fix(go_modules): preserve unrelated go.mod checksums in go.sum

When Go tooling (go get, go mod tidy) runs during a dependency update,
it can prune go.mod checksum entries for indirect/transitive dependencies
that aren't strictly needed for building. This causes Dependabot PRs to
unexpectedly remove hash entries from go.sum that go mod tidy would keep.

Add reconcile_go_sum to detect go.mod checksum lines that were removed
for modules NOT being updated, and restore them in sorted order.

Fixes #14872

Author: v-HaripriyaC

go_modules/lib/dependabot/go_modules/file_updater/go_mod_updater.rb

@@ -222,10 +222,12 @@ def update_files
               substitute_all(substitutions.invert)
             end
 
-            updated_go_sum = original_go_sum ? File.read("go.sum") : nil
+            updated_go_sum = T.let(nil, T.nilable(String))
+            updated_go_sum = reconcile_go_sum(original_go_sum, File.read("go.sum")) if original_go_sum
+
             updated_go_mod = File.read("go.mod")
 
-            { go_mod: updated_go_mod, go_sum: updated_go_sum }
+            { go_mod: updated_go_mod, go_sum: updated_go_sum }.compact
           end
         end
 
@@ -417,6 +419,49 @@ def build_module_stubs(stub_paths)
           end
         end
 
+        sig { params(original_go_sum: String, updated_go_sum: String).returns(String) }
+        def reconcile_go_sum(original_go_sum, updated_go_sum)
+          original_lines = original_go_sum.lines(chomp: true)
+          updated_lines = updated_go_sum.lines(chomp: true)
+          updated_set = updated_lines.to_set
+          merged_lines = updated_lines.dup
+
+          original_lines.each do |line|
+            next unless go_mod_checksum_line?(line)
+            next if updated_set.include?(line)
+
+            module_identifier = go_sum_module_identifier(line)
+            next unless module_identifier
+            next if updated_dependency_names.include?(module_identifier)
+            next unless zip_hash_still_present?(line, updated_set)
+
+            merged_lines << line
+          end
+
+          merged_lines.sort!.join("\n") + "\n"
+        end
+
+        sig { params(line: String).returns(T::Boolean) }
+        def go_mod_checksum_line?(line)
+          line.include?("/go.mod h1:")
+        end
+
+        sig { params(line: String).returns(T.nilable(String)) }
+        def go_sum_module_identifier(line)
+          line.split(/\s+/, 2).first
+        end
+
+        sig { params(go_mod_line: String, updated_set: T::Set[String]).returns(T::Boolean) }
+        def zip_hash_still_present?(go_mod_line, updated_set)
+          version_prefix = go_mod_line.sub(%r{/go\.mod\s.*}, "")
+          updated_set.any? { |line| line.start_with?("#{version_prefix} h1:") }
+        end
+
+        sig { returns(T::Set[String]) }
+        def updated_dependency_names
+          @updated_dependency_names ||= T.let(dependencies.to_set(&:name), T.nilable(T::Set[String]))
+        end
+
         # Given a go.mod file, find all `replace` directives pointing to a path
         # on the local filesystem, and return an array of pairs mapping the
         # original path to a hash of the path.

go_modules/spec/dependabot/go_modules/file_updater/go_mod_updater_spec.rb

@@ -276,6 +276,77 @@ module github.com/dependabot/vgotest
               .not_to include(%(rsc.io/quote v1.4.0/go.mod h1:))
           end
 
+          context "when go tooling removes an unrelated go.mod checksum line" do
+            let(:removed_line) do
+              "gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E="
+            end
+            let(:zip_line) do
+              "gonum.org/v1/gonum v0.16.0 h1:JKbmSgVMFkFMDpGCixMRJCMEMmNhrsJuJqVDPMGPnQY="
+            end
+
+            it "restores the unrelated checksum line" do
+              allow(File).to receive(:read).and_call_original
+
+              original_go_sum = fixture("projects", project_name, "go.sum") +
+                                "#{zip_line}\n#{removed_line}\n"
+              updated_go_sum = original_go_sum.lines.reject { |line| line.chomp == removed_line }.join
+
+              allow(File).to receive(:read).with("go.sum").and_return(original_go_sum, updated_go_sum)
+
+              expect(updated_go_mod_content).to include(removed_line)
+            end
+          end
+
+          context "when the removed checksum belongs to the updated dependency" do
+            let(:removed_line) { "rsc.io/quote v1.4.0/go.mod h1:omethingoldchecksum=" }
+
+            it "does not restore the removed checksum line" do
+              allow(File).to receive(:read).and_call_original
+
+              original_go_sum = <<~GOSUM
+                rsc.io/quote v1.4.0 h1:oldchecksum=
+                #{removed_line}
+                rsc.io/sampler v1.3.0/go.mod h1:anexistingchecksum=
+              GOSUM
+
+              updated_go_sum = <<~GOSUM
+                rsc.io/quote v1.5.2 h1:newchecksum=
+                rsc.io/quote v1.5.2/go.mod h1:newgomodchecksum=
+                rsc.io/sampler v1.3.0/go.mod h1:anexistingchecksum=
+              GOSUM
+
+              allow(File).to receive(:read).with("go.sum").and_return(original_go_sum, updated_go_sum)
+
+              expect(updated_go_mod_content).not_to include(removed_line)
+            end
+          end
+
+          context "when a transitive dependency version is legitimately upgraded" do
+            let(:removed_line) { "golang.org/x/sys v0.0.0-20200116001909/go.mod h1:oldtransitivechecksum=" }
+
+            it "does not restore the removed checksum line" do
+              allow(File).to receive(:read).and_call_original
+
+              original_go_sum = <<~GOSUM
+                golang.org/x/sys v0.0.0-20200116001909 h1:oldziphash=
+                #{removed_line}
+                rsc.io/quote v1.4.0 h1:oldchecksum=
+                rsc.io/quote v1.4.0/go.mod h1:oldgomod=
+              GOSUM
+
+              updated_go_sum = <<~GOSUM
+                golang.org/x/sys v0.0.0-20220731174439 h1:newziphash=
+                golang.org/x/sys v0.0.0-20220731174439/go.mod h1:newtransitivechecksum=
+                rsc.io/quote v1.5.2 h1:newchecksum=
+                rsc.io/quote v1.5.2/go.mod h1:newgomodchecksum=
+              GOSUM
+
+              allow(File).to receive(:read).with("go.sum").and_return(original_go_sum, updated_go_sum)
+
+              expect(updated_go_mod_content).not_to include(removed_line)
+            end
+          end
+
           describe "a non-existent dependency with a pseudo-version" do
             let(:project_name) { "non_existent_dependency" }