Skip to content

chore: enable dependabot for upgrading Go tools #3759

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 22, 2025
Merged

chore: enable dependabot for upgrading Go tools #3759

merged 1 commit into from
Jul 22, 2025

Conversation

alexandear
Copy link
Member

@alexandear alexandear commented Jul 21, 2025
edited
Loading

Currently, we should manually upgrade each tool version. This PR passes on this job to @dependabot.

@alexandear alexandear force-pushed the chore/dependabot-tools branch 5 times, most recently from e8cf398 to 782356a Compare July 21, 2025 10:56
@alexandear alexandear marked this pull request as draft July 21, 2025 11:02
@alexandear alexandear force-pushed the chore/dependabot-tools branch from 782356a to 65fbe7c Compare July 21, 2025 11:22
@alexandear alexandear changed the title chore: turn on @dependabot for tools chore: enable dependabot for upgrading tools Jul 21, 2025
@alexandear alexandear force-pushed the chore/dependabot-tools branch 5 times, most recently from 72c251f to 41d6e15 Compare July 21, 2025 11:51
@alexandear alexandear marked this pull request as ready for review July 21, 2025 11:55
@jandubois
Copy link
Member

Since you did a number of updates to the PR, can you put it into draft until it is ready for review? I can't tell if you intend to make more changes or not.

I'm undecided if I like having a separate go.mod for the tools. I guess it kind of makes sense, but somehow feels untidy. Are there more conflicts than the one for go-license?

AkihiroSuda
AkihiroSuda reviewed Jul 21, 2025
View reviewed changes
AkihiroSuda
AkihiroSuda reviewed Jul 21, 2025
View reviewed changes
@alexandear alexandear force-pushed the chore/dependabot-tools branch 2 times, most recently from c5d4e60 to a4d4167 Compare July 21, 2025 19:23
@alexandear
Copy link
Member Author

Since you did a number of updates to the PR, can you put it into draft until it is ready for review? I can't tell if you intend to make more changes or not.

Yes, of course. I already marked as "Draft".

image

I'm undecided if I like having a separate go.mod for the tools. I guess it kind of makes sense, but somehow feels untidy.

I read about this approach at https://golangci-lint.run/welcome/install/#install-from-sources:~:text=the%20best%20approach%20is%20to%20use%20a%20dedicated%20module%20or%20module%20file%20to%20isolate%20golangci%2Dlint%20from%20other%20tools%20or%20dependencies

Are there more conflicts than the one for go-license?

No, there aren't.

@alexandear alexandear force-pushed the chore/dependabot-tools branch 2 times, most recently from 204d14a to cdfc613 Compare July 21, 2025 19:29
AkihiroSuda
AkihiroSuda reviewed Jul 21, 2025
View reviewed changes
hack/tools/go.mod Outdated
github.com/charmbracelet/x/term v0.2.1 // indirect
github.com/chavacava/garif v0.1.0 // indirect
github.com/ckaznocha/intrange v0.3.1 // indirect
github.com/containerd/ltag v0.3.0 // indirect
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is a directly used tool marked as // indirect?
How does dependabot handle this?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great question. I will investigate this.

go mod tidy adds this // indirect comment.

@alexandear alexandear marked this pull request as draft July 22, 2025 08:59
@alexandear alexandear force-pushed the chore/dependabot-tools branch 4 times, most recently from 4e4699a to efd1e1c Compare July 22, 2025 12:24
@alexandear
Copy link
Member Author

This article recommends introducing a separate go.mod/go.sum for each tool. But I think it's an overkill for us.

I added an old-school hack/tools/pinversion.go to mitigate // indirect require problem. In that way, Dependabot will upgrade version.

@alexandear alexandear force-pushed the chore/dependabot-tools branch from efd1e1c to c15b932 Compare July 22, 2025 12:30
@alexandear alexandear changed the title chore: enable dependabot for upgrading tools chore: enable dependabot for upgrading Go tools Jul 22, 2025
@alexandear alexandear force-pushed the chore/dependabot-tools branch from c15b932 to c8ebf8c Compare July 22, 2025 12:31
@alexandear alexandear force-pushed the chore/dependabot-tools branch from c8ebf8c to 3ac32b6 Compare July 22, 2025 12:44
@alexandear alexandear marked this pull request as ready for review July 22, 2025 12:53
@alexandear alexandear requested a review from AkihiroSuda July 22, 2025 12:53
AkihiroSuda
AkihiroSuda approved these changes Jul 22, 2025
View reviewed changes
Copy link
Member

@AkihiroSuda AkihiroSuda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, let's see whether this works

@AkihiroSuda AkihiroSuda added this to the v2.0.0 milestone Jul 22, 2025
@jandubois jandubois merged commit 31fdaf3 into lima-vm:master Jul 22, 2025
62 of 63 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v2.0.0
Development

Successfully merging this pull request may close these issues.
3 participants
@alexandear @jandubois @AkihiroSuda