Skip to content

Automated Dependency Updates for Go Modules

Categories: golang

Renovate supports updating Go Modules dependencies.

File Matching

By default, Renovate will check any files matching the following regular expression: (^|/)go\.mod$.

For details on how to extend a manager's fileMatch value, please follow this link.

Supported datasources

This manager supports extracting the following datasources: go, golang-version.

Default config

{
  "fileMatch": [
    "(^|/)go\\.mod$"
  ],
  "pinDigests": false
}

Additional Information

Post-Update Options

You might be interested in the following postUpdateOptions:

  1. gomodTidy - if you'd like Renovate to run go mod tidy after every update before raising the PR
  2. This is implicitly enabled for major updates if the user has enabled the option gomodUpdateImportPaths
  3. gomodTidy1.17 - if you'd like Renovate to run go mod tidy -compat=1.17 after every update before raising the PR
  4. gomodTidyE - if you'd like Renovate to run go mod tidy -e after every update before raising the PR
  5. gomodUpdateImportPaths - if you'd like Renovate to update your source import paths on major updates before raising the PR
  6. gomodMassage - to enable massaging of all replace statements prior to running go so that they will be ignored

When Renovate is running using binarySource=docker (such as in the Mend Renovate App) then it will pick the latest compatible version of Go to run, i.e. the latest 1.x release. Even if the go.mod has a version like go 1.14, Renovate will treat it as a ^1.14 constraint and not =1.14.

Indirect updates are disabled by default. To enable them, add a package rule such as:

{
  "packageRules": [
    {
      "matchManagers": ["gomod"],
      "matchDepTypes": ["indirect"],
      "enabled": true
    }
  ]
}

Private Modules Authentication

Before running the go commands to update the go.sum, Renovate exports git insteadOf directives in environment variables.

The following logic is executed prior to "artifacts" updating:

The token from the hostRules entry matching hostType=github and matchHost=api.github.com is added as the default authentication for github.com. For those running against github.com, this token will be the default platform token.

Next, all hostRules with both a token or username/password and matchHost will be fetched, except for any github.com one from above.

Rules from this list are converted to environment variable directives if they match any of the following characteristics:

  • No hostType is defined, or
  • hostType is go, or
  • hostType is a platform (github, gitlab, azure, etc.)

Open items

The below list of features and bugs were current when this page was generated on December 08, 2023.

Feature requests

  • Include PR body note when Go implicitly increases the go mod directive #25047
  • Update "toolchain" in go.mod #24427
  • Support vendored major upgrades for Go #21010
  • Indirect dependencies in dependent go modules need to be updated #12999
  • lockfile maintenance for go.mod files #9578
  • Set GOCACHE when updating go artifacts #6225
  • ignore "empty" Go module updates #5123
  • Support Bazel go_repository "sum" field #4402

Bug reports

  • datasource/go: Renovate wants to "upgrade" to v1 digest from v2 #19756
  • Renovate on Gitlab fails to lookup go dependency gonum.org/v1/gonum #19667