chore(ci): dependabot fixes (#11164)

* chore: exclude ancient +incompatible versions from go.mod prevents Dependabot from failing when it tries to update go-ipfs-cmds and go-libp2p directly and resolves to pre-Go-modules v2.x/v6.x versions that reference deleted packages * chore(deps): group opentelemetry, prometheus, and uber packages reduces PR noise by batching related observability dependencies * ci: add workflow to run make mod_tidy on Dependabot PRs ensures all go.mod/go.sum files stay in sync when Dependabot updates dependencies in the root module supports manual dispatch with PR number for existing PRs
2026-02-21 10:27:46 +08:00 · 2026-01-23 06:17:32 +01:00 · 2026-01-23 06:17:32 +01:00 · 6d253a6b80
commit 6d253a6b80
parent 1128d81042
3 changed files with 80 additions and 0 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -1,3 +1,4 @@
+# Dependabot PRs are auto-tidied by .github/workflows/dependabot-tidy.yml
 version: 2
 updates:
  - package-ecosystem: "github-actions"
@ -26,3 +27,14 @@ updates:
      golang-x:
        patterns:
          - "golang.org/x/*"
+      opentelemetry:
+        patterns:
+          - "go.opentelemetry.io/*"
+      prometheus:
+        patterns:
+          - "github.com/prometheus/*"
+          - "contrib.go.opencensus.io/*"
+          - "go.opencensus.io"
+      uber:
+        patterns:
+          - "go.uber.org/*"
--- a/.github/workflows/dependabot-tidy.yml
+++ b/.github/workflows/dependabot-tidy.yml
@ -0,0 +1,61 @@
+# Dependabot only updates go.mod/go.sum in the root module, but this repo has
+# multiple Go modules (see docs/examples/). This workflow runs `make mod_tidy`
+# on Dependabot PRs to keep all go.sum files in sync, preventing go-check CI
+# failures.
+name: Dependabot Tidy
+
+on:
+  pull_request_target:
+    types: [opened, synchronize]
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: 'PR number to run mod_tidy on'
+        required: true
+        type: number
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  tidy:
+    if: github.actor == 'dependabot[bot]' || github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get PR info
+        id: pr
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            pr_number="${{ inputs.pr_number }}"
+          else
+            pr_number="${{ github.event.pull_request.number }}"
+          fi
+          echo "number=$pr_number" >> $GITHUB_OUTPUT
+          branch=$(gh pr view "$pr_number" --repo "${{ github.repository }}" --json headRefName -q '.headRefName')
+          echo "branch=$branch" >> $GITHUB_OUTPUT
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.pr.outputs.branch }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - name: Run make mod_tidy
+        run: make mod_tidy
+      - name: Check for changes
+        id: git-check
+        run: |
+          if [[ -n $(git status --porcelain) ]]; then
+            echo "modified=true" >> $GITHUB_OUTPUT
+          fi
+      - name: Commit changes
+        if: steps.git-check.outputs.modified == 'true'
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add -A
+          git commit -m "chore: run make mod_tidy"
+          git push
--- a/go.mod
+++ b/go.mod
@ -271,3 +271,10 @@ require (
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.4.1 // indirect
 )
+
+// Exclude ancient +incompatible versions that confuse Dependabot.
+// These pre-Go-modules versions reference packages that no longer exist.
+exclude (
+	github.com/ipfs/go-ipfs-cmds v2.0.1+incompatible
+	github.com/libp2p/go-libp2p v6.0.23+incompatible
+)