go_modules: Add go.work workspace support (#14909)

* Add go.work workspace support to Go modules updater

Dependabot can now detect and process go.work files, enabling
dependency updates across multi-module Go workspaces.

- FileFetcher: detect go.work, fetch all workspace module go.mod/go.sum
- FileParser: parse dependencies from all workspace modules; DependencySet
  handles deduplication across modules automatically
- FileUpdater: dispatch to workspace vs. single-module update paths
- GoModUpdater: run `go get dep@version` in each module directory so
  every go.mod that requires the dep gets updated; follow with
  `go work sync` then per-module `go mod tidy -e`
- GoWorkParser: shared utility for parsing `use` directives from go.work
  content, including inline comment stripping and `use .` (root module)
- PackageDetailsFetcher: fall back to any sub-module go.mod when no root
  go.mod exists
- ecosystem_versions: read Go version from go.work or first workspace
  module when no root go.mod is present

Fixes #6012

* Add specs and fixtures for go.work workspace support

- GoWorkParser: unit tests for block/single-line use directives, inline
  comments, deduplication, bare `use .`, empty content, toolchain and
  godebug directives
- FileFetcher: workspace with root module, workspace with no root go.mod,
  root-only workspace (use .)
- FileParser: workspace dependency parsing and cross-module deduplication
- FileUpdater: workspace update dispatch, all-module go get, go work sync
  failure propagation, no-root-mod workspace
- Fixtures: workspace/ (root + libs + services), workspace_no_root_mod/
  (api + worker), workspace_root_only/ (use . only)

* Fix Sorbet, lint, and ecosystem_versions regressions caught by CI

- Restore T.nilable in T.let memoization for @all_go_mods and
  @updated_workspace_module_files — required Sorbet idiom for ||=
  memoized ivars not declared in initialize
- Revert go_version_from_file regex to \d+\.\d+ (major.minor only)
  to match original ecosystem_versions behaviour and fix e2e tests
- Wrap two over-length lines in file_parser_spec.rb
- Use %w() literals and explicit subject in go_work_parser_spec.rb
- Add file_updater_spec.rb to RSpec/AnyInstance todo exclusion list
  (same treatment as bundler, bun, and other ecosystems)

* Remove go.env and .ruby-version (local development artifacts)

* Address Copilot review feedback

- Reject absolute paths and traversals in GoModUpdater#workspace_module_paths
  as a defence-in-depth guard (paths already validated by FileFetcher, but
  worth being explicit in the updater too)
- Pass mod_file.path to handle_parser_error when parsing workspace modules
  so DependencyFileNotParseable points at the failing go.mod, not go.work
- Fetch go.work.sum when present; return updated version after go work sync

* chore: bump go_work_parser.rb to typed: strong

Sorbet typing mode check (spoom) detected all methods have complete
signatures, qualifying for the stricter strong level.

* fix: select go.mod by requirement file in PackageDetailsFetcher

In workspace repos there is no root go.mod, so the fallback to the first
nested go.mod could apply exclude directives from an unrelated module.
For direct dependencies, use the requirement file path to find the
correct go.mod. Indirect deps (empty requirements) retain the existing
fallback behaviour.

* fix: align fetch/parse scope with go.work use directives

Previously, the fetcher unconditionally appended the root go.mod/go.sum
whenever they existed, even in workspace repos where go.work does not
include ".". The parser then ingested those out-of-scope modules via
all_go_mods, surfacing dependencies that the updater would never touch.

Fix the fetcher so workspace mode is fully handled by workspace_module_files
(which now fetches "go.mod"/"go.sum" directly for the root "." path when
present in the use list) and removes the unconditional root fallback.

Fix the parser so all_go_mods derives its list from GoWorkParser.use_paths
in workspace mode, keeping parse scope in lockstep with update scope.

Addresses maintainer feedback from @thavaahariharangit.

* fix: harden workspace_module_paths against missing dirs and false-positive path rejection

- Replace substring `include?("..")` check with Pathname.cleanpath-based
  traversal guard, matching FileFetcher#valid_module_path? and avoiding
  false rejections on dirs whose names contain ".." (e.g. "tools..v2")
- Filter use-paths against fetched go.mod dependency_files so Dir.chdir
  never runs against a module directory that wasn't fetched, preventing
  an unhandled Errno::ENOENT if go.work has a stale or missing use entry

* fix: resolve RuboCop offenses in workspace_module_paths

Extract valid_workspace_path? and workspace_mod_name helpers to bring
Metrics/PerceivedComplexity back under threshold, and use to_set(&:name)
to satisfy Style/MapToSet.

* fix: fail fast when a go.work workspace module has a vendor directory

Workspace vendoring is not yet supported — the workspace update path
only updates go.mod/go.sum files and does not invoke vendor_updater,
which would leave vendor/modules.txt and vendored sources stale.

Detect vendor/modules.txt in any workspace module (root or submodule)
before proceeding and raise DependencyFileNotResolvable with a clear
message rather than silently producing an inconsistent vendor directory.

* fix: wrap long line in check_workspace_not_vendored! to satisfy LineLength cop

* fix: each File.join argument on its own line to satisfy multiline argument cops

---------

Co-authored-by: Jamie Magee <jamagee@microsoft.com>
Co-authored-by: Hariharan Thavachelvam <164553783+thavaahariharangit@users.noreply.github.com>

Author: 3 people

.rubocop_todo.yml

@@ -51,6 +51,7 @@ RSpec/AnyInstance:
     - 'maven/spec/dependabot/maven/metadata_finder_spec.rb'
     - 'npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker_spec.rb'
     - 'python/spec/dependabot/python/file_updater_spec.rb'
+    - 'go_modules/spec/dependabot/go_modules/file_updater_spec.rb'
     - 'updater/spec/dependabot/dependency_change_builder_spec.rb'
     - 'updater/spec/dependabot/file_fetcher_command_spec.rb'
 

go_modules/lib/dependabot/go_modules/file_fetcher.rb

@@ -4,6 +4,7 @@
 require "sorbet-runtime"
 require "dependabot/file_fetchers"
 require "dependabot/file_fetchers/base"
+require "dependabot/go_modules/go_work_parser"
 
 module Dependabot
   module GoModules
@@ -13,41 +14,68 @@ class FileFetcher < Dependabot::FileFetchers::Base
 
       sig { override.params(filenames: T::Array[String]).returns(T::Boolean) }
       def self.required_files_in?(filenames)
-        filenames.include?("go.mod")
+        filenames.include?("go.mod") || filenames.include?("go.work")
       end
 
       sig { override.returns(String) }
       def self.required_files_message
-        "Repo must contain a go.mod."
+        "Repo must contain a go.mod or go.work."
       end
 
       sig { override.returns(T::Hash[Symbol, T.untyped]) }
       def ecosystem_versions
+        version = go_version_from_file(go_mod) ||
+                  go_version_from_file(go_work) ||
+                  all_workspace_go_mods.filter_map { |f| go_version_from_file(f) }.first ||
+                  "unknown"
+
         {
           package_managers: {
-            "gomod" => go_mod&.content&.match(/^go\s(\d+\.\d+)/)&.captures&.first || "unknown"
+            "gomod" => version
           }
         }
       end
 
       sig { override.returns(T::Array[DependencyFile]) }
       def fetch_files
-        # Ensure we always check out the full repo contents for go_module
-        # updates.
-        SharedHelpers.in_a_temporary_repo_directory(
-          directory,
-          clone_repo_contents
-        ) do
-          fetched_files = go_mod ? [go_mod] : []
-          # Fetch the (optional) go.sum
-          fetched_files << T.must(go_sum) if go_sum
-          fetched_files << T.must(go_env) if go_env
+        SharedHelpers.in_a_temporary_repo_directory(directory, clone_repo_contents) do
+          fetched_files = collect_dependency_files
+          validate_files!(fetched_files)
           fetched_files
         end
       end
 
       private
 
+      sig { returns(T::Array[DependencyFile]) }
+      def collect_dependency_files
+        fetched_files = T.let([], T::Array[DependencyFile])
+
+        if go_work
+          fetched_files << T.must(go_work)
+          fetched_files << T.must(go_work_sum) if go_work_sum
+          fetched_files.concat(workspace_module_files)
+        else
+          fetched_files << T.must(go_mod) if go_mod
+          fetched_files << T.must(go_sum) if go_sum
+        end
+
+        fetched_files << T.must(go_env) if go_env
+
+        fetched_files
+      end
+
+      sig { params(files: T::Array[DependencyFile]).void }
+      def validate_files!(files)
+        return if files.any? { |f| f.name.end_with?("go.mod") }
+
+        error_msg = go_work ? "No go.mod files found in workspace" : "No go.mod files found"
+        raise Dependabot::DependencyFileNotFound.new(
+          "go.mod",
+          error_msg
+        )
+      end
+
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def go_mod
         @go_mod ||= T.let(fetch_file_if_present("go.mod"), T.nilable(Dependabot::DependencyFile))
@@ -58,13 +86,78 @@ def go_sum
         @go_sum ||= T.let(fetch_file_if_present("go.sum"), T.nilable(Dependabot::DependencyFile))
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def go_work_sum
+        @go_work_sum ||= T.let(fetch_file_if_present("go.work.sum"), T.nilable(Dependabot::DependencyFile))
+      end
+
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def go_env
         return @go_env if defined?(@go_env)
 
         @go_env = T.let(fetch_support_file("go.env"), T.nilable(Dependabot::DependencyFile))
         @go_env
       end
+
+      sig { params(file: T.nilable(Dependabot::DependencyFile)).returns(T.nilable(String)) }
+      def go_version_from_file(file)
+        file&.content&.match(/^go\s+(\d+\.\d+)/)&.captures&.first
+      end
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def all_workspace_go_mods
+        return [] unless go_work
+
+        workspace_module_paths.filter_map do |module_path|
+          name = module_path == "." ? "go.mod" : File.join(module_path, "go.mod")
+          fetch_file_if_present(name)
+        end
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def go_work
+        @go_work ||= T.let(fetch_file_if_present("go.work"), T.nilable(Dependabot::DependencyFile))
+      end
+
+      sig { returns(T::Array[String]) }
+      def workspace_module_paths
+        return [] unless go_work
+
+        content = T.must(T.must(go_work).content)
+        GoWorkParser.use_paths(content)
+                    .select { |p| valid_module_path?(p) }
+      end
+
+      sig { params(path: String).returns(T::Boolean) }
+      def valid_module_path?(path)
+        return false if path.empty?
+        return false if Pathname.new(path).absolute?
+        return false if path.include?("\0")
+
+        clean = Pathname.new(path).cleanpath.to_s
+        return false if clean.start_with?("../")
+
+        true
+      end
+
+      sig { returns(T::Array[DependencyFile]) }
+      def workspace_module_files
+        files = T.let([], T::Array[DependencyFile])
+
+        workspace_module_paths.each do |module_path|
+          mod_name = module_path == "." ? "go.mod" : File.join(module_path, "go.mod")
+          mod_file = fetch_file_if_present(mod_name)
+          next unless mod_file
+
+          files << mod_file
+
+          sum_name = module_path == "." ? "go.sum" : File.join(module_path, "go.sum")
+          sum_file = fetch_file_if_present(sum_name)
+          files << sum_file if sum_file
+        end
+
+        files
+      end
     end
   end
 end

go_modules/lib/dependabot/go_modules/file_parser.rb

@@ -6,6 +6,7 @@
 require "open3"
 require "dependabot/dependency"
 require "dependabot/file_parsers/base/dependency_set"
+require "dependabot/go_modules/go_work_parser"
 require "dependabot/go_modules/path_converter"
 require "dependabot/go_modules/replace_stubber"
 require "dependabot/errors"
@@ -52,11 +53,13 @@ def initialize(
       def parse
         dependency_set = Dependabot::FileParsers::Base::DependencySet.new
 
-        required_packages.each do |hsh|
-          unless skip_dependency?(hsh) # rubocop:disable Style/Next
+        if workspace?
+          parse_workspace_dependencies(dependency_set)
+        else
+          required_packages.each do |hsh|
+            next if skip_dependency?(hsh)
 
-            dep = dependency_from_details(hsh)
-            dependency_set << dep
+            dependency_set << dependency_from_details(hsh)
           end
         end
 
@@ -190,9 +193,98 @@ def go_env
         @go_env ||= T.let(get_original_file("go.env"), T.nilable(Dependabot::DependencyFile))
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def go_work
+        @go_work ||= T.let(get_original_file("go.work"), T.nilable(Dependabot::DependencyFile))
+      end
+
+      sig { returns(T::Boolean) }
+      def workspace?
+        !go_work.nil?
+      end
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def all_go_mods
+        @all_go_mods ||= T.let(
+          if go_work
+            workspace_mod_names = GoWorkParser.use_paths(T.must(T.must(go_work).content)).map do |path|
+              path == "." ? "go.mod" : "#{path}/go.mod"
+            end
+            dependency_files.select { |f| workspace_mod_names.include?(f.name) }
+          else
+            dependency_files.select { |f| f.name.end_with?("go.mod") }
+          end,
+          T.nilable(T::Array[Dependabot::DependencyFile])
+        )
+      end
+
+      sig { params(dependency_set: Dependabot::FileParsers::Base::DependencySet).void }
+      def parse_workspace_dependencies(dependency_set)
+        all_go_mods.each do |mod_file|
+          parse_single_module(mod_file).each do |dep|
+            dependency_set << dep
+          end
+        end
+      end
+
+      sig { params(mod_file: Dependabot::DependencyFile).returns(T::Array[Dependabot::Dependency]) }
+      def parse_single_module(mod_file)
+        SharedHelpers.in_a_temporary_directory do |path|
+          File.write("go.mod", mod_file.content)
+
+          command = "go mod edit -json"
+          stdout, stderr, status = Open3.capture3(command)
+          handle_parser_error(path, stderr, file_path: mod_file.path) unless status.success?
+
+          parsed = JSON.parse(stdout)
+          packages = parsed["Require"] || []
+
+          packages.filter_map do |hsh|
+            next if skip_dependency_in_manifest?(hsh, parsed)
+
+            source = { type: "default", source: hsh["Path"] }
+            version = hsh["Version"]&.sub(/^v?/, "")
+
+            reqs = [{
+              requirement: hsh["Version"],
+              file: mod_file.name,
+              source: source,
+              groups: []
+            }]
+
+            Dependency.new(
+              name: hsh["Path"],
+              version: version,
+              requirements: hsh["Indirect"] ? [] : reqs,
+              package_manager: "go_modules"
+            )
+          end
+        end
+      end
+
+      sig { params(dep: T::Hash[String, T.untyped], mod_manifest: T::Hash[String, T.untyped]).returns(T::Boolean) }
+      def skip_dependency_in_manifest?(dep, mod_manifest)
+        return true if dependency_is_replaced_in?(dep, mod_manifest)
+
+        path_uri = URI.parse("https://#{dep['Path']}")
+        !path_uri.host&.include?(".")
+      rescue URI::InvalidURIError
+        false
+      end
+
+      sig { params(details: T::Hash[String, T.untyped], mod_manifest: T::Hash[String, T.untyped]).returns(T::Boolean) }
+      def dependency_is_replaced_in?(details, mod_manifest)
+        return false unless mod_manifest["Replace"]
+
+        mod_manifest["Replace"].any? do |replace|
+          replace["Old"]["Path"] == details["Path"] &&
+            (!replace["Old"]["Version"] || replace["Old"]["Version"] == details["Version"])
+        end
+      end
+
       sig { override.void }
       def check_required_files
-        raise "No go.mod!" unless go_mod
+        raise "No go.mod or go.work!" unless go_mod || go_work
       end
 
       sig { params(details: T::Hash[String, T.untyped]).returns(Dependabot::Dependency) }
@@ -264,10 +356,11 @@ def go_mod_content
         end
       end
 
-      sig { params(path: T.any(Pathname, String), stderr: String).returns(T.noreturn) }
-      def handle_parser_error(path, stderr)
+      sig { params(path: T.any(Pathname, String), stderr: String, file_path: T.nilable(String)).returns(T.noreturn) }
+      def handle_parser_error(path, stderr, file_path: nil)
         msg = stderr.gsub(path.to_s, "").strip
-        raise Dependabot::DependencyFileNotParseable.new(T.must(go_mod).path, msg)
+        resolved_path = file_path || go_mod&.path || go_work&.path || "go.mod"
+        raise Dependabot::DependencyFileNotParseable.new(resolved_path, msg)
       end
 
       sig { params(dep: T::Hash[String, T.untyped]).returns(T::Boolean) }