This would be awesome to have as a Go developer
Rather than just updating modules, running go mod tidy would add and remove them too
Pinging @hmarr who's currently rewriting our go mod support!
@TheRedSpy15 - I'm with you, I'd love to add go mod tidy support. It's a bit tricky currently, as we'd need to clone the entire repo (go mod tidy looks at your source code to determine what should be present in the go.mod), and Dependabot is currently only set up to fetch individual dependency files.
However, (optionally) cloning the whole repo is something we'd like to do at some point, as it'd also let us handle major version updates for Go modules, and help us with vendoring support.
Actually, maybe there's a more overarching need to run any command as part of generating the PR? I would love to run a certain Makefile command if a submodule updates for instance (re-generate the GRPC code when the submodule with .proto files is updated for instance). Seems that this would also fit within that.
Sounds like a great use case for GitHub Actions. You could run an action to regenerate the GRPC code and push a new commit to any PR that touches a .proto file, or run go mod tidy on PRs tagged with dependencies.
go mod vendor would be another command that would be useful, but it looks like similar problem to tidy, you don't have the whole repo. Maybe something we can do with an action as well in the meantime.
Vendoring is on my list, too. Once we're able to make larger changes across the repo, we should be able to handle vendoring as well as go mod tidy.
I have about 80+ repositories in this org alone I'd like to use this on: https://github.com/terraform-providers but we still vendor until we get a module proxy setup.
Also really keen to have go mod vendor
Are there any updates on this issue? We hope that go mod tidy is executed for Go module updates.
We've been busy with the acquisition recently so haven't made progress on this yet. I'm hoping we'll be able to build out better Go support over the next few months though.
go mod tidy would be great!
I'm also going to chime in on vendoring support. Ideally, I'd prefer it if both go modules and dep were supported, since my org has a couple repos where we rely on tools that aren't module-friendly yet, and thus won't be migrating those repos over for a while.
Hi,
Any update on this?
Afraid not - the Dependabot team is still tiny and working to get to 100% rollout for automated security fixes before tackling additional feature work.
Is there a way to help?
I don't think so - as @hmarr says above this would be a pretty major change as we'd need to start cloning your repo rather than just fetching your dependency files, which in turn would need a different infrastructure setup to support it.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within seven days. Thank you for your contributions.
I think this issue should be kept open.
My current workaround is using this workflow to remove go.sum and exec a go mod tidy and push changes.
As another solution, I made https://github.com/marketplace/actions/go-mod-tidy-pr
We use -mod=readonly in our workflows and get this error on the PRs opened by the bot:
go: updates to go.sum needed, disabled by -mod=readonly
same here! The only solution for us so far is to manually run a go mod tidy on the same branch as the PR, taking away from the lovely automation that we want 😩
We're starting to roll out this feature on the GH native version of Dependabot, if anyone would like to preview this, please let me know which repo or account you'd like it enabled on.
Is this expected to be enabled for all repositories now? As best I can tell, we're not seeing it yet.
For example, this PR from Dependabot didn't include these go mod tidy updates (or this Dependabot PR from last week). The same for this version bump and these go mod tidy changes.
Thanks for this great tooling, we really find it useful and appreciate it!
It turns out we needed an admin to login to the Dependabot dashboard and have the bot generate PRs like https://github.com/submariner-io/submariner/pull/1033 to update to the new GH-driven version. Thanks!
Happy you got it to work @dfarrell07, I'm slightly surprised it didn't work for dependabot-preview, but if you're able to use the GH native version that's much better 🎉
This doesn't work for dependabot-preview in our case as well. go mod tidy is not run.
But this is not really the root of the problem. When running go mod tidy, it will, as a side effect, add a line that is actually missing when updating:
Dependabot adds this line:
github.com/google/uuid v1.1.4/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
But misses this line:
github.com/google/uuid v1.1.4 h1:0ecGp3skIrHWPNGPJDaBIghfA6Sp7Ruo2Io8eLKzWm0=
Then running go build (or any other go command) locally fixes it. Running go mod tidy also fixes it, but not because it removed the older versions.
In summary, looks like dependabot preview (without go mod tidy) is completely broken currently, unless I understand this wrong.
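Added example, not code from the thread or from Dependabot: a small Go check that reads constructed go.mod/go.sum excerpts and flags every required module whose go.sum carries only the `/go.mod` hash line, which is the defect described above. A `/go.mod`-only line is legitimate for modules that sit in the module graph but are not built, so the check only looks at modules listed in go.mod's require block; the uuid v1.1.4 hash is the one quoted above, the x/text hashes are made-up placeholders.

```go
package main

import "fmt"
import "strings"

// Constructed go.mod/go.sum excerpts reproducing the thread: uuid was bumped to v1.1.4 and go.sum
// got only its "/go.mod" hash (the hash quoted above); the golang.org/x/text hashes are made up.
const sampleGoMod = `require (
	github.com/google/uuid v1.1.4
	golang.org/x/text v0.3.3 // indirect
)
`
const sampleGoSum = `github.com/google/uuid v1.1.4/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
golang.org/x/text v0.3.3 h1:PLACEHOLDERconstructedHash000000000000000000000=
golang.org/x/text v0.3.3/go.mod h1:PLACEHOLDERconstructedHash111111111111111111=
`

// MissingModuleHashes returns "module version" keys from go.mod's require block that have only a
// "mod ver/go.mod h1:..." line in go.sum and no "mod ver h1:..." (module zip) line: exactly the
// entries that make a -mod=readonly build fail with "updates to go.sum needed".
func MissingModuleHashes(goMod, goSum string) []string {
	hasZip := map[string]bool{}
	for _, line := range strings.Split(goSum, "\n") {
		if f := strings.Fields(line); len(f) == 3 && !strings.HasSuffix(f[1], "/go.mod") {
			hasZip[f[0]+" "+f[1]] = true
		}
	}
	var missing []string
	inRequire := false
	for _, raw := range strings.Split(goMod, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i]) // drop "// indirect" comments
		}
		if line == "require (" || line == ")" {
			inRequire = line == "require ("
			continue
		}
		if f := strings.Fields(line); inRequire && len(f) == 2 && !hasZip[f[0]+" "+f[1]] {
			missing = append(missing, f[0]+" "+f[1])
		}
	}
	return missing
}

func main() {
	for _, m := range MissingModuleHashes(sampleGoMod, sampleGoSum) {
		fmt.Println("go.sum lacks module hash for:", m) // reports github.com/google/uuid v1.1.4
	}
}
```

Run it as a CI step against the real go.mod and go.sum of a Dependabot PR to fail fast with a clear message instead of the readonly error.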
I can confirm @juanibiapina's statements.
PRs opened by dependabot do not pass my CI pipeline due to missing lines which would be generated by go mod tidy.
See: https://github.com/sylr/prometheus-azure-exporter/pull/190
I'd recommend upgrading to the GH native version of dependabot. If you log into dependabot.com there should be a button that handles the migration for you. Go mod tidy should run as expected there 👍
Thank you @jurre! Everything is good now 👍