fix(manager/gomod): perfer to use go version defined as toolchain to update artifacts #34564
Conversation
trim21
changed the title
trim21
changed the title
trim21
changed the title
|
So I think in that case we do not parse GoConstraints but use updated toolchain version from |
|
Yes first check would be if Go is being updated in updatedDeps. There could also be some weird things like go mod directive updated but go toolchsin not. |
|
Is it possible to update go.mod first then get constraints? this should avoid this problem naturally |
|
By default renovate doesn't bump the go.mod directive. This was the recommendation/request of the golang team. So 99% of the time it's probably only the tool chain getting bumped, or none. I agree with you that we shouldn't "accidentally" bump the tool chain by running a latest go |
|
I think we simply need to use new file content to extract this information instead of reading old file from disk here. |
Yes, this is what I suggest |
I don't mean go directive, I mean we update go.mod first then parse toolchain directive from go.mod ( like this PR already did). In that case if we need to update I don't know if it's possible. |
|
it should be something like this? const goConstraints =
config.constraints?.go ?? getGoConstraints(massagedGoMod); |
|
Yes. Any updates to go.mod would have been written out already |
… into fix/go/prefer-toolchain-version
Co-authored-by: Rhys Arkins <[email protected]>
I don't know, that's what I'm asking since #34564 (comment) If you also don't know it for sure, I'd suggest we go back again using |
|
Interested in this feature. |
In my understanding after this change only updateType=toolchain will change toolchain directive, package only change will not change it anymore |
|
There is acually a corner case, when a go.mod has |
|
After this PR, based on go.mod novatebot will behave like this: For go.mod: go 1.22
toolchain go1.23.5renovate now pick go1.23.5, and go won't change toolchain directive. For go.mod: go 1.23.5renovate now pick go1.23.5, and go won't add toolchain directive. This PR currently fix these 2 cases. And a remaining case is this: For go.mod, without toolchain directive go 1.23renovate now pick latest version of go 1 (go1.24.1 at the time of writing), and go will add toolchain directive And to make go to not add toolchain directive, we will need to run go get with |
|
I see, seemingly there is a typo in your observations. Lets clarify: For go.mod: go 1.23.5renovate now pick That will satisfy my ask to pin the toolchain at a specific version. In this case its implicitly specified by the go directive. @trim21 I had observed that if renovate makes upgrades because of known CVEs in dependencies, it would ignore the go directive at all, and even upgrade. e.g. go1.22.0 to go1.22.13 and toolchain to go1.24.1 with this config: Might be unrelated to this PR, just giving a heads-up. |
thanks, it's indeed a typo |
I don't know how go pick toolchain in this case... |
| datasource.getPkgReleases.mockResolvedValueOnce({ | ||
| releases: [ | ||
| { version: '1.17.0' }, | ||
| { version: '1.23.6' }, | ||
| { version: '1.24.0' }, | ||
| ], | ||
| }); |
There was a problem hiding this comment.
drop it and add a should not be called expect after update artifacts
| datasource.getPkgReleases.mockResolvedValueOnce({ | |
| releases: [ | |
| { version: '1.17.0' }, | |
| { version: '1.23.6' }, | |
| { version: '1.24.0' }, | |
| ], | |
| }); |
| datasource.getPkgReleases.mockResolvedValueOnce({ | ||
| releases: [ | ||
| { version: '1.17.0' }, | ||
| { version: '1.23.5' }, | ||
| { version: '1.23.6' }, | ||
| { version: '1.24.0' }, | ||
| ], | ||
| }); |
Changes
prefer use version from toolchain directive instead of go diective in go.mod, this will avoid change current toolchain directive.
Context
As explained in #34563, when running
go get ./..., go will update toolchain directive in go.mod, which is adepType=toolchainchange instead of expecteddepType=requirechange.And there are 2 ways to avoid change of toolchain directive.
I don't think old version of go support
go get ./... toolchain@${current toolchain}(just like we still didn't remove-dflag here), so it would be more backward compatible to just use version of current toolchain to avoid this.If go.mod doesn't have such directive, we still use version frmo go directive.
Documentation (please check one with an [x])
How I've tested my work (please select one)
I have verified these changes via: