Consider not validating all modules for go updates

[jeffwidman]

Migrated from our internal issue tracker since the affected code resides here in dependabot-core:

@mctofu:

In a go module update we make an extra call o go get -d:

dependabot-core/go_modules/lib/dependabot/go_modules/file_updater/go_mod_updater.rb

Lines 99 to 102 in b5833e4

	# Run `go get`'s internal validation checks against _each_ module in `go.mod`
	# by running `go get` w/o specifying any library. It finds problems like when a
	# module declares itself using a different name than specified in our `go.mod` etc.
	run_go_get

This is intended to fix up bad go.mod files but shouldn't have any affect on a healthy go.mod. In addition, Dependabot is not expected to put the go.mod into a bad state during an update.

The downside of making this extra call is that it results in extra time and network activity during the update job. For projects with large numbers of dependencies this can lead to slow updates or timeouts.

TODO: Find examples of why go get -d was originally added to validate there's no harm in removing this.

@jurre:

I think it was introduced when we added support for go mod tidy, or this commit: 6a48ffc, I hope that one of those tests covers this behavior (or possibly one of the others added in that PR), but it's been a while and I'm a little fuzzy on all the details.

@jeffwidman:

If we went this route, it may have an impact on the solution required for:

• PR's are getting opened that revert a bunch of deps #4536

[github-actions]

👋 This issue has been marked as stale because it has been open for 2 years with no activity. You can comment on the issue to hold stalebot off for a while, or do nothing. If you do nothing, this issue will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details.