Automated Dependency Updates for Go Modules
Categories: golang
Renovate supports updating Go Modules dependencies.
File Matching¶
By default, Renovate will check any files matching the following regular expression: (^|/)go\.mod$
.
For details on how to extend a manager's fileMatch
value, please follow this link.
Supported datasources¶
This manager supports extracting the following datasources: go
, golang-version
.
Default config¶
{
"fileMatch": [
"(^|/)go\\.mod$"
],
"pinDigests": false
}
Additional Information¶
Post-Update Options¶
You might be interested in the following postUpdateOptions
:
gomodTidy
- if you'd like Renovate to rungo mod tidy
after every update before raising the PR- This is implicitly enabled for major updates if the user has enabled the option
gomodUpdateImportPaths
- This is implicitly enabled for major updates if the user has enabled the option
gomodTidy1.17
- if you'd like Renovate to rungo mod tidy -compat=1.17
after every update before raising the PRgomodTidyE
- if you'd like Renovate to rungo mod tidy -e
after every update before raising the PRgomodUpdateImportPaths
- if you'd like Renovate to update your source import paths on major updates before raising the PRgomodMassage
- to enable massaging of allreplace
statements prior to runninggo
so that they will be ignored
When Renovate is running using binarySource=docker
(such as in the Mend Renovate App) then it will pick the latest compatible version of Go to run, i.e. the latest 1.x
release.
Even if the go.mod
has a version like go 1.14
, Renovate will treat it as a ^1.14
constraint and not =1.14
.
Indirect updates are disabled by default. To enable them, add a package rule such as:
{
"packageRules": [
{
"matchManagers": ["gomod"],
"matchDepTypes": ["indirect"],
"enabled": true
}
]
}
Private Modules Authentication¶
Before running the go
commands to update the go.sum
, Renovate exports git
insteadOf
directives in environment variables.
The following logic is executed prior to "artifacts" updating:
The token from the hostRules
entry matching hostType=github
and matchHost=api.github.com
is added as the default authentication for github.com
.
For those running against github.com
, this token will be the default platform token.
Next, all hostRules
with both a token or username/password and matchHost
will be fetched, except for any github.com one from above.
Rules from this list are converted to environment variable directives if they match any of the following characteristics:
- No
hostType
is defined, or hostType
isgo
, orhostType
is a platform (github
,gitlab
,azure
, etc.)
Major upgrades of dependencies¶
Major upgrades in Go are different from most other ecosystems, because both the version and module name need to be changed. It is very common that such upgrades require changes to application code, which Renovate doesn't do.
By default, Renovate will make such change in the go.mod
files but nothing else - the rest is up to you.
If you add gomodUpdateImportPaths
to postUpdateOptions
then Renovate will also use a third-party tool to migrate import paths within application code, but there may still be actual application logic which needs to be changed too.
Ultimately: it is known and unavoidable that the majority of major Go upgrades won't be immediately mergeable.
You might prefer to configure such major updates with dependencyDashboardApproval=true
so that you can request them on demand, on supported platforms.
Open items¶
The below list of features and bugs were current when this page was generated on October 12, 2024.
Feature requests¶
- Support vendored major upgrades for Go #21010
- Indirect dependencies in dependent go modules need to be updated #12999
- lockfile maintenance for go.mod files #9578
- Set GOCACHE when updating go artifacts #6225
- Support Bazel go_repository "sum" field #4402