Allow configuration of GOPRIVATE #4568
Conversation
It only parses the local go.mod and doesn't reach out over the network.
Possibility of this error occurring was removed in 18d48b4
|
How will we determine what value to pass in? I'm wondering if we could instead ask the dependency being updated if it's private somehow, by implementing a I'm not sure if there's a way to determine which dependency is private in the file parsing step though |
I was planning to determine this based on the repo being updated. If it's a public repo it shouldn't have any private dependencies so we don't need to set GOPRIVATE. It's a private repo we can set it with that knowledge plus any known settings for Dependabot private repo & private registry access. Checking per dependency would be more time consuming. The go tooling will need to resolve all of them during an update so we'd need to look them all up. I'm also not sure of a good way to tell if a particular dependency is public or private. For a github hosted dependency we might have to reach out to the API to tell if it's public or private. |
Not entirely sure if that's always true, unless it's something that's enforced by go modules that I don't know about? But I agree it is a good assumption to start with 👍 |
It's not enforced by go modules but in terms of Dependabot being able to successfully make updates to the repo it needs to be true. If a public repo did use private dependencies it would need to configure private registry support for Dependabot to work and we could adjust |
bin/dry-run.rb
Outdated
| if o.include?("=") | ||
| o.split("=", 2).map.with_index do |v, i| | ||
| if i == 0 | ||
| v.strip.downcase.to_sym |
There was a problem hiding this comment.
I'm able to reason about this given the context I'm currently working with (reviewing a PR with a description in front of me), but I wonder what the experience will be like for future me.
Is there a way we could provide more context inline (e.g. o.include?("goprivate="))? Or, if this is more generic and meant for parsing several arguments, could we extract this logic into a named method? I'd be hesitant to add yet more methods to this script, but I think the trade-off would be worth it. What do you think?
There was a problem hiding this comment.
Added some code comments to describe what each case is expected to handle. This is meant to be generic as each package manager can have its own set of supported options although goprivate is the first to allow setting both the key and value.
I'm holding off on introducing any new methods for now since they'd live pretty far away from this code. We could revisit this if there's an opportunity for reusing the code to handle other args.
| @@ -14,6 +14,7 @@ def initialize(dependencies:, dependency_files:, repo_contents_path: nil, | |||
| credentials:, options: {}) | |||
| super | |||
|
|
|||
| @goprivate = options.fetch(:goprivate, "*") | |||
There was a problem hiding this comment.
This PR's description states
Previously we've defaulted to setting GOPRIVATE=* to prevent failures if private go modules are validated against the public sumdb. That works but incurs a performance penalty when public go modules are updated.
As I understand this line, it seems that we're still defaulting to *. Is that what we want?
I can certainly see the case for continuing to do so. At the very least, we're not breaking functionality for users, which seems desirable now. Will we change this default in the future?
There was a problem hiding this comment.
Yes, I could have stated that better. Previously we hardcoded GOPRIVATE=* everywhere and now we are providing an option for dependabot-core integrators to use a different value. We'll (GitHub) start setting this to more performant values based on the repo being updated in the near future but in the meantime we still need to preserve the GOPRIVATE=* behavior.
|
When can this change be expected to land in the Github dependabot? |
|
It's been live for about a month now, is something not working for you? |
|
I'm probably misunderstanding something. I can't find it in the configuration options docs. Looking at this PR, I tried to decipher where to put it, and my version: 2
updates:
- package-ecosystem: gomod
goprivate: "*"
directory: "/"
schedule:
interval: daily
time: "08:00"But then dependabot say; |
|
👋 Hi @noseglid You shouldn't need to do anything to take advantage of this feature on your Go repos on GitHub 😄 As @jurre said, GitHub's Dependabot service (one of the aforementioned integrators) has been using this for a month now. Please do let us know if you see any issues related to this feature 🙇 |
Previously we've hardcoded setting
GOPRIVATE=*to prevent failures if private go modules are validated against the public sumdb. That works but incurs a performance penalty when public go modules are updated. This change allows a customGOPRIVATEto be specified. This could be leveraged in the future to:GOPRIVATE=when checking updates for a public repoGOPRIVATE=github.com/owner/*when checking updates for a private repoGOPRIVATEwhen private registries are definedThose changes would allow updates to perform more efficiently (less time and less disk usage).
In the first 2 commits I made some minor cleanup to the
FileParser. In the pastFileParserrango getand requiredGOPRIVATEand resolvability error handling. That was later removed so I was able to remove the remaining parts that were no longer required.I've added some tests for this as well but they aren't particularly effective as they just check that different variations of
GOPRIVATEdon't have any effect on the output. They might be useful in detecting behavior changes in future go updates but I'd also be OK to remove them if preferred. A better test would require a test case that used private credentials but that would only work in CI. For now I tested manually:`GOPRIVATE=` fails with private deps
`GOPRIVATE=github.com/dependabot-fixtures/*` succeeds with private deps
default `GOPRIVATE` succeeds with private deps