ci(vendor-hash): block major indirect bumps and skip false-positive hooks

cpcloud · cpcloud · commit 62b83956bbd4 · 2026-04-23T08:21:32.000-04:00
PR #977 (the first batched go-indirect run under the new config) surfaced two remaining gaps: 1. Renovate kept attempting major-version bumps on indirect deps (openai-go v1 -> v3, modernc.org/libc v1 -> v2). A new major is a different Go module path, and nothing in the repo imports the new path, so `go mod tidy` strips the added lines on every workflow run. The PR is a guaranteed no-op that never reconciles with main. Disable major update-types for the indirect rule so Renovate stops opening them. 2. When `go mod tidy` does reshape go.sum without altering vendor contents (exactly the scenario above), the Commit and push step trips two pre-commit hooks that fire as false positives here: vendor-hash-check ("go.sum changed but nix/package.nix did not") and go-mod-tidy ("tidy would modify files" -- it already did, we are about to stage the result). Scope SKIP to these two hook IDs on that one step; all other hooks still run.
diff --git a/.github/workflows/update-vendor-hash.yml b/.github/workflows/update-vendor-hash.yml
@@ -128,6 +128,15 @@ jobs:
         run: nix build '.#micasa' --no-link -L
 
       - name: Commit and push
+        env:
+          # Skip hooks this workflow would always trip as false positives:
+          # - vendor-hash-check fires when go.sum is staged but nix/package.nix
+          #   is not, which is exactly the state when `go mod tidy` reshapes
+          #   go.sum without altering vendor contents (this step already ran
+          #   the authoritative hash computation above).
+          # - go-mod-tidy reruns tidy and complains if it would change files;
+          #   the Tidy go modules step upstream already tidied.
+          SKIP: vendor-hash-check,go-mod-tidy
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
diff --git a/renovate.json b/renovate.json
@@ -27,6 +27,13 @@
       "separateMultipleMajor": false,
       "separateMinorPatch": false
     },
+    {
+      "description": "Never bump indirect Go deps across majors. A new major is a different module path; nothing in this repo imports it, so go mod tidy just strips the new lines again.",
+      "matchManagers": ["gomod"],
+      "matchDepTypes": ["indirect"],
+      "matchUpdateTypes": ["major"],
+      "enabled": false
+    },
     {
       "description": "Group GitHub Actions updates",
       "matchManagers": ["github-actions"],
