chore(ci): dependabot fixes (#11164)

* chore: exclude ancient +incompatible versions from go.mod

prevents Dependabot from failing when it tries to update
go-ipfs-cmds and go-libp2p directly and resolves to
pre-Go-modules v2.x/v6.x versions that reference deleted packages

* chore(deps): group opentelemetry, prometheus, and uber packages

reduces PR noise by batching related observability dependencies

* ci: add workflow to run make mod_tidy on Dependabot PRs

ensures all go.mod/go.sum files stay in sync when Dependabot
updates dependencies in the root module

supports manual dispatch with PR number for existing PRs
Marcin Rataj 2026-01-23 06:17:32 +01:00 committed by GitHub
parent 1128d81042
commit 6d253a6b80
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 80 additions and 0 deletions


@ -1,3 +1,4 @@
# Dependabot PRs are auto-tidied by .github/workflows/dependabot-tidy.yml
version: 2
updates:
- package-ecosystem: "github-actions"
@ -26,3 +27,14 @@ updates:
golang-x:
patterns:
- "golang.org/x/*"
opentelemetry:
patterns:
- "go.opentelemetry.io/*"
prometheus:
patterns:
- "github.com/prometheus/*"
- "contrib.go.opencensus.io/*"
- "go.opencensus.io"
uber:
patterns:
- "go.uber.org/*"

61
.github/workflows/dependabot-tidy.yml vendored Normal file

@ -0,0 +1,61 @@
# Dependabot only updates go.mod/go.sum in the root module, but this repo has
# multiple Go modules (see docs/examples/). This workflow runs `make mod_tidy`
# on Dependabot PRs to keep all go.sum files in sync, preventing go-check CI
# failures.
name: Dependabot Tidy
on:
pull_request_target:
types: [opened, synchronize]
workflow_dispatch:
inputs:
pr_number:
description: 'PR number to run mod_tidy on'
required: true
type: number
permissions:
contents: write
pull-requests: write
jobs:
tidy:
if: github.actor == 'dependabot[bot]' || github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
steps:
- name: Get PR info
id: pr
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
pr_number="${{ inputs.pr_number }}"
else
pr_number="${{ github.event.pull_request.number }}"
fi
echo "number=$pr_number" >> $GITHUB_OUTPUT
branch=$(gh pr view "$pr_number" --repo "${{ github.repository }}" --json headRefName -q '.headRefName')
echo "branch=$branch" >> $GITHUB_OUTPUT
- uses: actions/checkout@v4
with:
ref: ${{ steps.pr.outputs.branch }}
token: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Run make mod_tidy
run: make mod_tidy
- name: Check for changes
id: git-check
run: |
if [[ -n $(git status --porcelain) ]]; then
echo "modified=true" >> $GITHUB_OUTPUT
fi
- name: Commit changes
if: steps.git-check.outputs.modified == 'true'
run: |
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git add -A
git commit -m "chore: run make mod_tidy"
git push
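Review bot: The job-level guard `if: github.actor == 'dependabot[bot]' || …` is the only check between a `pull_request_target` run holding `contents: write` and the `make mod_tidy` / `git push` steps, and `github.actor` names whoever triggered the event, not the PR author or the repository the head branch lives in. Gate on `github.event.pull_request.user.login` and on `github.event.pull_request.head.repo.full_name == github.repository` instead, and have the `Get PR info` step refuse cross-repository PRs: the `workflow_dispatch` path accepts any PR number, and `actions/checkout` would resolve a fork PR's `headRefName` as a branch of this repository. Passing the PR number through `env` rather than `${{ }}` inside `run:` also keeps expression text out of the shell script. Separately, `actions/checkout@v4` and `actions/setup-go@v5` are tag references; in a workflow with a write token, pinning them to full commit SHAs is worth considering.

```yaml
# … unchanged: name, on, permissions …
jobs:
  tidy:
    if: >-
      github.event_name == 'workflow_dispatch' ||
      (github.event.pull_request.user.login == 'dependabot[bot]' &&
       github.event.pull_request.head.repo.full_name == github.repository)
    runs-on: ubuntu-latest
    steps:
      - name: Get PR info
        id: pr
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ inputs.pr_number || github.event.pull_request.number }}
        run: |
          cross=$(gh pr view "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --json isCrossRepository -q '.isCrossRepository')
          branch=$(gh pr view "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --json headRefName -q '.headRefName')
          # Only same-repo Dependabot branches may be checked out and pushed to.
          if [[ "$cross" != "false" || "$branch" != dependabot/* ]]; then
            echo "::error::refusing to tidy PR #$PR_NUMBER: head is not a same-repo dependabot/ branch"
            exit 1
          fi
          echo "number=$PR_NUMBER" >> "$GITHUB_OUTPUT"
          echo "branch=$branch" >> "$GITHUB_OUTPUT"
      # … unchanged: checkout, setup-go, make mod_tidy, change check, commit and push …
```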

7
go.mod

@ -271,3 +271,10 @@ require (
gopkg.in/yaml.v3 v3.0.1 // indirect
lukechampine.com/blake3 v1.4.1 // indirect
)
// Exclude ancient +incompatible versions that confuse Dependabot.
// These pre-Go-modules versions reference packages that no longer exist.
exclude (
github.com/ipfs/go-ipfs-cmds v2.0.1+incompatible
github.com/libp2p/go-libp2p v6.0.23+incompatible
)