Add GONOPROXY/GONOSUMDB env vars to go_modules FileParser #15159
Open
Nishnha wants to merge 1 commit into
GOPRIVATE=* forces every module through git auth, bypassing proxy.golang.org. That fixes cross-org private fetches but causes the updater to clone full repos for every public dep, exhausting disk.

Go treats GONOPROXY and GONOSUMDB as independent overrides — GOPRIVATE is just their default. See src/cmd/go/testdata/script/mod_gonoproxy.txt:

```
env GONOPROXY=none # that is, proxy all despite GOPRIVATE
```

This lets the API send GOPRIVATE=*, GONOPROXY=none, GONOSUMDB=* so public modules cache via the proxy while private/cross-org modules fall back to direct git auth with sumdb skipped.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR extends the Go modules FileParser environment setup so Dependabot can independently configure Go proxy and checksum database routing via GONOPROXY and GONOSUMDB.
Changes:
- Adds `:gonoproxy` and `:gonosumdb` option handling in the Go modules file parser.
- Preserves existing `go.env` and custom proxy credential precedence rules.
- Adds specs covering setting, omitting, and not overriding the new environment variables.
| File | Description |
|---|---|
| go_modules/lib/dependabot/go_modules/file_parser.rb | Adds environment variable setup for GONOPROXY and GONOSUMDB. |
| go_modules/spec/dependabot/go_modules/file_parser_spec.rb | Adds parser initialization specs for the new options and precedence behavior. |
Copilot's findings
- Files reviewed: 2/2 changed files
- Comments generated: 0
Adds support for two new options in `FileParser`:
- `:gonoproxy` → sets `ENV["GONOPROXY"]`
- `:gonosumdb` → sets `ENV["GONOSUMDB"]`

Both follow the same bail-out pattern as `:goprivate` (skip if user supplied their own `go.env` with the same key). `:gonoproxy` additionally bails when `goproxy_credentials` is set, since a custom proxy server overrides proxy routing decisions.

Why

Today the consumer (dependabot-api) sets `GOPRIVATE=*` to make cross-org private modules work. `GOPRIVATE` doubles as the default for `GONOPROXY` and `GONOSUMDB`, so every public module also bypasses proxy.golang.org and triggers a full git clone — causing disk exhaustion on the updater (see github/dependabot-updates#13395).

Go treats `GONOPROXY` and `GONOSUMDB` as independent overrides. From Go's own test suite (src/cmd/go/testdata/script/mod_gonoproxy.txt):

With this change, dependabot-api can send `GOPRIVATE=*, GONOPROXY=none, GONOSUMDB=*` so public modules cache through the proxy while private/cross-org modules fall back to direct git auth with sumdb skipped.

Companion API PR: https://github.com/github/dependabot-api/pull/8337.

Rollout

No ordering required. Older API versions only send `:goprivate`; this PR is purely additive on `FileParser`.