buildGoModule: Deprecate vendorSha256 with throw

Ignore vendorSha256 when vendorHash is specified.

Throw when vendorHash isn't specified:
- "buildGoModule: Expect vendorHash instead of vendorSha256" when
  vendorSha256 is specified.
- "buildGoModule: vendorHash is missing" otherwise.

`goModules.outputHashAlgo` is specified as null when vendorHash is not
empty, "sha256" otherwise.

Co-authored-by: zowoq <59103226+zowoq@users.noreply.github.com>

nixos/doc/manual/release-notes/rl-2405.section.md

@@ -179,6 +179,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
   "mysecret"` becomes `services.aria2.rpcSecretFile = "/path/to/secret_file"`
   where the file `secret_file` contains the string `mysecret`.
 
+- `buildGoModule` now throws error when `vendorHash` is not specified. `vendorSha256`, deprecated in Nixpkgs 23.11, is now ignored and is no longer a `vendorHash` alias.
+
 - Invidious has changed its default database username from `kemal` to `invidious`. Setups involving an externally provisioned database (i.e. `services.invidious.database.createLocally == false`) should adjust their configuration accordingly. The old `kemal` user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857)
 
 - `writeReferencesToFile` is deprecated in favour of the new trivial build helper `writeClosure`. The latter accepts a list of paths and has an unambiguous name and cleaner implementation.

pkgs/build-support/go/module.nix

@@ -16,7 +16,12 @@
   #
   # if vendorHash is null, then we won't fetch any dependencies and
   # rely on the vendor folder within the source.
-, vendorHash ? args'.vendorSha256 or (throw "buildGoModule: vendorHash is missing")
+, vendorHash ? throw (
+    if args'?vendorSha256 then
+      "buildGoModule: Expect vendorHash instead of vendorSha256"
+    else
+      "buildGoModule: vendorHash is missing"
+  )
   # Whether to delete the vendor folder supplied with the source.
 , deleteVendor ? false
   # Whether to fetch (go mod download) and proxy the vendor directory.
@@ -49,7 +54,6 @@
 }@args':
 
 assert goPackagePath != "" -> throw "`goPackagePath` is not needed with `buildGoModule`";
-assert (args' ? vendorHash && args' ? vendorSha256) -> throw "both `vendorHash` and `vendorSha256` set. only one can be set.";
 
 let
   args = removeAttrs args' [ "overrideModAttrs" "vendorSha256" "vendorHash" ];
@@ -145,7 +149,9 @@ let
 
     outputHashMode = "recursive";
     outputHash = vendorHash;
-    outputHashAlgo = if args' ? vendorSha256 || vendorHash == "" then "sha256" else null;
+    # Handle empty vendorHash; avoid
+    # error: empty hash requires explicit hash algorithm
+    outputHashAlgo = if vendorHash == "" then "sha256" else null;
   }).overrideAttrs overrideModAttrs;
 
   package = stdenv.mkDerivation (args // {
@@ -294,8 +300,7 @@ let
 
     disallowedReferences = lib.optional (!allowGoReference) go;
 
-    passthru = passthru // { inherit go goModules vendorHash; }
-                        // lib.optionalAttrs (args' ? vendorSha256 ) { inherit (args') vendorSha256; };
+    passthru = passthru // { inherit go goModules vendorHash; };
 
     meta = {
       # Add default meta information
@@ -303,7 +308,6 @@ let
     } // meta;
   });
 in
-lib.warnIf (args' ? vendorSha256) "`vendorSha256` is deprecated. Use `vendorHash` instead"
 lib.warnIf (buildFlags != "" || buildFlagsArray != "")
   "Use the `ldflags` and/or `tags` attributes instead of `buildFlags`/`buildFlagsArray`"
 lib.warnIf (builtins.elem "-buildid=" ldflags) "`-buildid=` is set by default as ldflag by buildGoModule"