make GarbleActionID a full sha256 hash

This is in preparation for the switch to Go's cache package,
whose ActionID type is also a full sha256 hash with 32 bytes.
We were using "short" hashes as shown by `go tool buildid`,
since that was consistent and 15 bytes was generally enough.

hash.go

@@ -47,11 +47,8 @@ func decodeBuildIDHash(str string) []byte {
 }
 
 // encodeBuildIDHash encodes a build ID hash in base64, just like cmd/go does.
-func encodeBuildIDHash(h []byte) string {
+func encodeBuildIDHash(h [sha256.Size]byte) string {
-	if len(h) != buildIDHashLength {
+	return base64.RawURLEncoding.EncodeToString(h[:buildIDHashLength])
-		panic(fmt.Sprintf("hashToString expects a hash of length %d, got %d", buildIDHashLength, len(h)))
-	}
-	return base64.RawURLEncoding.EncodeToString(h)
 }
 
 func alterToolVersion(tool string, args []string) error {
@@ -101,7 +98,7 @@ var (
 //
 // This includes garble's own version, obtained via its own binary's content ID,
 // as well as any other options which affect a build, such as GOGARBLE and -tiny.
-func addGarbleToHash(inputHash []byte) []byte {
+func addGarbleToHash(inputHash []byte) [sha256.Size]byte {
 	// Join the two content IDs together into a single base64-encoded sha256
 	// sum. This includes the original tool's content ID, and garble's own
 	// content ID.
@@ -119,8 +116,9 @@ func addGarbleToHash(inputHash []byte) []byte {
 	appendFlags(hasher, true)
 	// addGarbleToHash returns the sum buffer, so we need a new copy.
 	// Otherwise the next use of the global sumBuffer would conflict.
-	sumBuffer := make([]byte, 0, sha256.Size)
+	var sumBuffer [sha256.Size]byte
-	return hasher.Sum(sumBuffer)[:buildIDHashLength]
+	hasher.Sum(sumBuffer[:0])
+	return sumBuffer
 }
 
 // appendFlags writes garble's own flags to w in string form.
@@ -202,7 +200,7 @@ func toUpper(b byte) byte { return b - ('a' - 'A') }
 func runtimeHashWithCustomSalt(salt []byte) uint32 {
 	hasher.Reset()
 	if !flagSeed.present() {
-		hasher.Write(sharedCache.ListedPackages["runtime"].GarbleActionID)
+		hasher.Write(sharedCache.ListedPackages["runtime"].GarbleActionID[:])
 	} else {
 		hasher.Write(flagSeed.bytes)
 	}
@@ -225,7 +223,7 @@ func entryOffKey() uint32 {
 
 func hashWithPackage(pkg *listedPackage, name string) string {
 	if !flagSeed.present() {
-		return hashWithCustomSalt(pkg.GarbleActionID, name)
+		return hashWithCustomSalt(pkg.GarbleActionID[:], name)
 	}
 	// Use a separator at the end of ImportPath as a salt,
 	// to ensure that "pkgfoo.bar" and "pkg.foobar" don't both hash
@@ -239,7 +237,8 @@ func hashWithStruct(strct *types.Struct, fieldName string) string {
 	// struct type "canonical"?
 	fieldsSalt := []byte(strct.String())
 	if !flagSeed.present() {
-		fieldsSalt = addGarbleToHash(fieldsSalt)
+		withGarbleHash := addGarbleToHash(fieldsSalt)
+		fieldsSalt = withGarbleHash[:]
 	}
 	return hashWithCustomSalt(fieldsSalt, fieldName)
 }

main.go

@@ -951,7 +951,7 @@ func transformCompile(args []string) ([]string, error) {
 	}
 
 	// Literal obfuscation uses math/rand, so seed it deterministically.
-	randSeed := curPkg.GarbleActionID
+	randSeed := curPkg.GarbleActionID[:]
 	if flagSeed.present() {
 		randSeed = flagSeed.bytes
 	}

shared.go

@@ -5,6 +5,7 @@ package main
 
 import (
 	"bytes"
+	"crypto/sha256"
 	"encoding/gob"
 	"encoding/json"
 	"errors"
@@ -166,7 +167,7 @@ type listedPackage struct {
 	// with Garble's own inputs as per addGarbleToHash.
 	// It is set even when ToObfuscate is false, as it is also used for random
 	// seeds and build cache paths, and not just to obfuscate names.
-	GarbleActionID []byte `json:"-"`
+	GarbleActionID [sha256.Size]byte `json:"-"`
 
 	// ToObfuscate records whether the package should be obfuscated.
 	// When true, GarbleActionID must not be empty.