BUILD/MINOR: ci: add job to detect new go.mod dependencies in MRs

oktalz · oktalz · commit 770dfe8fde51 · 2026-04-14T13:25:13.000Z
Add the check-dependencies job to the GitLab CI lint stage to automatically
detect when new Go dependencies are introduced in a merge request.

The job compares the go.mod file against the target branch and generates
a JUnit report. If new dependencies are found, the report is marked as
failed to alert reviewers. This ensures external package additions are
highly visible during code review, aiding in security and maintenance.
diff --git a/.gitlab/lint.yml b/.gitlab/lint.yml
@@ -97,6 +97,48 @@ commit-policy:
       - junit-report.xml
     reports:
       junit: junit-report.xml
+check-dependencies:
+  stage: lint
+  allow_failure: true
+  needs: []
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+  image:
+    name: $HAPROXY_REGISTRY_GO/golang:latest-alpine
+    entrypoint: [""]
+  tags:
+    - go
+  script:
+    - |
+      git fetch origin ${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}
+      # skip check if all go.mod changes are from Gopher Bot
+      BOT_COMMITS=$(git log --author="noreply-gopher@haproxy.com" --format='%H' origin/${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}..HEAD -- go.mod || true)
+      ALL_COMMITS=$(git log --format='%H' origin/${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}..HEAD -- go.mod || true)
+      if [ -n "$ALL_COMMITS" ] && [ "$BOT_COMMITS" = "$ALL_COMMITS" ]; then
+        echo "All go.mod changes are from Gopher Bot, skipping."
+        junit-report add --status=ok --file="go.mod" --message="go.mod changes from Gopher Bot, skipped" --description="go.mod dependency check skipped"
+        exit 0
+      fi
+      NEW_DEPS=$(git diff origin/${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}...HEAD -- go.mod \
+        | grep -E '^\+\s' \
+        | grep -v '^\+\+\+' \
+        | grep -v '^\+\s*\/\/' \
+        || true)
+      if [ -n "$NEW_DEPS" ]; then
+        echo "New dependencies detected in go.mod:"
+        echo "$NEW_DEPS"
+        junit-report add --status=failed --file="go.mod" --message="new dependencies added to go.mod" --description="$(printf "The following dependencies were added:\n\n%s" "$NEW_DEPS")"
+        exit 1
+      else
+        echo "No new dependencies added to go.mod."
+        junit-report add --status=ok --file="go.mod" --message="no new dependencies added to go.mod" --description="go.mod dependency check passed"
+      fi
+  artifacts:
+    when: on_failure
+    paths:
+      - junit-report.xml
+    reports:
+      junit: junit-report.xml
 check-committer:
   stage: lint
   allow_failure: true
