When Dependabot updates a Go dependency, the Go tooling (`go get`, `go mod tidy`) can
prune `/go.mod` checksum entries from `go.sum` for unrelated modules. This causes
Dependabot PRs to unexpectedly remove hash entries that `go mod tidy` would normally keep.

```
├── reproduce_issue.rb          # Demonstrates the bug and fix
├── test_scenarios.rb           # 12 scenario tests for reconcile_go_sum
├── reconcile_and_update.rb     # Standalone reconcile script (used in CI)
├── go_project/
│   ├── go.mod                  # Sample Go module file
│   └── go.sum                  # Sample checksums file
├── .github/
│   └── workflows/
│       ├── ci.yml              # Runs reproduction + test scenarios
│       └── reconcile-gosum.yml # Auto-reconciles and opens PR on go.mod change
```
```sh
ruby reproduce_issue.rb
ruby test_scenarios.rb
```

This runs 12 scenarios verifying the reconcile logic handles:

- Correct restoration of pruned `/go.mod` lines
- No false restoration for removed/upgraded/downgraded modules
- Multiple dependencies updated simultaneously
- go.mod-only entries (no zip hash)
The workflow (`.github/workflows/reconcile-gosum.yml`) triggers when `go_project/go.mod`
is modified. It:

- Detects which dependencies were updated in `go.mod`
- Runs `go mod tidy` to update `go.sum` via Go tooling
- Reconciles `go.sum` using `reconcile_and_update.rb`, restoring `/go.mod` checksum lines that Go tooling incorrectly pruned for unrelated modules
- Opens a PR with the corrected `go.sum` if changes were needed
You can also trigger the workflow manually via `workflow_dispatch`:

```sh
gh workflow run reconcile-gosum.yml \
  -f dependency="rsc.io/quote" \
  -f version="v1.5.2"
```

The `reconcile_go_sum` function compares the original `go.sum` with what Go tooling
produced and restores `/go.mod` checksum lines that were pruned, but only when:

- The line is a `/go.mod` checksum (not a zip hash)
- The module is not the dependency being updated
- The module+version is still present in the dependency graph
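The following is an added, self-contained Ruby illustration of those three conditions; it is not the repository's own `reconcile_and_update.rb` or `reconcile_go_sum`. It assumes the dependency graph can be approximated by the `require` entries of the updated `go.mod` (the real script may derive it differently), and the `go.sum`/`go.mod` contents, the helper names `parse_go_sum`, `require_graph` and `demo_reconcile`, and the `h1:` hash values are all constructed for the example.

```ruby
require "set"

# One parsed go.sum line. go_mod_only is true for "module version/go.mod h1:..." lines.
GoSumEntry = Struct.new(:mod, :version, :hash, :go_mod_only) do
  # Render the entry back into go.sum line format.
  def to_line
    "#{mod} #{version}#{go_mod_only ? '/go.mod' : ''} #{hash}"
  end
end

# Parse go.sum text. Each line is either
#   module version h1:<hash>          (zip hash)
#   module version/go.mod h1:<hash>   (go.mod-only hash)
def parse_go_sum(text)
  text.each_line.map(&:strip).reject(&:empty?).map do |line|
    mod, ver, hash = line.split(/\s+/, 3)
    raise ArgumentError, "malformed go.sum line: #{line.inspect}" if hash.nil?
    go_mod_only = ver.end_with?("/go.mod")
    GoSumEntry.new(mod, go_mod_only ? ver.delete_suffix("/go.mod") : ver, hash, go_mod_only)
  end
end

# Approximate the dependency graph from go.mod require directives (assumption:
# with Go >= 1.17 pruned module graphs, go.mod lists all needed modules, direct
# and "// indirect"). Handles both the block form and the single-line form.
def require_graph(go_mod_text)
  graph = Set.new
  in_block = false
  go_mod_text.each_line do |raw|
    line = raw.sub(%r{//.*}, "").strip # drop comments such as "// indirect"
    next if line.empty?
    if line == "require ("
      in_block = true
    elsif in_block && line == ")"
      in_block = false
    elsif in_block
      graph << line.split(/\s+/, 2)
    elsif line.start_with?("require ")
      graph << line.delete_prefix("require ").split(/\s+/, 2)
    end
  end
  graph
end

# Returns the reconciled go.sum lines, sorted as Go tooling writes them.
#   original:     go.sum before the update
#   updated:      go.sum as rewritten by `go mod tidy`
#   updated_deps: module paths being bumped (their old lines are never restored)
#   graph:        Set of [module, version] pairs still in the dependency graph
def reconcile_go_sum(original:, updated:, updated_deps:, graph:)
  kept = parse_go_sum(updated)
  present = kept.map { |e| [e.mod, e.version, e.go_mod_only] }.to_set
  restored = parse_go_sum(original).select do |e|
    e.go_mod_only &&                               # condition 1: /go.mod hash, not a zip hash
      !updated_deps.include?(e.mod) &&             # condition 2: not the dependency being updated
      graph.include?([e.mod, e.version]) &&        # condition 3: module+version still required
      !present.include?([e.mod, e.version, true])  # and tidy actually dropped it
  end
  (kept + restored).map(&:to_line).sort
end

# Constructed sample: go.sum before Dependabot bumps rsc.io/quote v1.5.1 -> v1.5.2
# and drops github.com/old/dep. Hash values are placeholders.
ORIGINAL_GO_SUM = <<~SUM
  github.com/old/dep v1.0.0 h1:old0=
  github.com/old/dep v1.0.0/go.mod h1:old1=
  golang.org/x/text v0.3.0 h1:txt0=
  golang.org/x/text v0.3.0/go.mod h1:txt1=
  rsc.io/quote v1.5.1 h1:q0=
  rsc.io/quote v1.5.1/go.mod h1:q1=
  rsc.io/sampler v1.3.0 h1:s0=
  rsc.io/sampler v1.3.0/go.mod h1:s1=
SUM

# Constructed output of `go mod tidy`: the unrelated golang.org/x/text /go.mod line was pruned.
TIDIED_GO_SUM = <<~SUM
  golang.org/x/text v0.3.0 h1:txt0=
  rsc.io/quote v1.5.2 h1:q2=
  rsc.io/quote v1.5.2/go.mod h1:q3=
  rsc.io/sampler v1.3.0 h1:s0=
  rsc.io/sampler v1.3.0/go.mod h1:s1=
SUM

# Constructed updated go.mod; github.com/old/dep is gone, so it must not be restored.
UPDATED_GO_MOD = <<~MOD
  module example.com/hello

  go 1.21

  require (
    golang.org/x/text v0.3.0 // indirect
    rsc.io/quote v1.5.2
    rsc.io/sampler v1.3.0 // indirect
  )
MOD

def demo_reconcile
  reconcile_go_sum(original: ORIGINAL_GO_SUM, updated: TIDIED_GO_SUM,
                   updated_deps: ["rsc.io/quote"], graph: require_graph(UPDATED_GO_MOD))
end

puts demo_reconcile if $PROGRAM_NAME == __FILE__
```

Run it with `ruby reconcile_example.rb`: only the `golang.org/x/text v0.3.0/go.mod` line comes back, while the old `rsc.io/quote v1.5.1` lines (the bumped dependency) and the `github.com/old/dep` lines (no longer in the graph) stay removed.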
- Issue: dependabot/dependabot-core#14872
- Fix PR: dependabot/dependabot-core#15056