ci(vendor-hash): block major indirect bumps and skip false-positive hooks (#978)

cpcloud · web-flow · commit 518e00bd8166 · 2026-04-23T12:33:40.000Z
Follow-up to #976. PR #977 surfaced two gaps the first round didn't address: **1. Renovate keeps opening doomed major bumps for indirect Go deps.** #977 proposed `github.com/openai/openai-go` v1 -> v3 and `modernc.org/libc` v1 -> v2. Both new majors are different module paths, nothing in this repo imports them, and `go mod why github.com/openai/openai-go/v3` returns `(main module does not need package ...)`. `go mod tidy` strips them on every workflow run. The PR can never reconcile with main. Disable `matchUpdateTypes: ["major"]` for `indirect` deps under `gomod` so these PRs stop being opened. **2. The batched go-indirect workflow commit trips two pre-commit hooks as false positives.** When `go mod tidy` reshapes `go.sum` without altering vendor contents (exactly the state after tidy strips an unused major), `Commit and push` fails: - `vendor-hash-check` reports "go.sum changed but nix/package.nix is unchanged" -- but the workflow already ran the authoritative `nix build` hash computation in the previous step. - `go-mod-tidy` reports "tidy would modify files" -- the upstream `Tidy go modules` step already tidied. Scope a `SKIP: vendor-hash-check,go-mod-tidy` env to just the `Commit and push` step. This is a narrow per-hook skip via prek's `SKIP` variable, not a blanket bypass. All other hooks still run on that commit. ## Reproduction 1. Open any Renovate PR that bumps an indirect Go dep to a new major version (the new major is a different module path and nothing imports it). 2. Before this PR: the PR is unfixable, `go mod tidy` keeps reverting the bump, and the vendor-hash workflow cannot commit its tidy output because `vendor-hash-check` blocks. After this PR: Renovate never opens the PR in the first place, and if an equivalent tidy-only scenario arises from another path the workflow can still commit. ## Follow-up Close #977 -- its branch carries the stuck state and Renovate will skip that update-type under the new rule.
diff --git a/renovate.json b/renovate.json
@@ -27,6 +27,13 @@
       "separateMultipleMajor": false,
       "separateMinorPatch": false
     },
+    {
+      "description": "Never bump indirect Go deps across majors. A new major is a different module path; nothing in this repo imports it, so go mod tidy just strips the new lines again.",
+      "matchManagers": ["gomod"],
+      "matchDepTypes": ["indirect"],
+      "matchUpdateTypes": ["major"],
+      "enabled": false
+    },
     {
       "description": "Group GitHub Actions updates",
       "matchManagers": ["github-actions"],
