Replace Dependabot gomod with govulncheck and test-against-latest#2976
michaeldwan wants to merge 2 commits into main
Conversation
I'm Bonk, and I've done a quick review of your PR.

Summary: Replaces Dependabot Go updates with symbol-level vulnerability scanning (govulncheck) and daily tests against latest dependencies.

Issue: In

This matches the pattern in

LGTM
Dependabot's Go dependency PRs are high-noise, low-signal -- most bumps are transitive deps with CVEs we don't even call, and every PR fights the merge queue over go.sum conflicts. Replace with two scheduled workflows:

- govulncheck: symbol-level vuln scanning (daily + on push/PR)
- go-latest-deps: test suite against latest deps (daily, informational)

Go deps get updated on our schedule now, not each dependency's.
No upstream fix exists for the docker/docker vulns it found, so gating PRs just blocks the merge queue over something we can't act on. Daily scheduled run is the right cadence -- matches the article's intent.
c6d0242 to 6147c18
Dependabot's Go dependency PRs are high-noise, low-signal. Most bumps are transitive deps with CVEs we don't even call, and every PR fights the merge queue over go.sum conflicts. See https://words.filippo.io/dependabot for the argument.
Two new scheduled workflows replace it:
- `go get -u -t ./...`. Catches upstream breakage early without forcing us to merge anything. Failures don't gate PRs.

Go deps get updated on our schedule now, not each dependency's. The pip, cargo, and github-actions Dependabot entries are untouched.
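For reference, here is what the two scheduled workflows described in the commit message and PR description could look like as GitHub Actions YAML. This is an added illustration, not the PR's own workflow files (which are not shown on this page). The file names, cron times, action versions, and the choice to trigger govulncheck only on schedule and manual dispatch (following the thread's point that gating PRs on unfixable findings blocks the merge queue) are all assumptions.

```yaml
# .github/workflows/govulncheck.yml   (assumed file name)
name: govulncheck

on:
  schedule:
    - cron: '17 6 * * *'   # daily; the time is an arbitrary choice
  workflow_dispatch:

permissions:
  contents: read           # read-only token: the job only scans, never writes

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
      # Symbol-level analysis: only vulnerabilities in functions reachable from
      # this module's code are reported, which is the signal the PR wants.
      # govulncheck exits non-zero when such a reachable vulnerability exists.
      - name: Scan
        run: govulncheck ./...

---
# .github/workflows/go-latest-deps.yml   (assumed file name)
name: go-latest-deps

on:
  schedule:
    - cron: '47 6 * * *'   # daily; the time is an arbitrary choice
  workflow_dispatch:

permissions:
  contents: read

jobs:
  test-latest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      # Upgrade every direct and indirect dependency (including test deps) to
      # its latest minor/patch release inside the checkout only. Nothing is
      # committed or pushed, so go.mod/go.sum on main are untouched; the
      # diff is printed purely so the log shows what was tested.
      - name: Upgrade to latest dependencies
        run: |
          go get -u -t ./...
          go mod tidy
          git --no-pager diff --stat go.mod go.sum
      - name: Build and test against latest
        run: |
          go build ./...
          go test ./...
```

Because both workflows run on a schedule rather than on `pull_request`, and neither is listed as a required status check, a failing run is visible in the Actions tab but never holds up the merge queue. `go get -u` only moves within the current major version (a new major is a different module path in Go), so this catches minor/patch breakage and newly published fixes, not v2 migrations.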