Skip to content

Automated Dependency Updates for Go Modules

Categories: golang

Renovate supports updating Go Modules dependencies.

File Matching

By default, Renovate will check any files matching the following regular expression: (^|/)go\.mod$.

For details on how to extend a manager's fileMatch value, please follow this link.

Supported datasources

This manager supports extracting the following datasources: go, golang-version.

Default config

{
  "fileMatch": [
    "(^|/)go\\.mod$"
  ],
  "pinDigests": false
}

Additional Information

Post-Update Options

You might be interested in the following postUpdateOptions:

  1. gomodTidy - if you'd like Renovate to run go mod tidy after every update before raising the PR
    1. This is implicitly enabled for major updates if the user has enabled the option gomodUpdateImportPaths
  2. gomodTidy1.17 - if you'd like Renovate to run go mod tidy -compat=1.17 after every update before raising the PR
  3. gomodTidyE - if you'd like Renovate to run go mod tidy -e after every update before raising the PR
  4. gomodUpdateImportPaths - if you'd like Renovate to update your source import paths on major updates before raising the PR
  5. gomodMassage - to enable massaging of all replace statements prior to running go so that they will be ignored

When Renovate is running using binarySource=docker (such as in the Mend Renovate App) then it will pick the latest compatible version of Go to run, i.e. the latest 1.x release. Even if the go.mod has a version like go 1.14, Renovate will treat it as a ^1.14 constraint and not =1.14.

Indirect updates are disabled by default. To enable them, add a package rule such as:

{
  "packageRules": [
    {
      "matchManagers": ["gomod"],
      "matchDepTypes": ["indirect"],
      "enabled": true
    }
  ]
}

Private Modules Authentication

Before running the go commands to update the go.sum, Renovate exports git insteadOf directives in environment variables.

The following logic is executed prior to "artifacts" updating:

The token from the hostRules entry matching hostType=github and matchHost=api.github.com is added as the default authentication for github.com. For those running against github.com, this token will be the default platform token.

Next, all hostRules with both a token or username/password and matchHost will be fetched, except for any github.com one from above.

Rules from this list are converted to environment variable directives if they match any of the following characteristics:

  • No hostType is defined, or
  • hostType is go, or
  • hostType is a platform (github, gitlab, azure, etc.)

Major upgrades of dependencies

Major upgrades in Go are different from most other ecosystems, because both the version and module name need to be changed. It is very common that such upgrades require changes to application code, which Renovate doesn't do.

By default, Renovate will make such change in the go.mod files but nothing else - the rest is up to you. If you add gomodUpdateImportPaths to postUpdateOptions then Renovate will also use a third-party tool to migrate import paths within application code, but there may still be actual application logic which needs to be changed too.

Ultimately: it is known and unavoidable that the majority of major Go upgrades won't be immediately mergeable. You might prefer to configure such major updates with dependencyDashboardApproval=true so that you can request them on demand, on supported platforms.

Open items

The below list of features and bugs were current when this page was generated on October 12, 2024.

Feature requests

  • Support vendored major upgrades for Go #21010
  • Indirect dependencies in dependent go modules need to be updated #12999
  • lockfile maintenance for go.mod files #9578
  • Set GOCACHE when updating go artifacts #6225
  • Support Bazel go_repository "sum" field #4402

Bug reports

  • datasource/go: Renovate wants to "upgrade" to v1 digest from v2 #19756
  • Renovate on Gitlab fails to lookup go dependency gonum.org/v1/gonum #19667