chore(ci): add go.mod/dependabot consistency check #19284
Merged
Add a new check in the style workflow to ensure all go.mod files have corresponding dependabot configurations and no orphaned configurations exist.

The check validates that:
- All go.mod files in the repository have a gomod update entry in dependabot.yaml
- No dependabot gomod configurations reference non-existent go.mod files

Fixed current inconsistencies:
- Removed orphaned configs: /tools/retest/, /scanner/tools/
- Added missing configs: /scanner/hack/quay, /tests/performance/scale, /tools/check-workflow-run

Partially generated with AI assistance.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Skipping CI for Draft Pull Request.
Hey - I've left some high level feedback:
- The nested loops used to detect missing and orphaned directories are O(n²); consider using `comm`/`join` on the sorted `gomod_dirs` and `dependabot_dirs` arrays to simplify the logic and make the script more efficient and easier to read.
- It may be helpful to fail fast with a clear message if prerequisites like `.github/dependabot.yaml` or `yq` are missing, rather than relying on less obvious downstream errors.
…ness Improvements:
- Replace O(n²) nested loops with comm for O(n log n) performance
- Add prerequisite checks for .github/dependabot.yaml and yq
- Use temporary files and comm to simplify diff logic
- Add proper cleanup with trap for temporary files

The script now fails fast with clear messages if prerequisites are missing, and uses more efficient set operations for comparing directories.

Partially generated with AI assistance.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Images are ready for the commit at df2a372. To use with deploy scripts, first
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## master #19284 +/- ##
==========================================
- Coverage 49.61% 49.61% -0.01%
==========================================
Files 2680 2680
Lines 202195 202195
==========================================
- Hits 100327 100325 -2
- Misses 94390 94392 +2
Partials 7478 7478
Flags with carried forward coverage won't be shown.
@sourcery-ai review

/retest
janisz approved these changes Mar 5, 2026

ksurabhi91 pushed a commit that referenced this pull request Mar 12, 2026
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Description
Problem: go.mod files can be added or removed without updating dependabot.yaml, leading to missing dependency updates or stale configuration entries.
Example:
This PR adds a new check in the style workflow to ensure all go.mod files have corresponding dependabot configurations and that there are no orphaned configurations.
As it turns out, there were more cases which need fixing:
User-facing documentation
Testing and quality
Automated testing
The check script itself validates the consistency. No additional automated tests needed as the script runs in CI.
How I validated my change
🤖 Generated with AI assistance
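
The check discussed in this PR, as an added example that is not the PR's script: go.mod directories and dependabot gomod entries are reduced to two sorted lists and compared with `comm`, so a module that would silently receive no dependency updates shows up as `missing`. Assumptions: `awk` stands in for `yq` to keep the example dependency-free, each `updates` entry lists `package-ecosystem` before `directory`, and the sample tree is constructed.

```shell
# Added example, not the PR's script. Assumptions: awk stands in for yq, and
# every "updates" entry lists package-ecosystem before directory.
# Directories holding a go.mod, in dependabot form: "/" or "/a/b".
gomod_dirs() {
    (cd "$1" && find . -name go.mod ! -path './.git/*') |
        sed -e 's|^\.||' -e 's|/go\.mod$||' -e 's|^$|/|' | LC_ALL=C sort -u
}
# "directory" values of gomod entries, trailing slash stripped.
dependabot_dirs() {
    awk '/package-ecosystem:/ { eco = $NF; gsub(/["\047]/, "", eco) }
         /^[ -]*directory:/ && eco == "gomod" {
             d = $NF; gsub(/["\047]/, "", d)
             if (d != "/") sub(/\/$/, "", d); print d
         }' "$1" | LC_ALL=C sort -u
}

# Prints "missing <dir>" / "orphaned <dir>"; status 0 clean, 1 drift, 2 setup.
# Subshell body, so the EXIT trap removes the temp dir on every path.
check_consistency() (
    config="$1/.github/dependabot.yaml"
    [ -f "$config" ] || { echo "ERROR: $config not found" >&2; exit 2; }
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT
    gomod_dirs "$1" > "$tmp/gomod"
    dependabot_dirs "$config" > "$tmp/dependabot"
    # comm needs sorted input: -23 keeps lines only in file 1, -13 only in file 2.
    LC_ALL=C comm -23 "$tmp/gomod" "$tmp/dependabot" | sed 's|^|missing |' > "$tmp/report"
    LC_ALL=C comm -13 "$tmp/gomod" "$tmp/dependabot" | sed 's|^|orphaned |' >> "$tmp/report"
    cat "$tmp/report"
    [ ! -s "$tmp/report" ]
)

# Constructed sample tree; the directory names are made up.
make_sample_repo() {
    mkdir -p "$1/.github" "$1/tools/linter" "$1/tools/newtool"
    touch "$1/go.mod" "$1/tools/linter/go.mod" "$1/tools/newtool/go.mod"
    cat > "$1/.github/dependabot.yaml" <<'EOF'
version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"
  - package-ecosystem: "gomod"
    directory: "/tools/linter/"
  - package-ecosystem: "gomod"
    directory: "/tools/retired"
  - package-ecosystem: "npm"
    directory: "/ui"
EOF
}
```

In a CI step, calling `check_consistency` on the repository root and failing the job on a non-zero status gives the fail-fast behaviour the review asked for.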