Dependabot-core: Support vendoring for Go

Created on 18 Sep 2018 · 25 Comments · Source: dependabot/dependabot-core

Moved from https://github.com/dependabot/feedback/issues/187.

This needs a general strategy for supporting vendoring, but is also probably a sensible first language to look at (since vendoring in Go is so common).

Labels: vendoring, Lmodules, feature-request

Most helpful comment

Another vote for this. Makes it impossible to use otherwise.

All 25 comments

I would love to see this feature in! I would go for a simple configuration variable to check if vendoring is enabled and then do something like this afterwards:

export GO111MODULE=on
go mod tidy && \
    go mod vendor && \
    go mod verify

What do you think?

@greysteil Any ETA?

I'm going to leave this one for @hmarr, but hopefully soon. We've done a bunch of the required background work here already, and GitHub themselves vendor their dependencies, so we're feeling it as an acute pain internally!

I guess we also have to take indirect dependencies into account. Dependabot should check them for updates, too.

This is our top priority for Go, but unfortunately we can't dedicate much time to Go right now. I'm hoping we'll be able to build our much more solid Go support (including vendoring) over the next few months.

Related: https://github.com/dependabot/feedback/issues/215

A workaround function we've seen for Circle CI users, that vendors dependencies in an additional commit:

update-vendor:
  <<: *docker_build_image
  steps:
    - checkout
    - run: GO111MODULE=on go mod vendor
    - run: |
        git config --global user.email "[email protected]"
        git config --global user.name "Friendly Robot"

        git diff --quiet || ( \
          git commit -am "vendor: go mod vendor" && \
          git push origin "$(git rev-parse --abbrev-ref HEAD)" \
        )

Any update on this feature request?
This clearly is a blocker for my team to adopt dependabot :'(

Another vote for this. Makes it impossible to use otherwise.

This breaks using dependabot with go1.14 and vendoring. go1.14 does not allow an inconsistent vendor directory, so without automatic vendoring, we have to manually check out each branch and do go mod vendor.

I was able to work around this limitation with a custom Workflow. The downside is that since we're adding a new commit Dependabot will no longer manage the PR. Proper upstream support is still desirable.

name: dependabot-gomod
on:
  push:
    branches:
    - dependabot/go_modules/**

jobs:
  go_mod_vendor:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-go@v2
        with:
          go-version: 1.14.x
      - uses: actions/checkout@v2
        with:
          # use a personal access token so that the push will trigger new actions
          token: ${{ secrets.PAT_TOKEN }}
      - name: vendor
        run: |
          go mod vendor
      - name: tidy
        run: |
          go mod tidy
      - name: commit changes
        uses: stefanzweifel/[email protected]
        with:
          commit_message: Vendor and tidy go modules
          commit_options: '--no-verify --signoff'
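The go1.14 failure mentioned above and the two CI workarounds both hinge on one rule: vendor/modules.txt has to agree with go.mod, or the build refuses to run. The following is an added example, not code from dependabot-core or from anyone in this thread: it reimplements the core of that consistency check over a constructed go.mod / vendor/modules.txt pair, so a CI step can report exactly which requirement is stale before re-running go mod vendor. The sample module names are mine, and the parser assumes requirements live in a single require ( ... ) block.

```go
package main

import (
	"fmt"
	"strings"
)

// requirements maps path -> version for each entry of the go.mod "require ( ... )" block ("// indirect" included).
func requirements(gomod string) map[string]string {
	reqs, inBlock := map[string]string{}, false
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // drop comments
		if inBlock && len(f) == 2 {
			reqs[f[0]] = f[1]
		} else if len(f) > 0 { // "require (" opens the block; anything else (e.g. ")") closes it
			inBlock = len(f) == 2 && f[0] == "require" && f[1] == "("
		}
	}
	return reqs
}

// vendored maps path -> version for modules that vendor/modules.txt marks "## explicit".
func vendored(modulesTxt string) map[string]string {
	mods, path, ver := map[string]string{}, "", ""
	for _, line := range strings.Split(modulesTxt, "\n") {
		if f := strings.Fields(line); len(f) >= 3 && f[0] == "#" {
			path, ver = f[1], f[2]
		} else if strings.HasPrefix(line, "## explicit") {
			mods[path] = ver
		}
	}
	return mods
}

// inconsistencies applies the go1.14 rule: every go.mod requirement must be vendored explicitly at the same version.
func inconsistencies(gomod, modulesTxt string) (out []string) {
	mods := vendored(modulesTxt)
	for p, v := range requirements(gomod) {
		if mv, ok := mods[p]; !ok || mv != v {
			out = append(out, fmt.Sprintf("%s: go.mod has %s, vendor/modules.txt has %q", p, v, mv))
		}
	}
	return out
}

// Constructed sample (not a real repo): a dependency PR bumped liba in go.mod, vendor/ was not regenerated.
const sampleGoMod = "module example.com/app\n\ngo 1.14\n\nrequire (\n\texample.com/liba v1.3.0\n\texample.com/libb v0.2.1 // indirect\n)\n"
const sampleModulesTxt = "# example.com/liba v1.2.0\n## explicit\nexample.com/liba\n# example.com/libb v0.2.1\n## explicit\nexample.com/libb\n"
func main() { // a non-empty report is the cue to run "go mod vendor" and commit the result
	fmt.Println(strings.Join(inconsistencies(sampleGoMod, sampleModulesTxt), "\n"))
}
```

Go also checks the reverse direction (a module marked explicit in vendor/modules.txt but absent from go.mod); that half is left out here to keep the example short.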

hi 😄 Any chance I can help with this feature?

Hi all, we're gradually rolling out support for this on the GitHub native version of Dependabot, please let me know if you'd like to get early access to the feature and I'd be happy to enable it on your repo/account.

ho yeah 👍

I'll be glad to be part of this early access program, is it possible to do it on an organisation level?

Yep, for sure

Nice, excited to see this feature! :tada:

We'd be happy to test this in one of our repositories over at @form3tech. How can I contact you regarding the repository name?

great! So I have the same question as @hallabro 👍

I'll reach out to you both via your public email, thanks for helping us verify this 👍

would be happy to assist as well

Sweet, reaching out via email

I'd love to get on the early access!

Saw this work on one of my repos that had a GitHub action set up to run go mod vendor on any dependabot PRs. It worked perfectly, my extra action did nothing since there were no changes, many thanks!

Apologies I missed this, but it's fully rolled out now

just a quick note to say that this works pretty well (using it on >20 repos)

we are just missing the availability to update private vendors which, as I understand, is available on dependabot.com but not in github integration yet 👍

Happy to hear it, private repos are definitely coming in the GH integration, we'll also support tidy and vendoring on dependabot.com soon-ish, as we get it for free now that it's available in dependabot-core
