v2.1.0 doesn't match what is cached in proxy.golang.org #124

Open
ianling opened this issue Dec 3, 2024 · 0 comments
ianling commented Dec 3, 2024

When I get okta-jwt-verifier-golang v2.1.0 using the following commands, they give different results.

First of all, go clean -modcache to ensure we are fetching packages from the internet.

Default: (GOSUMDB and GOPROXY enabled)

> GOSUMDB=sum.golang.org GOPROXY='https://proxy.golang.org' go get github.com/okta/okta-jwt-verifier-golang/v2@v2.1.0
[works fine]

GOPROXY disabled (and remove go.sum so we don't have a checksum saved):

> rm go.sum && GOSUMDB=sum.golang.org GOPROXY=direct go get github.com/okta/okta-jwt-verifier-golang/v2@v2.1.0
go: downloading github.com/okta/okta-jwt-verifier-golang/v2 v2.1.0
verifying github.com/okta/okta-jwt-verifier-golang/v2@v2.1.0: checksum mismatch
	downloaded: h1:SnGf3apfm+7pKE3g2rh7cmr9fj1epg/8A8eyO3Ui0vU=
	sum.golang.org: h1:kxe6tAiUjp1mN5YIXtD1mlMD26scHADVFkXMrSLQJnI=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

GOPROXY and GOSUMDB disabled:

> rm go.sum && GOSUMDB=off GOPROXY=direct go get github.com/okta/okta-jwt-verifier-golang/v2@v2.1.0
[works fine]

If I vendor the two versions and diff them, this is the difference:

vendor/github.com/okta/okta-jwt-verifier-golang/v2/.goreleaser.yaml vendor_direct/github.com/okta/okta-jwt-verifier-golang/v2/.goreleaser.yaml
0a1
> version: 2
10c11
<   skip: true
---
>   disable: true

It appears that the v2.1.0 release GitHub Actions workflow was run several times with different commits: https://github.com/okta/okta-jwt-verifier-golang/actions

I think that pushing a new v2.1.1 release would fix this issue.
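The h1: values in the error output above are Go module checksums. As an added example (not part of this issue or of the okta project's code), the Go program below reimplements the Hash1 algorithm from golang.org/x/mod/sumdb/dirhash and shows that the small .goreleaser.yaml difference alone produces two different checksums for the same tag; the file set and contents are constructed stand-ins, not the real module zip.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// hash1 reimplements the "h1:" module checksum (dirhash.Hash1): file names are
// sorted, each file's SHA-256 is written as "<hex>  <name>\n" into a summary,
// and the checksum is the base64-encoded SHA-256 of that summary. Names are the
// paths inside the module zip, i.e. prefixed with "<module>@<version>/".
func hash1(files map[string]string) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, name := range names {
		fileSum := sha256.Sum256([]byte(files[name]))
		fmt.Fprintf(h, "%x  %s\n", fileSum, name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// moduleFiles builds a constructed, minimal stand-in for the v2.1.0 module zip.
func moduleFiles(goreleaser string) map[string]string {
	const prefix = "github.com/okta/okta-jwt-verifier-golang/v2@v2.1.0/"
	return map[string]string{
		prefix + "go.mod":           "module github.com/okta/okta-jwt-verifier-golang/v2\n",
		prefix + ".goreleaser.yaml": goreleaser,
	}
}

// Constructed .goreleaser.yaml variants mirroring the diff reported in the issue.
const proxyGoreleaser = "builds:\n  - skip: true\n"
const directGoreleaser = "version: 2\nbuilds:\n  - disable: true\n"

func main() {
	proxySum := hash1(moduleFiles(proxyGoreleaser))
	directSum := hash1(moduleFiles(directGoreleaser))
	fmt.Println("proxy: ", proxySum)
	fmt.Println("direct:", directSum)
	if proxySum != directSum {
		fmt.Println("checksum mismatch: same tag, different file contents")
	}
}
```

Because the checksum covers every file in the zip, re-running a release workflow from a different commit under the same tag changes the h1: value even when no Go source changed, which is exactly what sum.golang.org then rejects.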
