go.mod: Support updating non-release git dependencies #2028

Open
alex opened this issue Feb 14, 2020 · 9 comments
Labels
L: go:modules Golang modules T: feature-request Requests for new features


@alex

alex commented Feb 14, 2020

Empirically, dependabot only seems to send PRs to update dependencies that have tags in git. I've also got a bunch of dependencies that point at git repos, and I'd like PRs updating them as well! In other languages, git based dependencies appear to get updated.

@infin8x infin8x transferred this issue from dependabot/feedback Jun 29, 2020
@jurre jurre added L: go:modules Golang modules T: feature-request Requests for new features labels Feb 25, 2021
@jurre
Member

jurre commented Feb 25, 2021

Just to clarify, are you referring to updating libraries that aren't go-modules compatible yet?

@alex
Author

alex commented Feb 25, 2021

No, I'm referring to dependencies that are go-modules, but which don't have tags, so you're pinned to specific commits. https://github.com/araddon/dateparse is an example of such a dependency.

@jurre
Member

jurre commented Feb 25, 2021

Ah I see, thanks for clarifying! Yeah it'd be good to support that, but I don't think that we'll be able to get to this soon tbh.

Note for future self: Might be enough to patch

func GetUpdatedVersion(args *Args) (interface{}, error) {
to find the right commit to point to? Might not make sense to do that in the native helper, and instead we can special-case it and reuse https://github.com/dependabot/dependabot-core/blob/ce711fc43dd8c5ed3e978366780498ee5d1f1bc4/common/lib/dependabot/git_commit_checker.rb?

@FelisiaM

FelisiaM commented Apr 13, 2021

Is there any update as to if/when this might be available?

I have a similar scenario and it would be really useful to have Dependabot create the PRs.

@jeffwidman
Member

Some more code notes:
The underlying code to find the latest version now uses go list:

versions_json = SharedHelpers.run_shell_command("go list -m -versions -json #{dependency.name}", env: env)

Will need to see if that can be tweaked/augmented to support finding commits. We could probably use something like go install some_module@latest, but that might be too slow...

@abdulapopoola abdulapopoola added the F: private-registries 💂‍♂️ Issues about using private registries with Dependabot; may be paired with an R: label. label Mar 31, 2023
@pierrre

pierrre commented Apr 26, 2023

#3017 (comment)
Is this supported now?
Is there something to add in my config?
I'm trying to update golang.org/x/exp automatically, but it's not working (this repo doesn't use tags).
Other Go modules are updated automatically if they have tags.

@jeffwidman jeffwidman removed the F: private-registries 💂‍♂️ Issues about using private registries with Dependabot; may be paired with an R: label. label Apr 26, 2023
@ChrisHines

We would like to track pseudo-versions for an internal project that doesn't tag our own code, just as mentioned here: #3017 (comment).

I've found that adding the -u flag to the go list command will provide the newest pseudo-version for modules that don't use tags, in the same way that go get module@latest would:

go list -m -u -versions -json #{dependency.name}

For the golang.org/x/exp module mentioned in the above comment it currently produces for me:

$ go list -m -u -versions -json golang.org/x/exp
{
        "Path": "golang.org/x/exp",
        "Version": "v0.0.0-20230522175609-2e198f4a06a1",
        "Time": "2023-05-22T17:56:09Z",
        "Update": {
                "Path": "golang.org/x/exp",
                "Version": "v0.0.0-20230817173708-d852ddb80c63",
                "Time": "2023-08-17T17:37:08Z"
        },
        "Indirect": true,
        "Dir": "/go/pkg/mod/golang.org/x/exp@v0.0.0-20230522175609-2e198f4a06a1",
        "GoMod": "/go/pkg/mod/cache/download/golang.org/x/exp/@v/v0.0.0-20230522175609-2e198f4a06a1.mod",
        "GoVersion": "1.20"
}

The command dependabot currently uses will only show the current version for a module like this.

$ go list -m -versions -json golang.org/x/exp
{
        "Path": "golang.org/x/exp",
        "Version": "v0.0.0-20230522175609-2e198f4a06a1",
        "Time": "2023-05-22T17:56:09Z",
        "Indirect": true,
        "Dir": "/go/pkg/mod/golang.org/x/exp@v0.0.0-20230522175609-2e198f4a06a1",
        "GoMod": "/go/pkg/mod/cache/download/golang.org/x/exp/@v/v0.0.0-20230522175609-2e198f4a06a1.mod",
        "GoVersion": "1.20"
}

For modules that do use tags, adding the -u flag to the command includes all the same information as before, but adds the Update field to the results.

$ go list -m -u -versions -json github.com/json-iterator/go
{
        "Path": "github.com/json-iterator/go",
        "Version": "v1.1.8",
        "Versions": [
                "v1.1.5",
                "v1.1.6",
                "v1.1.7",
                "v1.1.8",
                "v1.1.9",
                "v1.1.10",
                "v1.1.11",
                "v1.1.12"
        ],
        "Time": "2019-10-12T13:07:04Z",
        "Update": {
                "Path": "github.com/json-iterator/go",
                "Version": "v1.1.12",
                "Time": "2021-09-11T02:17:26Z"
        },
        "Indirect": true
}

I don't know the internals of dependabot and I don't know Ruby well enough to make a code contribution here, but I am hopeful that the above information could guide one of the maintainers toward satisfying this feature request. @jeffwidman Are you still involved enough to help out here?
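
How an updater could consume the output shown in the comment above, as an added example that is not part of the thread and not dependabot's own code: it reads the `Update` field, tells a pseudo-version from a tag, and cross-checks the pseudo-version's embedded timestamp against `Time`. The function name `update_candidate` and the trimmed JSON samples are constructed for illustration.

```ruby
require "json"
require "time"

# Pseudo-version shapes documented for Go modules, e.g. v0.0.0-yyyymmddhhmmss-abcdefabcdef.
# Group 1 is the UTC commit timestamp, group 2 the revision prefix.
PSEUDO_VERSION = /\Av\d+\.(?:0\.0-|\d+\.\d+-(?:[^+]*\.)?0\.)(\d{14})-([A-Za-z0-9]+)(?:\+[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*)?\z/

# Constructed samples, trimmed from the `go list` output quoted in the comment above.
UNTAGGED_WITH_U = <<~JSON
  {"Path": "golang.org/x/exp",
   "Version": "v0.0.0-20230522175609-2e198f4a06a1",
   "Update": {"Path": "golang.org/x/exp",
              "Version": "v0.0.0-20230817173708-d852ddb80c63",
              "Time": "2023-08-17T17:37:08Z"}}
JSON
UNTAGGED_WITHOUT_U = <<~JSON
  {"Path": "golang.org/x/exp", "Version": "v0.0.0-20230522175609-2e198f4a06a1"}
JSON
TAGGED_WITH_U = <<~JSON
  {"Path": "github.com/json-iterator/go", "Version": "v1.1.8",
   "Versions": ["v1.1.5", "v1.1.8", "v1.1.12"],
   "Update": {"Path": "github.com/json-iterator/go", "Version": "v1.1.12",
              "Time": "2021-09-11T02:17:26Z"}}
JSON

# Returns nil when the output has no Update field (nothing newer, or -u was not passed).
def update_candidate(go_list_json)
  mod = JSON.parse(go_list_json)
  update = mod["Update"]
  return nil if update.nil?

  result = { path: mod["Path"], current: mod["Version"], latest: update["Version"] }
  match = PSEUDO_VERSION.match(update["Version"])
  return result.merge(kind: :tagged) unless match

  # A pseudo-version embeds the commit's UTC timestamp; refuse a record whose
  # Time field disagrees with it rather than proposing that update.
  stamp = Time.parse(update["Time"]).utc.strftime("%Y%m%d%H%M%S")
  raise ArgumentError, "timestamp mismatch for #{mod['Path']}" unless stamp == match[1]

  result.merge(kind: :pseudo, commit: match[2])
end

if __FILE__ == $PROGRAM_NAME
  [UNTAGGED_WITH_U, UNTAGGED_WITHOUT_U, TAGGED_WITH_U].each { |doc| p update_candidate(doc) }
end
```
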

@kostyay

kostyay commented Dec 12, 2023

Are there any updates on this issue?
Without supporting pseudo versions dependabot is useless to us.

@arununzer

Are there any updates on this, as dependabot is unable to update the action-runner version to v2.318.0-ubuntu-22.04 from v2.317.0-ubuntu-22.04?
