Automated Dependency Updates for Go Modules
Categories: golang
Renovate supports updating Go Modules dependencies.
File Matching¶
By default, Renovate will check any files matching the following regular expression: (^|/)go\.mod$.
For details on how to extend a manager's fileMatch value, please follow this link.
Supported datasources¶
This manager supports extracting the following datasources: go, golang-version.
Default config¶
{
"fileMatch": [
"(^|/)go\\.mod$"
],
"pinDigests": false
}
Additional Information¶
Post-Update Options¶
You might be interested in the following postUpdateOptions:
gomodTidy- if you'd like Renovate to rungo mod tidyafter every update before raising the PR- This is implicitly enabled for major updates if the user has enabled the option
gomodUpdateImportPaths
- This is implicitly enabled for major updates if the user has enabled the option
gomodTidy1.17- if you'd like Renovate to rungo mod tidy -compat=1.17after every update before raising the PRgomodTidyE- if you'd like Renovate to rungo mod tidy -eafter every update before raising the PRgomodUpdateImportPaths- if you'd like Renovate to update your source import paths on major updates before raising the PRgomodMassage- to enable massaging of allreplacestatements prior to runninggoso that they will be ignored
When Renovate is running using binarySource=docker (such as in the Mend Renovate App) then it will pick the latest compatible version of Go to run, i.e. the latest 1.x release.
Even if the go.mod has a version like go 1.22, Renovate will treat it as a ^1.22 constraint and not =1.22.
Indirect updates are disabled by default. To enable them, add a package rule such as:
{
"packageRules": [
{
"matchManagers": ["gomod"],
"matchDepTypes": ["indirect"],
"enabled": true
}
]
}
Private Modules Authentication¶
Before running the go commands to update the go.sum, Renovate exports git insteadOf directives in environment variables.
The following logic is executed prior to "artifacts" updating:
The token from the hostRules entry matching hostType=github and matchHost=api.github.com is added as the default authentication for github.com.
For those running against github.com, this token will be the default platform token.
Next, all hostRules with both a token or username/password and matchHost will be fetched, except for any github.com one from above.
Rules from this list are converted to environment variable directives if they match any of the following characteristics:
- No
hostTypeis defined, or hostTypeisgo, orhostTypeis a platform (github,gitlab,azure, etc.)
Major upgrades of dependencies¶
Major upgrades in Go are different from most other ecosystems, because both the version and module name need to be changed. It is very common that such upgrades require changes to application code, which Renovate doesn't do.
By default, Renovate will make such change in the go.mod files but nothing else - the rest is up to you.
If you add gomodUpdateImportPaths to postUpdateOptions then Renovate will also use a third-party tool to migrate import paths within application code, but there may still be actual application logic which needs to be changed too.
Ultimately: it is known and unavoidable that the majority of major Go upgrades won't be immediately mergeable.
You might prefer to configure such major updates with dependencyDashboardApproval=true so that you can request them on demand, on supported platforms.
Open items¶
The below list of features and bugs were current when this page was generated on November 21, 2024.
Feature requests¶
- Support vendored major upgrades for Go #21010
- Indirect dependencies in dependent go modules need to be updated #12999
- lockfile maintenance for go.mod files #9578
- Set GOCACHE when updating go artifacts #6225
- Support Bazel go_repository "sum" field #4402