Skip to content

Add Dependabot Tidy workflow for managing Go module dependencies#2810

Merged
rawahars merged 3 commits into
mainfrom
fix-dependabot-tidy
Jul 8, 2026
Merged

Add Dependabot Tidy workflow for managing Go module dependencies#2810
rawahars merged 3 commits into
mainfrom
fix-dependabot-tidy

Conversation

@rawahars

@rawahars rawahars commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

This pull request introduces a new GitHub Actions workflow to automatically tidy and vendor Go modules for both the root and /test modules when Dependabot opens a pull request. This ensures that module dependencies remain consistent and up-to-date, especially since /test inherits dependencies from the root, which can otherwise become stale after root bumps.

Automation for dependency management:

  • Added .github/workflows/dependabot-tidy.yml to automatically run go mod tidy and go mod vendor on both the root and /test modules when Dependabot opens a PR, and pushes any resulting changes back to the PR branch.
  • Ensures that /test module dependencies and vendoring stay in sync with the root after dependency updates, preventing stale or inconsistent dependency files.

Signed-off-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@rawahars rawahars requested a review from a team as a code owner July 6, 2026 17:23
@rawahars rawahars requested a review from Copilot July 6, 2026 17:28

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a GitHub Actions workflow intended to keep Go module files consistent by automatically running module maintenance commands on Dependabot PRs and pushing any resulting go.mod/go.sum/vendor updates back to the PR branch.

Changes:

  • Added a new Dependabot Tidy workflow that runs on Dependabot-authored PRs.
  • Runs go mod tidy (root + /test) and go mod vendor (root) and auto-commits/pushes resulting changes back to the PR branch.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/dependabot-tidy.yml Outdated
Comment thread .github/workflows/dependabot-tidy.yml Outdated
Comment thread .github/workflows/dependabot-tidy.yml Outdated
exit 0
fi
git config user.name 'dependabot[bot]'
git config user.email '49699333+dependabot[bot]@users.noreply.github.com'

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it feels weird to impersonate dependabot (or take a dependency on its bot id/email remaining the same)

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That sounds good! I made the change to attribute the commit to github actions bot instead.

dependabot Bot and others added 2 commits July 8, 2026 23:49
…rkflow

Address review feedback: the header comment and step name implied the test module is vendored, but only the root module has a vendor/ directory. Reword the comment and rename the step to accurately reflect that both modules are tidied while only the root is vendored.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The commit is created by the workflow (a GitHub Action), so attribute it to the github-actions[bot] identity rather than hardcoding Dependabot's. This removes the coupling to Dependabot's account ID while keeping proper, real-account attribution; DCO still passes since author == sign-off.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@rawahars rawahars merged commit 5a6f425 into main Jul 8, 2026
31 checks passed
@rawahars rawahars deleted the fix-dependabot-tidy branch July 8, 2026 19:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants