feat: add go tidy compat support to omnibump (#95)

* feat: Wire up support for tidy-compat

Add and wire up the `--tidy-compat` flag.

* chore(tests): Add Unit + Integration tests, plus supporting changes

The biggest change here is to use an interface to call
`exec.CommandContext` in `runner.go`, so that the call can be mocked by
the new unit test.

Also adds an integration test, w/ test go project, to verify Go is doing
what we expect it to.

Author: AdamIsrael

cmd/omnibump/root.go

@@ -40,6 +40,7 @@ type rootFlags struct {
 	rootDir        string
 	manifestFile   string
 	tidy           bool
+	tidyCompat     string
 	showDiff       bool
 	dryRun         bool
 	logLevel       string
@@ -87,6 +88,7 @@ func New() *cobra.Command {
 	f.StringVar(&flags.replaces, "replaces", "", "inline replace list (space-separated, format: oldpkg=newpkg@version)")
 	f.StringVar(&flags.properties, "props", "", "inline properties list (space-separated)")
 	f.StringVar(&flags.rootDir, "dir", ".", "project root directory")
+	f.StringVar(&flags.tidyCompat, "tidy-compat", "", "set the go version for which the tidied go.mod and go.sum files should be compatible")
 	f.BoolVar(&flags.tidy, "tidy", false, "run tidy command after update")
 	f.BoolVar(&flags.showDiff, "show-diff", false, "show diff of changes")
 	f.BoolVar(&flags.dryRun, "dry-run", false, "simulate update without making changes")
@@ -383,6 +385,9 @@ func buildUpdateConfig(cfg *config.Config) *languages.UpdateConfig {
 	updateCfg.ShowDiff = flags.showDiff
 	updateCfg.DryRun = flags.dryRun
 	updateCfg.ManifestFile = flags.manifestFile
+	if flags.tidyCompat != "" {
+		updateCfg.Options["tidy-compat"] = flags.tidyCompat
+	}
 
 	// The CLI's --manager flag always wins over a value in the deps file
 	// (which ToUpdateConfig already stamped into Options).

pkg/languages/golang/runner.go

@@ -32,6 +32,23 @@ var ErrInvalidVersionQueryChar = errors.New("invalid character in version query"
 // ErrUnexpectedGoVersionOutput is returned when go version output has unexpected format.
 var ErrUnexpectedGoVersionOutput = errors.New("unexpected go version output")
 
+// commander is the minimal surface of *exec.Cmd that this package uses.
+// It exists so tests can swap out commandContext below with a fake.
+type commander interface {
+	CombinedOutput() ([]byte, error)
+}
+
+// commandContext builds a commander for the given dir/name/args. Overridable in tests.
+// An empty dir leaves cmd.Dir unset (inheriting the parent process working directory),
+// matching the behavior of callers that don't pin a working directory.
+var commandContext = func(ctx context.Context, dir, name string, args ...string) commander {
+	cmd := exec.CommandContext(ctx, name, args...) //nolint:gosec
+	if dir != "" {
+		cmd.Dir = dir
+	}
+	return cmd
+}
+
 // validateModulePath validates a Go module path to prevent injection attacks.
 // Uses module.CheckPath() from golang.org/x/mod/module to ensure the path is valid.
 func validateModulePath(path string) error {
@@ -72,10 +89,7 @@ func GoModTidy(ctx context.Context, modroot, _ string, compat string) (string, e
 	if compat != "" {
 		args = append(args, "-compat", compat)
 	}
-
-	cmd := exec.CommandContext(ctx, "go", args...)
-	cmd.Dir = modroot
-	if bytes, err := cmd.CombinedOutput(); err != nil {
+	if bytes, err := commandContext(ctx, modroot, "go", args...).CombinedOutput(); err != nil {
 		return strings.TrimSpace(string(bytes)), err
 	}
 	return "", nil
@@ -127,8 +141,7 @@ func UpdateGoWorkVersion(ctx context.Context, modroot string, forceWork bool, go
 
 	// Get Go version from environment if not provided
 	if goVersion == "" {
-		cmd := exec.CommandContext(ctx, "go", "version")
-		output, err := cmd.CombinedOutput()
+		output, err := commandContext(ctx, "", "go", "version").CombinedOutput()
 		if err != nil {
 			return fmt.Errorf("failed to get Go version: %w, output: %s", err, strings.TrimSpace(string(output)))
 		}
@@ -174,9 +187,7 @@ func UpdateGoWorkVersion(ctx context.Context, modroot string, forceWork bool, go
 
 	dir := filepath.Dir(workPath)
 	// Safe: goVersion is either auto-detected from runtime.Version() or user-provided version string (e.g., "1.21")
-	cmd := exec.CommandContext(ctx, "go", "work", "edit", "-go", goVersion) //nolint:gosec // G204: goVersion is a version string, not user-controlled path
-	cmd.Dir = dir
-	if bytes, err := cmd.CombinedOutput(); err != nil {
+	if bytes, err := commandContext(ctx, dir, "go", "work", "edit", "-go", goVersion).CombinedOutput(); err != nil {
 		return fmt.Errorf("failed to update go.work version: %w, output: %s", err, strings.TrimSpace(string(bytes)))
 	}
 
@@ -187,15 +198,11 @@ func UpdateGoWorkVersion(ctx context.Context, modroot string, forceWork bool, go
 func GoVendor(ctx context.Context, dir string, forceWork bool) (string, error) {
 	workPath := findGoWork(dir)
 	if forceWork || workPath != "" {
-		cmd := exec.CommandContext(ctx, "go", "work", "vendor")
-		cmd.Dir = dir
-		if bytes, err := cmd.CombinedOutput(); err != nil {
+		if bytes, err := commandContext(ctx, dir, "go", "work", "vendor").CombinedOutput(); err != nil {
 			return strings.TrimSpace(string(bytes)), err
 		}
 	} else {
-		cmd := exec.CommandContext(ctx, "go", "mod", "vendor")
-		cmd.Dir = dir
-		if bytes, err := cmd.CombinedOutput(); err != nil {
+		if bytes, err := commandContext(ctx, dir, "go", "mod", "vendor").CombinedOutput(); err != nil {
 			return strings.TrimSpace(string(bytes)), err
 		}
 	}
@@ -213,9 +220,7 @@ func GoGetModule(ctx context.Context, name, version, modroot string) (string, er
 	if err := validateVersionQuery(version); err != nil {
 		return "", err
 	}
-	cmd := exec.CommandContext(ctx, "go", "get", fmt.Sprintf("%s@%s", name, version)) //nolint:gosec
-	cmd.Dir = modroot
-	if bytes, err := cmd.CombinedOutput(); err != nil {
+	if bytes, err := commandContext(ctx, modroot, "go", "get", fmt.Sprintf("%s@%s", name, version)).CombinedOutput(); err != nil {
 		return strings.TrimSpace(string(bytes)), err
 	}
 	return "", nil
@@ -235,15 +240,11 @@ func GoModEditReplaceModule(ctx context.Context, nameOld, nameNew, version, modr
 		return "", fmt.Errorf("invalid version: %w", err)
 	}
 
-	cmd := exec.CommandContext(ctx, "go", "mod", "edit", "-dropreplace", nameOld) //nolint:gosec
-	cmd.Dir = modroot
-	if bytes, err := cmd.CombinedOutput(); err != nil {
+	if bytes, err := commandContext(ctx, modroot, "go", "mod", "edit", "-dropreplace", nameOld).CombinedOutput(); err != nil {
 		return strings.TrimSpace(string(bytes)), fmt.Errorf("error running go command to drop replace modules: %w", err)
 	}
 
-	cmd = exec.CommandContext(ctx, "go", "mod", "edit", "-replace", fmt.Sprintf("%s=%s@%s", nameOld, nameNew, version)) //nolint:gosec
-	cmd.Dir = modroot
-	if bytes, err := cmd.CombinedOutput(); err != nil {
+	if bytes, err := commandContext(ctx, modroot, "go", "mod", "edit", "-replace", fmt.Sprintf("%s=%s@%s", nameOld, nameNew, version)).CombinedOutput(); err != nil {
 		return strings.TrimSpace(string(bytes)), fmt.Errorf("error running go command to replace modules: %w", err)
 	}
 	return "", nil
@@ -256,9 +257,7 @@ func GoModEditDropRequireModule(ctx context.Context, name, modroot string) (stri
 		return "", err
 	}
 	// Safe: module path validated above
-	cmd := exec.CommandContext(ctx, "go", "mod", "edit", "-droprequire", name) //nolint:gosec
-	cmd.Dir = modroot
-	if bytes, err := cmd.CombinedOutput(); err != nil {
+	if bytes, err := commandContext(ctx, modroot, "go", "mod", "edit", "-droprequire", name).CombinedOutput(); err != nil {
 		return strings.TrimSpace(string(bytes)), err
 	}
 

pkg/languages/golang/runner_test.go

@@ -14,8 +14,50 @@ import (
 	"runtime"
 	"strings"
 	"testing"
+
+	"github.com/stretchr/testify/assert"
 )
 
+// fakeCmd implements commander; it records the invocation it was built with
+// and returns the stubbed output/error when CombinedOutput is called.
+type fakeCmd struct {
+	dir, name string
+	args      []string
+	out       []byte
+	err       error
+}
+
+func (f *fakeCmd) CombinedOutput() ([]byte, error) { return f.out, f.err }
+
+// fakeRunner captures every command built via commandContext and produces a
+// fakeCmd. Stub responses per-command by populating responses keyed on the
+// joined "name arg1 arg2 ..." string.
+type fakeRunner struct {
+	calls     []fakeCmd
+	responses map[string]struct {
+		out []byte
+		err error
+	}
+}
+
+func (r *fakeRunner) factory(_ context.Context, dir, name string, args ...string) commander {
+	key := strings.Join(append([]string{name}, args...), " ")
+	resp := r.responses[key]
+	cmd := fakeCmd{dir: dir, name: name, args: args, out: resp.out, err: resp.err}
+	r.calls = append(r.calls, cmd)
+	return &cmd
+}
+
+// withFakeRunner swaps commandContext for the duration of a test.
+func withFakeRunner(t *testing.T) *fakeRunner {
+	t.Helper()
+	r := &fakeRunner{}
+	orig := commandContext
+	commandContext = r.factory
+	t.Cleanup(func() { commandContext = orig })
+	return r
+}
+
 func TestGoWork(t *testing.T) {
 	// Skip if go command is not available
 	if _, err := exec.LookPath("go"); err != nil {
@@ -323,6 +365,86 @@ github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 	})
 }
 
+func TestGoTidy_Integration(t *testing.T) {
+	// Skip if go command is not available
+	if _, err := exec.LookPath("go"); err != nil {
+		t.Skip("go command not found, skipping test")
+	}
+
+	ctx := context.Background()
+
+	t.Run("GoModTidy", func(t *testing.T) {
+		testCases := []struct {
+			name   string
+			compat string
+			error  bool
+		}{
+			{
+				name:   "mod tidy w/o compat",
+				compat: "",
+				error:  true,
+			},
+			{
+				name:   "mod tidy w/ compat",
+				compat: "1.17",
+				error:  false,
+			},
+		}
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				tmpDir := t.TempDir()
+				copyFile(t, "testdata/tidy-compat/go.mod", tmpDir)
+				copyFile(t, "testdata/tidy-compat/main.go", tmpDir)
+
+				_, err := GoModTidy(ctx, tmpDir, "", tc.compat)
+				// require.NoError(t, err)
+				assert.Equal(t, err != nil, tc.error)
+
+				// Check if go.sum is created (only on success)
+				cmd := exec.CommandContext(ctx, "ls", "-la", "go.sum")
+				cmd.Dir = tmpDir
+				output, err := cmd.Output()
+
+				if tc.error {
+					assert.Error(t, err)
+				} else {
+					assert.NoError(t, err)
+					assert.Contains(t, string(output), "go.sum")
+				}
+			})
+		}
+	})
+}
+
+func TestGoTidy_Unit(t *testing.T) {
+	tests := []struct {
+		name       string
+		tidyCompat string
+		expected   string
+	}{
+		{name: "valid tidy w/o compat", tidyCompat: "", expected: "go mod tidy"},
+		{name: "valid tidy w/ compat", tidyCompat: "1.20", expected: "go mod tidy -compat 1.20"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			r := withFakeRunner(t)
+			if _, err := GoModTidy(context.Background(), "/some/modroot", "", tt.tidyCompat); err != nil {
+				t.Fatalf("GoModTidy returned error: %v", err)
+			}
+			if len(r.calls) != 1 {
+				t.Fatalf("expected 1 command, got %d", len(r.calls))
+			}
+			got := r.calls[0]
+			command := got.name + " " + strings.Join(got.args, " ")
+
+			if tt.expected != command {
+				t.Errorf("command: got %q, want %q", tt.expected, command)
+			}
+		})
+	}
+}
+
 // TestValidateModulePath tests module path validation against injection attacks.
 func TestValidateModulePath(t *testing.T) {
 	tests := []struct {

pkg/languages/golang/testdata/tidy-compat/go.mod

@@ -0,0 +1,10 @@
+module test
+
+go 1.17
+
+require (
+	github.com/falcosecurity/client-go v0.5.0
+	github.com/prometheus/client_golang v1.12.2
+	github.com/spf13/pflag v1.0.5
+	google.golang.org/grpc v1.56.3
+)

pkg/languages/golang/testdata/tidy-compat/main.go

@@ -0,0 +1,15 @@
+/*
+Copyright 2026 Chainguard, Inc.
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package main
+
+import (
+	_ "github.com/falcosecurity/client-go/pkg/client"
+	_ "github.com/prometheus/client_golang/prometheus"
+	_ "github.com/spf13/pflag"
+	_ "google.golang.org/grpc"
+)
+
+func main() {}