feat: Add Go vendor directory support

WHAT:
- Detect vendor/modules.txt to identify projects using vendoring
- Automatically run 'go mod vendor' after 'go mod tidy' when vendor exists
- This keeps vendor/ directory in sync with go.mod/go.sum after dependency updates

WHY:
- Renovate and Dependabot both support vendor directories
- When dependencies are updated, vendor/ needs to be regenerated
- Following industry best practices from Renovate's postUpdateOptions

HOW IT WORKS:
1. After running 'go get package@version'
2. Run 'go mod tidy' (already existed)
3. NEW: Check for vendor/modules.txt
4. NEW: If found, run 'go mod vendor' to update vendor/ directory

TESTING:
- Test repo: frogbot-test-multi-go (has vendor/ in both projects)
- Expected: After fix, vendor/ directory should be updated in PR

REFERENCES:
- Renovate: config.postUpdateOptions includes 'gomodTidy'
- Dependabot: Automatically detects and updates vendor directories
- Analysis: dependency-update-tools-analysis-mermaid.md

Author: eyalk007

packagehandlers/gopackagehandler.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"strings"
 
 	"github.com/jfrog/frogbot/v2/utils"
@@ -66,6 +67,7 @@ func (gpu *GoPackageUpdater) updateDependency(vulnDetails *utils.VulnerabilityDe
 }
 
 func (gpu *GoPackageUpdater) tidyLockfiles(env []string) error {
+	// Run go mod tidy to clean up go.mod and go.sum
 	cmd := exec.Command("go", "mod", "tidy")
 	cmd.Env = env
 	log.Debug("Running 'go mod tidy'")
@@ -79,5 +81,44 @@ func (gpu *GoPackageUpdater) tidyLockfiles(env []string) error {
 	if err != nil {
 		return fmt.Errorf("go mod tidy failed: %s\n%s", err.Error(), output)
 	}
+
+	// If vendor directory exists, update it (like Renovate/Dependabot)
+	if gpu.hasVendorDirectory() {
+		if err := gpu.updateVendor(env); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// hasVendorDirectory checks if vendor/modules.txt exists
+// This is the standard way to detect if a Go project uses vendoring
+func (gpu *GoPackageUpdater) hasVendorDirectory() bool {
+	vendorModulesPath := filepath.Join("vendor", "modules.txt")
+	if _, err := os.Stat(vendorModulesPath); err == nil {
+		log.Debug(fmt.Sprintf("Detected vendor directory at: %s", vendorModulesPath))
+		return true
+	}
+	return false
+}
+
+// updateVendor runs 'go mod vendor' to update the vendor directory
+func (gpu *GoPackageUpdater) updateVendor(env []string) error {
+	vendorCmd := exec.Command("go", "mod", "vendor")
+	vendorCmd.Env = env
+	log.Debug("Running 'go mod vendor' to update vendored dependencies")
+
+	//#nosec G204 -- False positive - the subprocess only runs after the user's approval.
+	vendorOutput, err := vendorCmd.CombinedOutput()
+	if len(vendorOutput) > 0 {
+		log.Debug(fmt.Sprintf("go mod vendor output:\n%s", string(vendorOutput)))
+	}
+
+	if err != nil {
+		return fmt.Errorf("go mod vendor failed: %s\n%s", err.Error(), vendorOutput)
+	}
+
+	log.Debug("Successfully updated vendor directory")
 	return nil
 }