ci(renovate): block major indirect Go dep bumps #978

Merged
cpcloud merged 3 commits into micasa-dev:main from cpcloud:ci/block-major-indirect-bumps
Apr 23, 2026

Conversation

Collaborator

@cpcloud cpcloud commented Apr 23, 2026

Follow-up to #976. PR #977 showed that batching indirects (done in #976) does not by itself prevent a class of doomed PRs: github.com/openai/openai-go v1 -> v3 and modernc.org/libc v1 -> v2 were both proposed, and both new majors are different Go module paths that nothing in this repo imports. go mod why github.com/openai/openai-go/v3 returns (main module does not need package ...). go mod tidy strips the added lines on every run, so the PR can never reconcile with main. Disabling matchUpdateTypes: ["major"] for indirect deps under gomod stops Renovate from opening them.

With this rule in place, every remaining indirect PR that reaches the vendor-hash workflow bumps a module in place: go.sum changes and vendor content changes together, vendorHash moves with go.sum, nix/package.nix is always staged with a real diff, and vendor-hash-check passes on its own. The go-mod-tidy hook already passes because the upstream Tidy go modules step tidied. No workflow-side skips are needed. If either hook fires from inside this workflow after this merges, that is a real invariant break worth investigating -- not something to silence.

Changes

  • renovate.json -- new rule disabling matchUpdateTypes: ["major"] on indirect gomod deps.

Reproduction

  1. Open any Renovate PR that would bump an indirect Go dep across a major version boundary.
  2. Before: the PR gets created, the vendor-hash workflow tries to tidy and falls over on a pre-commit hook whose invariant is legitimately broken by the revert, and the PR can never merge.
  3. After: Renovate never opens that PR.

Follow-up

Close #977 -- its branch carries the stuck state and Renovate will skip that update-type under the new rule.
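As an added illustration (not the repository's own renovate.json, which this page does not show), here is the shape a packageRules entry takes that does what the description says: disable major update-types for indirect gomod deps while leaving minor and patch bumps to flow into the batched indirect PR. The `extends`, `postUpdateOptions`, `groupName` and `description` values are assumptions; the only keys the page itself names are `matchUpdateTypes: ["major"]` on indirect gomod deps.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "postUpdateOptions": ["gomodTidy"],
  "packageRules": [
    {
      "description": "Assumed batching rule: group every indirect Go module bump into one PR",
      "matchManagers": ["gomod"],
      "matchDepTypes": ["indirect"],
      "groupName": "go-indirect"
    },
    {
      "description": "Never propose a major bump for an indirect Go module: a new major is a different module path that nothing imports, so go mod tidy strips it again",
      "matchManagers": ["gomod"],
      "matchDepTypes": ["indirect"],
      "matchUpdateTypes": ["major"],
      "enabled": false
    }
  ]
}
```

Renovate applies packageRules in order and later matches override earlier ones, so the second rule narrows the first rather than replacing it: indirect minor and patch bumps still land in the grouped PR, only the major step is suppressed. `renovate-config-validator` (shipped in the renovate npm package) will reject unknown keys and is a cheap pre-merge check for a file like this. One trade-off to keep in mind when auditing dependency hygiene: a fix that upstream ships only in a new major of an indirect module will no longer be proposed on its own; it arrives when the direct dependency that pulls it in moves to that major, which is the only way the new module path would actually be imported.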

…ooks

PR micasa-dev#977 (the first batched go-indirect run under the new config)
surfaced two remaining gaps:

1. Renovate kept attempting major-version bumps on indirect deps
   (openai-go v1 -> v3, modernc.org/libc v1 -> v2). A new major is a
   different Go module path, and nothing in the repo imports the new
   path, so `go mod tidy` strips the added lines on every workflow
   run. The PR is a guaranteed no-op that never reconciles with main.
   Disable major update-types for the indirect rule so Renovate
   stops opening them.

2. When `go mod tidy` does reshape go.sum without altering vendor
   contents (exactly the scenario above), the Commit and push step
   trips two pre-commit hooks that fire as false positives here:
   vendor-hash-check ("go.sum changed but nix/package.nix did not")
   and go-mod-tidy ("tidy would modify files" -- it already did, we
   are about to stage the result). Scope SKIP to these two hook IDs
   on that one step; all other hooks still run.
@cpcloud cpcloud added ci CI/CD pipeline changes chore Maintenance and housekeeping dependencies labels Apr 23, 2026
cpcloud added 2 commits April 23, 2026 08:24
The Tidy go modules step upstream already runs `go mod tidy`, so by
the time the Commit and push step runs the tree is tidy and the
go-mod-tidy hook is a pass-through no-op. Leaving it in SKIP was
defending against a scenario that cannot occur on this path.
vendor-hash-check is still skipped for the reason documented on the
env comment.
Once indirect majors are blocked at the Renovate layer, every
remaining Renovate PR that reaches this workflow bumps a module in
place. go.sum changes and vendor content changes together, so the
computed vendorHash moves with go.sum and nix/package.nix is always
staged with a real diff. vendor-hash-check then has both files
staged and exits 0 on its own.

Suppressing it was papering over the symptom of the scenario that
rule was added to eliminate. If the hook ever fires again from
inside this workflow, that is a real invariant break worth
investigating, not something to silence.
@cpcloud cpcloud enabled auto-merge (squash) April 23, 2026 12:26
@cpcloud cpcloud changed the title ci(vendor-hash): block major indirect bumps and skip false-positive hooks ci(renovate): block major indirect Go dep bumps Apr 23, 2026
@cpcloud cpcloud mentioned this pull request Apr 23, 2026
1 task
@cpcloud cpcloud merged commit 518e00b into micasa-dev:main Apr 23, 2026
28 checks passed