fix(jsii-pacmak): remove GOSUMDB=off from Go target

[mrgrain]

The GOSUMDB=off environment variable was added in #2616 back in February 2021 as a workaround to reduce eventual consistency issues when newly published Go modules were not yet available in the Go checksum database. At the time, this was a pragmatic fix to avoid transient failures during go mod download.

However, disabling the checksum database prevents the Go toolchain from using sum.golang.org which is required for newer features like automatic toolchain management via the go directive in go.mod. Specifically, GOSUMDB=off breaks the ability of go work use and related commands to download and verify the correct Go runtime version automatically. This is an increasingly important feature as the Go ecosystem moves towards self-managing toolchains.

Beyond the functional issue, the Go module ecosystem has matured significantly since 2021. The checksum database is stable and eventual consistency is no longer a practical concern for published modules. Keeping GOSUMDB=off is both an unnecessary security trade-off (skipping module integrity verification) and now actively prevents useful toolchain features from working.

This change removes the GOSUMDB=off setting from the go() helper function in jsii-pacmak, restoring default Go behavior.

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[ShadowCat567]

Will turning this off lead to an increase in eventual consistency issues?
Has the go ecosystem/our tooling evolved so we can turn GOSUMDB back on and not have to worry about the initial reason we turned it off resurfacing or do we not care and we are more concerned about being able to handle newer versions of go than an increase in eventual consistency issues?

[mrgrain]

Re adding this AI generated blurb I had removed.

Beyond the functional issue, the Go module ecosystem has matured significantly since 2021. The checksum database is stable and eventual consistency is no longer a practical concern for published modules. Keeping GOSUMDB=off is both an unnecessary security trade-off (skipping module integrity verification) and now actively prevents useful toolchain features from working.

There's no indication on the original PR or issue what the eventual consistency thing actually is. I'm also not aware of any wider problems w.r.t. in the Go ecosystem. The code already runs go mod tidy which is exactly the command that refreshed the checksums.

tl;dr It's unclear what the original problem was. So far I have seen no indication that it still exists. On the other hand we have a real problem to solve. I'm willing to risk this.

[mergify]

Thank you for contributing! ❤️ I will now look into making sure the PR is up-to-date, then proceed to try and merge it!

[mergify]

Merging (with squash)...

[mergify]

Merge Queue Status

Rule: default-squash

---

• ✅ Entered queue — 2026-02-25 14:48 UTC
• ✅ Checks passed · in-place
• ✅ Merged — 2026-02-25 14:48 UTC · at 84f61f9c1d08210d661a42a2f66be55f53d059c0

This pull request spent 10 seconds in the queue, with no time running CI.

Required conditions to merge

• #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • fix(jsii-pacmak): remove GOSUMDB=off from Go target #5044
• #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • fix(jsii-pacmak): remove GOSUMDB=off from Go target #5044
• status-success=Integration test (jsii-pacmak)
• status-success=Unit Tests
• any of [🛡 GitHub branch protection]:
  • check-success = Integration test (jsii-pacmak)
  • check-neutral = Integration test (jsii-pacmak)
  • check-skipped = Integration test (jsii-pacmak)
• any of [🛡 GitHub branch protection]:
  • check-success = Build
  • check-neutral = Build
  • check-skipped = Build
• any of [🛡 GitHub branch protection]:
  • check-success = Unit Tests
  • check-neutral = Unit Tests
  • check-skipped = Unit Tests