go.mod changes in travis-ci

Published 2019-07-21 17:04

Question:

I have upgraded my project to use go 1.11.2 modules support. However, I am running into a very annoying problem. The go.mod file keeps changing in CI. It is a different file each day. Today the lines in go.sum are:

golang.org/x/net v0.0.0-20190213061140-3a22650c66bd h1:HuTn7WObtcDo9uEEU7rEqL0jYthdXAmZ6PP+meazmaU=
golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=

The go.mod is:

golang.org/x/net v0.0.0-20190213061140-3a22650c66bd // indirect

I did not update any dependencies. They are not locking! Why not? This is a really big problem if dependencies are constantly changing. However, I do not see others screaming about this problem. So I must be doing something wrong.

I am using go mod tidy to sync it up before a git diff --exit-code. This works locally but not on Travis-CI. I think it is a problem because on Travis-CI it needs to grab the dependencies and since these dependencies do not use semantic versioning, Go grabs the latest, which changes on every commit to master. If you agree this is the problem, how do I lock dependencies with Go modules?

Answer 1:

The wiki explains how to consume a package that hasn't opted into go modules.

Here's a relevant snippet:

If the repository does not have any valid semver tags, then the repository's version will be recorded with a "pseudo-version" such as v0.0.0-20171006230638-a6e239ea1c69 (which includes a timestamp and a commit hash, and which are designed to allow a total ordering across versions recorded in go.mod and to make it easier to reason about which recorded versions are "later" than another recorded version).

You can require specific commit hashes too:

When needed, more specific versions of dependencies can be chosen with commands such as go get foo@v1.2.3, go get foo@master, go get foo@e3702bed2, or by editing go.mod directly.
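
Added example (not part of the original answer or the Go wiki): a small Go parser that reads go.mod text and reports which requirements are recorded as pseudo-versions, with the commit time and hash prefix each one pins. The regular expression is a simplified assumption about the pseudo-version layout, and the names `ParsePseudo`, `PseudoPins`, `Pin` and `Sample` are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Simplified pattern (assumption of this example): ...-<14-digit UTC time>-<12-hex commit prefix>.
var pseudoRE = regexp.MustCompile(`^v\d+\.\d+\.\d+-(?:.*\.)?(\d{14})-([0-9a-f]{12})(?:\+incompatible)?$`)

type Pin struct { // one go.mod requirement recorded as a pseudo-version
	Module, Commit string
	When           time.Time
}

// ParsePseudo splits a pseudo-version into its commit time and hash prefix.
func ParsePseudo(v string) (time.Time, string, bool) {
	m := pseudoRE.FindStringSubmatch(v)
	if m == nil {
		return time.Time{}, "", false
	}
	t, err := time.Parse("20060102150405", m[1])
	return t, m[2], err == nil
}

// PseudoPins lists go.mod requirements pinned to a commit rather than a tag.
func PseudoPins(gomod string) []Pin {
	var pins []Pin
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.SplitN(raw, "//", 2)[0] // drop "// indirect"
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) == 2 {
			if t, c, ok := ParsePseudo(f[1]); ok {
				pins = append(pins, Pin{f[0], c, t})
			}
		}
	}
	return pins
}

// Sample is a constructed go.mod using the requirement quoted in the question.
const Sample = "module example.com/app\n\nrequire (\n\tgolang.org/x/net v0.0.0-20190213061140-3a22650c66bd // indirect\n\tgithub.com/pkg/errors v0.8.1\n)\n"

func main() {
	for _, p := range PseudoPins(Sample) {
		fmt.Printf("%s pinned to commit %s (%s)\n", p.Module, p.Commit, p.When.Format(time.RFC3339))
	}
}
```

Comparing this output between a local checkout and the CI checkout shows whether the recorded commit actually moved.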