Add pip and golang dependency manifest generation support#2359
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Agentic Changeset Generator triggered by this pull request.
Pull Request Overview
This PR extends the dependabot manifest generation feature to support Python (pip) and Golang ecosystems in addition to the existing npm support, enabling multi-ecosystem dependency management for GitHub Actions workflows.
Key changes:
- Added structured dependency types for pip and Go packages with version parsing
- Refactored manifest generation to detect and process multiple ecosystems concurrently
- Implemented ecosystem-specific manifest generation (requirements.txt and go.mod)
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| pkg/workflow/dependabot.go | Added pip/Go dependency types, refactored GenerateDependabotManifests for multi-ecosystem support, implemented pip/Go package extraction and manifest generation |
| pkg/workflow/dependabot_test.go | Added comprehensive test coverage for pip/Go parsing, collection, manifest generation, and multi-ecosystem scenarios |
| cmd/gh-aw/main.go | Updated CLI help text to document multi-ecosystem support (npm, pip, Go) |
| if version == "latest" || version == "" { | ||
| // For latest, we need to use a placeholder or skip | ||
| // Dependabot will update to actual versions | ||
| version = "v0.0.0" | ||
| } |
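Review bot: The fallback on the `version = "v0.0.0"` line writes a version into the generated manifest that the workflow never asked for, and the comment above it ("use a placeholder or skip") leaves the choice undecided. Prefer skipping the dependency when `version` is "latest" or empty and logging that it was skipped, so the manifest lists only versions that were explicitly pinned; if the placeholder stays, the comment should say why `v0.0.0` is a safe starting point for Dependabot.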
[nitpick] Using 'v0.0.0' as a placeholder for 'latest' versions may cause confusion or issues with Go module resolution. Consider documenting this behavior more clearly or investigating if there's a better placeholder convention for go.mod files that Dependabot can work with.
Good catch! Fixed in commit 2e24fae. Changed the behavior to skip dependencies without explicit versions instead of using v0.0.0 placeholder. Dependencies with @latest or no version are now skipped with a debug log message suggesting users run go get package@latest to resolve proper versions. This avoids Go module resolution issues.
/mergefest
Agentic Mergefest triggered by this issue comment.
@copilot fix build, format, lint, fix tests and fix merging existing dependabot setting files for all package systems.
- Fixed syntax error in generateDependabotConfig from merge conflict
- Removed duplicate/orphaned code that referenced non-existent npmUpdate variable
- Improved go.mod generation to skip dependencies without explicit versions instead of using v0.0.0 placeholder
- Added better documentation for version handling in Go modules

All tests passing, build working, lint/format clean.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Fixed in commit 2e24fae: ✅ Build - Resolved syntax error from merge conflict in
Also improved go.mod generation to skip dependencies without explicit versions instead of using potentially problematic
Update CLI documentation to reflect recent feature additions:

- Document firewall log parsing in --parse flag (PR #2349, #2350)
  - Logs and audit commands now generate firewall.md files
  - JSON output includes firewall analysis
- Update --dependabot documentation (PR #2359)
  - Added pip and Go ecosystem support
  - Clarified command detection patterns
- Add repository feature validation section (PR #2347)
  - Compile validates discussions/issues enabled
  - Prevents runtime failures for incompatible workflows

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Add Dependabot Manifest Generation for Python (pip) and Golang
Goal: Extend the existing dependabot manifest generation to support Python (pip) and Golang package ecosystems, similar to the existing npm support.
Status
Changes
Fixed build errors (commit 578e95e+):
- `generateDependabotConfig` from merge conflict
- `npmUpdate` variable
- `else` statement

Improved Go module handling:
- `v0.0.0` placeholder which could cause Go module resolution issues
- `@latest` or unversioned dependencies with clear logging
- `go get package@latest` to resolve proper versions

Verified merging behavior for all package systems:
- `dependabot.yml` - preserves existing entries (docker, github-actions, etc.) and only adds missing ecosystems
- `package.json` - merges new npm dependencies with existing ones
- `requirements.txt` - merges new pip packages with existing ones, sorted alphabetically
- `go.mod` - preserves module declaration and go version, adds new dependencies

Implementation Summary

Core manifest generation (`pkg/workflow/dependabot.go`):
- `PipDependency` and `GoDependency` types for structured dependency representation
- `GenerateDependabotManifests` to detect and process multiple ecosystems
- `generateDependabotConfig` to accept ecosystem map for flexible multi-ecosystem configuration

Python (pip) support:
- `collectPipDependencies` / `parsePipPackage`: Extract packages from `pip install` / `pip3 install` commands
- `generateRequirementsTxt`: Generate/merge requirements.txt with version specifier support (==, >=, <=, !=, ~=)

Golang support:
- `collectGoDependencies` / `parseGoPackage`: Extract packages from `go install` / `go get` commands
- `extractGoFromCommands`: Pattern matching for go install/get with version tags
- `generateGoMod`: Generate/merge go.mod with module declaration and require blocks

CLI updates (`cmd/gh-aw/main.go`):
- `--dependabot` flag help text to document multi-ecosystem support

Test Results
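The skip-unversioned behaviour described above for go.mod generation, as an added example that is not the project's code: it scans constructed workflow commands for `go install` / `go get` arguments, keeps only those with an explicit version, and renders a require block. `GoDep`, `extractGoDeps`, `requireBlock` and the example.com paths are hypothetical, and each argument is assumed to already be a module path.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical type and constructed sample input; example.com paths are placeholders.
type GoDep struct{ Path, Version string }

const sampleSteps = `go install example.com/lint@v1.4.2
go get -u example.com/yaml@latest && go install example.com/fmt
go install example.com/audit@v0.9.0`

// extractGoDeps returns explicitly versioned args as pinned; unversioned and @latest args go to skipped.
func extractGoDeps(script string) (pinned []GoDep, skipped []string) {
	f := strings.Fields(strings.ReplaceAll(script, "\n", " ; ")) // newline ends a command
	for i := 0; i+1 < len(f); i++ {
		if f[i] != "go" || (f[i+1] != "install" && f[i+1] != "get") {
			continue
		}
		for _, arg := range f[i+2:] {
			if arg == "&&" || arg == "||" || arg == ";" || arg == "|" {
				break // end of this command
			}
			path, ver, _ := strings.Cut(arg, "@")
			switch {
			case strings.HasPrefix(arg, "-"): // flag such as -u, not a package
			case ver == "" || ver == "latest":
				skipped = append(skipped, arg)
			default:
				pinned = append(pinned, GoDep{path, ver})
			}
		}
	}
	return pinned, skipped
}

// requireBlock renders pinned dependencies as a go.mod require block.
func requireBlock(deps []GoDep) string {
	out := "require (\n"
	for _, d := range deps {
		out += "\t" + d.Path + " " + d.Version + "\n"
	}
	return out + ")\n"
}

func main() {
	pinned, skipped := extractGoDeps(sampleSteps)
	fmt.Print(requireBlock(pinned), "skipped: ", skipped, "\n")
}
```

Reporting the skipped arguments, rather than dropping them silently, shows which dependencies remain outside Dependabot's view until they are pinned.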