From 1dd8c6b6a97cbcdc759d8ab8b2c3f66549a602aa Mon Sep 17 00:00:00 2001
From: Michael Dwan
Date: Tue, 28 Apr 2026 17:15:08 -0600
Subject: [PATCH 1/2] Replace Dependabot gomod with govulncheck and test-against-latest
Dependabot's Go dependency PRs are high-noise, low-signal -- most bumps are transitive deps with CVEs we don't even call, and every PR fights the merge queue over go.sum conflicts. Replace with two scheduled workflows: - govulncheck: symbol-level vuln scanning (daily + on push/PR) - go-latest-deps: test suite against latest deps (daily, informational) Go deps get updated on our schedule now, not each dependency's.
---
.github/dependabot.yml | 4 ---
.github/workflows/go-latest-deps.yaml | 35 +++++++++++++++++++++++++++
.github/workflows/govulncheck.yaml | 32 ++++++++++++++++++++++++
3 files changed, 67 insertions(+), 4 deletions(-)
create mode 100644 .github/workflows/go-latest-deps.yaml
create mode 100644 .github/workflows/govulncheck.yaml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 6056ed25cb..86074d69c6 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,9 +1,5 @@
 version: 2
 updates:
- - package-ecosystem: "gomod"
- directory: "/"
- schedule:
- interval: "weekly"
 - package-ecosystem: "pip"
 directory: "/"
 schedule:
diff --git a/.github/workflows/go-latest-deps.yaml b/.github/workflows/go-latest-deps.yaml
new file mode 100644
index 0000000000..905a541a82
--- /dev/null
+++ b/.github/workflows/go-latest-deps.yaml
@@ -0,0 +1,35 @@
+# Test Go code against the latest version of all dependencies.
+# Catches upstream breakage early without forcing dependency churn on every PR.
+# Runs daily — failures are informational, not gating.
+# See https://words.filippo.io/dependabot for rationale.
+name: Go latest deps
+
+on:
+ schedule:
+ # Daily at 10:22 UTC
+ - cron: "22 10 * * *"
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ test-latest-deps:
+ name: Test with latest deps
+ runs-on: ubuntu-latest
+ timeout-minutes: 30
+ env:
+ CGO_ENABLED: "1"
+ steps:
+ - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
+ - uses: actions/setup-go@v6
+ with:
+ go-version: stable
+ - name: Update all dependencies to latest
+ run: go get -u -t ./...
+ - name: Tidy
+ run: go mod tidy
+ - name: Run tests
+ run: go test -short -timeout 1200s -parallel 5 ./...
diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml
new file mode 100644
index 0000000000..5c2faaea82
--- /dev/null
+++ b/.github/workflows/govulncheck.yaml
@@ -0,0 +1,32 @@
+# Symbol-level Go vulnerability scanning.
+# Replaces Dependabot security alerts for Go — only fires when your code
+# actually calls a vulnerable symbol, not just when a transitive dep has a CVE.
+# See https://words.filippo.io/dependabot for rationale.
+name: govulncheck
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ schedule:
+ # Daily at 10:22 UTC
+ - cron: "22 10 * * *"
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ govulncheck:
+ name: govulncheck
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ steps:
+ - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
+ - uses: actions/setup-go@v6
+ with:
+ go-version-file: go.mod
+ - name: Run govulncheck
+ run: go run golang.org/x/vuln/cmd/govulncheck@latest ./...
From 6147c18d9d20126a51ff24814c6f323097d34ade Mon Sep 17 00:00:00 2001
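Review bot: The `uses:` lines of the new go-latest-deps workflow pin `actions/checkout` and `actions/setup-go` to the floating `@v6` tag, which is the weakest link in a job whose whole purpose is to fetch and execute the newest version of every dependency, including test-only ones via `go get -u -t ./...`. The job already limits blast radius with `permissions: contents: read` and `persist-credentials: false`, so pinning the actions to full commit SHAs with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v6`, would close the remaining supply-chain gap. Separately, the header comment says failures are informational, but nothing in the job routes a failure anywhere; as far as I know GitHub only notifies the user who last touched the scheduled workflow, so a persistent upstream break may go unseen, and the comment should name who is expected to watch this run.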
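Review bot: `go run golang.org/x/vuln/cmd/govulncheck@latest ./...` resolves and executes whatever version of the scanner is newest at each run, so the tool performing the security check is itself unpinned and results can change between runs for reasons unrelated to the repository; pin it to an explicit version, e.g. `go run golang.org/x/vuln/cmd/govulncheck@<pinned-version> ./...`, and bump it deliberately (the same tag-pinning caveat applies to the `@v6` action refs here). In source mode govulncheck skips `_test.go` files unless `-test` is passed, so vulnerabilities reachable only from test dependencies are not reported by this invocation — acceptable if intended, but worth a comment on the step. Also, any finding with no upstream fix keeps this job red until it is fixed, which hides a new finding behind the existing one; the workflow has no way to acknowledge known results, so the header comment should say how persistent findings are to be triaged.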
From: Michael Dwan
Date: Wed, 29 Apr 2026 11:58:17 -0600
Subject: [PATCH 2/2] Make govulncheck schedule-only, don't gate PRs
No upstream fix exists for the docker/docker vulns it found, so gating PRs just blocks the merge queue over something we can't act on. Daily scheduled run is the right cadence -- matches the article's intent.
---
.github/workflows/govulncheck.yaml | 3 ---
1 file changed, 3 deletions(-)
diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml
index 5c2faaea82..b634408add 100644
--- a/.github/workflows/govulncheck.yaml
+++ b/.github/workflows/govulncheck.yaml
@@ -5,9 +5,6 @@
 name: govulncheck
 
 on:
- push:
- branches: [main]
- pull_request:
 schedule:
 # Daily at 10:22 UTC
 - cron: "22 10 * * *"