Automated Dependency Updates for Go Modules¶
Renovate supports upgrading dependencies in go.mod
files and associated go.sum
checksums.
If you're self-hosting Renovate, you may use these environment variables:
GOPROXY
GONOPROXY
GOPRIVATE
GOINSECURE
To learn what these variables do, read the Go Modules Reference about theGOPROXY
protocol.
How It Works¶
- Renovate searches in each repository for any
go.mod
files - Renovate extracts existing dependencies from
require
statements - Renovate resolves the dependency's source repository and checks for SemVer tags if found. Otherwise commits and
v0.0.0-....
syntax will be used - If Renovate finds an update, Renovate will update
go.mod
to the new value - Renovate runs
go get
to update thego.sum
files (you can configure which directories are included using thegoGetDirs
option) - If the user has enabled the option
gomodUpdateImportPaths
in thepostUpdateOptions
array, then Renovate uses mod to update import paths on major updates, which can update any Go source file - If the user has any of the available
gomodTidy
options (e.g.gomodTidy1.17
) in thepostUpdateOptions
, then Renovate runsgo mod tidy
with the respective options (multiple options are allowed). go mod vendor
is run if vendored modules are detected- A PR will be created with
go.mod
,go.sum
, and any updated vendored files updated in the one commit - If the source repository has either a "changelog" file or uses GitHub releases, then Release Notes for each version will be embedded in the generated PR
Enabling Go Modules Updating¶
Renovate updates Go Modules by default. To install Renovate Bot itself, either enable the Renovate App on GitHub, or check out Renovate OSS for self-hosted.
Technical Details¶
Replace massaging¶
Renovate can massage replace
statements it finds prior to running go
commands, and then massage them back afterwards.
This capability was added - and originally default behavior - because relative replace
statements outside of the current repo will not work when Renovate clones the repo locally.
On the other hand, this massaging of replace
statements may lead to unexpected results, especially because go mod tidy
may not fully tidy the go.sum
if it is missing the replace
directives in go.mod
.
It has therefore been disabled by default.
To enable this replace massaging behavior, add gomodMassage
to your postUpdateOptions
array.
Module Tidying¶
Go Modules tidying is not enabled by default, and is opt-in via the postUpdateOptions
config option.
The reason for this is that a go mod tidy
command may make changes to go.mod
and go.sum
that are completely unrelated to the updated module(s) in the PR, and so may be confusing to some users.
Module Vendoring¶
Vendoring of Go Modules is done automatically if vendor/modules.txt
is present.
Renovate will commit all files changed within the vendor/
folder.
Note
Renovate does not support vendoring major upgrades of Go modules. Follow issue #21010.
Go binary version¶
By default, Renovate will keep up with the latest version of the go
binary.
You can force Renovate to use a specific version of Go by setting a constraint.
{
"constraints": {
"go": "1.23"
}
}
We do not support patch level versions for the minimum go
version.
This means you cannot use go 1.23.3
, but you can use go 1.23
as a constraint.
Custom registry support, and authentication¶
This example shows how you can use a hostRules
configuration to configure Renovate for use with a custom private Go module source using Git to pull the modules when updating go.sum
and vendored modules.
All token hostRules
with a hostType
(e.g. github
, gitlab
, bitbucket
, ... ) and host rules without a hostType
are setup for authentication.
module.exports = {
hostRules: [
{
matchHost: 'github.enterprise.com',
token: process.env.GO_GITHUB_TOKEN,
hostType: 'github',
},
{
matchHost: 'someGitHost.enterprise.com',
token: process.env.GO_GIT_TOKEN,
},
],
};