 files changed, 134 insertions, 5 deletions

diff --git a/src/cmd/go/internal/modget/get.go b/src/cmd/go/internal/modget/get.go
index 0b0db14f6f..10dde2f56c 100644
--- a/src/cmd/go/internal/modget/get.go
+++ b/src/cmd/go/internal/modget/get.go
@@ -402,14 +402,14 @@ func runGet(ctx context.Context, cmd *base.Command, args []string) {
 		}
 	}
 
+	if *getTool {
+		updateTools(moduleLoaderState, ctx, r, queries, &opts)
+	}
+
 	// If a workspace applies, checkPackageProblems will switch to the workspace
 	// using modload.EnterWorkspace when doing the final load, and then switch back.
 	r.checkPackageProblems(moduleLoaderState, ctx, pkgPatterns)
 
-	if *getTool {
-		updateTools(moduleLoaderState, ctx, queries, &opts)
-	}
-
 	// Everything succeeded. Update go.mod.
 	oldReqs := reqsFromGoMod(modload.ModFile(moduleLoaderState))
 
@@ -433,7 +433,7 @@ func runGet(ctx context.Context, cmd *base.Command, args []string) {
 	}
 }
 
-func updateTools(loaderstate *modload.State, ctx context.Context, queries []*query, opts *modload.WriteOpts) {
+func updateTools(loaderstate *modload.State, ctx context.Context, r *resolver, queries []*query, opts *modload.WriteOpts) {
 	pkgOpts := modload.PackageOpts{
 		VendorModulesInGOROOTSrc: true,
 		LoadTests:                *getT,
@@ -457,6 +457,16 @@ func updateTools(loaderstate *modload.State, ctx context.Context, queries []*que
 			opts.AddTools = append(opts.AddTools, m.Pkgs...)
 		}
 	}
+
+	mg, err := modload.LoadModGraph(loaderstate, ctx, "")
+	if err != nil {
+		toolchain.SwitchOrFatal(loaderstate, ctx, err)
+	}
+	r.buildList = mg.BuildList()
+	r.buildListVersion = make(map[string]string, len(r.buildList))
+	for _, m := range r.buildList {
+		r.buildListVersion[m.Path] = m.Version
+	}
 }
 
 // parseArgs parses command-line arguments and reports errors.
diff --git a/src/cmd/go/testdata/mod/github.com_go-logr_logr_v1.4.1.txt b/src/cmd/go/testdata/mod/github.com_go-logr_logr_v1.4.1.txt
new file mode 100644
index 0000000000..96550da6a5
--- /dev/null
+++ b/src/cmd/go/testdata/mod/github.com_go-logr_logr_v1.4.1.txt
@@ -0,0 +1,16 @@
+module github.com/go-logr/logr@v1.4.1
+
+Original import done via `go run addmod.go`. Dependencies have been manually
+reduced to the minimum required by the test `get_tool_issue_74691`.
+-- .mod --
+module github.com/go-logr/logr
+
+go 1.18
+-- .info --
+{"Version":"v1.4.1","Time":"2023-12-21T15:57:58Z","Origin":{"VCS":"git","URL":"https://github.com/go-logr/logr","Hash":"dcdc3f2cd12e8a5c4e2a6712d6958c90e2e5bd98","Ref":"refs/tags/v1.4.1"}}
+-- go.mod --
+module github.com/go-logr/logr
+
+go 1.18
+-- logr.go --
+package logr
diff --git a/src/cmd/go/testdata/mod/github.com_go-logr_logr_v1.4.3.txt b/src/cmd/go/testdata/mod/github.com_go-logr_logr_v1.4.3.txt
new file mode 100644
index 0000000000..c5cb4f90d1
--- /dev/null
+++ b/src/cmd/go/testdata/mod/github.com_go-logr_logr_v1.4.3.txt
@@ -0,0 +1,16 @@
+module github.com/go-logr/logr@v1.4.3
+
+Original import done via `go run addmod.go`. Dependencies have been manually
+reduced to the minimum required by the test `get_tool_issue_74691`.
+-- .mod --
+module github.com/go-logr/logr
+
+go 1.18
+-- .info --
+{"Version":"v1.4.3","Time":"2025-05-19T04:56:57Z","Origin":{"VCS":"git","URL":"https://github.com/go-logr/logr","Hash":"38a1c47ef633fa6b2eee6b8f2e1371ba8626e557","Ref":"refs/tags/v1.4.3"}}
+-- go.mod --
+module github.com/go-logr/logr
+
+go 1.18
+-- logr.go --
+package logr
diff --git a/src/cmd/go/testdata/mod/github.com_golangci_golangci-lint_v2_v2.10.1.txt b/src/cmd/go/testdata/mod/github.com_golangci_golangci-lint_v2_v2.10.1.txt
new file mode 100644
index 0000000000..cdef3835b9
--- /dev/null
+++ b/src/cmd/go/testdata/mod/github.com_golangci_golangci-lint_v2_v2.10.1.txt
@@ -0,0 +1,22 @@
+module github.com/golangci/golangci-lint/v2@latest
+
+Original import done via `go run addmod.go`. Dependencies have been manually
+reduced to the minimum required by the test `get_tool_issue_74691`.
+-- .mod --
+module github.com/golangci/golangci-lint/v2
+
+// The minimum Go version must always be latest-1.
+// This version should never be changed outside of the PR to add the support of newer Go version.
+// Only golangci-lint maintainers are allowed to change it.
+go 1.25.0
+
+require github.com/securego/gosec/v2 v2.23.0
+-- .info --
+{"Version":"v2.10.1"}
+-- cmd/golangci-lint/main.go --
+package main
+
+import _ "github.com/securego/gosec/v2/rules"
+
+func main()
+
diff --git a/src/cmd/go/testdata/mod/github.com_securego_gosec_v2_v2.23.0.txt b/src/cmd/go/testdata/mod/github.com_securego_gosec_v2_v2.23.0.txt
new file mode 100644
index 0000000000..90e54a5179
--- /dev/null
+++ b/src/cmd/go/testdata/mod/github.com_securego_gosec_v2_v2.23.0.txt
@@ -0,0 +1,30 @@
+module github.com/securego/gosec/v2@v2.23.0
+
+Original import done via `go run addmod.go`. Dependencies have been manually
+reduced to the minimum required by the test `get_tool_issue_74691`.
+-- .mod --
+module github.com/securego/gosec/v2
+
+require (
+  example.com v1.0.0
+)
+
+require (
+  github.com/go-logr/logr v1.4.3 // indirect
+)
+
+go 1.25.0
+-- .info --
+{"Version":"v2.23.0","Time":"2026-02-10T14:47:11Z","Origin":{"VCS":"git","URL":"https://github.com/securego/gosec","Hash":"398ad549bbf1a51dc978fd966169f660c59774de","Ref":"refs/tags/v2.23.0"}}
+-- go.mod --
+module github.com/securego/gosec/v2
+
+require example.com v1.0.0
+
+go 1.25.0
+-- rules/rules_a.go --
+package rules
+
+import _ "example.com" // pull in a pre-module-pruning module (doesn't declare go version in go.mod)
+
+
diff --git a/src/cmd/go/testdata/mod/k8s.io_klog_v2_v2.130.1.txt b/src/cmd/go/testdata/mod/k8s.io_klog_v2_v2.130.1.txt
new file mode 100644
index 0000000000..2794d50eb4
--- /dev/null
+++ b/src/cmd/go/testdata/mod/k8s.io_klog_v2_v2.130.1.txt
@@ -0,0 +1,22 @@
+Using requirements of .k8s.io/klog/v2 v2.130.1
+
+Original import done via `go run addmod.go`. Dependencies have been manually
+reduced to the minimum required by the test `get_tool_issue_74691`.
+-- .mod --
+module k8s.io/klog/v2
+
+go 1.21
+
+require github.com/go-logr/logr v1.4.1
+-- .info --
+{"Version":"v2.130.1"}
+-- go.mod --
+module k8s.io/klog/v2
+
+go 1.21
+
+require github.com/go-logr/logr v1.4.1
+-- foo.go --
+package foo
+
+import _ "github.com/go-logr/logr"
diff --git a/src/cmd/go/testdata/script/get_tool_issue74691.txt b/src/cmd/go/testdata/script/get_tool_issue74691.txt
new file mode 100644
index 0000000000..44617ffe34
--- /dev/null
+++ b/src/cmd/go/testdata/script/get_tool_issue74691.txt
@@ -0,0 +1,13 @@
+# Regression test for https://go.dev/issue/74691.
+
+go mod init gonzo
+go get k8s.io/klog/v2@v2.130.1
+go mod tidy
+go build ./...
+go get -tool github.com/golangci/golangci-lint/v2/cmd/golangci-lint
+go build ./...
+
+-- main.go --
+package main
+import _ "k8s.io/klog/v2"
+func main() {}