
Add GH workflow to check go mod tidy#59

Merged
chmeliik merged 2 commits into main from gomodtidy on Feb 11, 2026

Conversation

@chmeliik
Contributor

We've had a couple of occurrences of unused dependencies being merged. Ensure this doesn't happen.

@snyk-io

snyk-io bot commented Feb 11, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scanner | Critical | High | Medium | Low | Total |
|---|---|---|---|---|---|---|
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
| | Licenses | 0 | 0 | 0 | 0 | 0 issues |
| | Code Security | 0 | 0 | 0 | 0 | 0 issues |


Signed-off-by: Adam Cmiel <acmiel@redhat.com>
@chmeliik chmeliik marked this pull request as ready for review February 11, 2026 09:28
@chmeliik chmeliik requested a review from a team as a code owner February 11, 2026 09:28
@qodo-code-review

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0)



Remediation recommended

1. Go version mismatch in CI 🐞 Bug ⛯ Reliability
Description
The new workflow installs Go from the go directive in go.mod, while the repo also declares a
different preferred toolchain; this can cause developers and CI to run go mod tidy under
different Go versions and create recurring go.mod/go.sum churn or confusing failures.
Code

.github/workflows/gomod-tidy.yaml[R16-27]

+      - name: Set up Go
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version-file: go.mod
+
+      - name: Check if dependencies are tidy
+        run: |
+          #!/bin/bash
+          set -o errexit -o nounset -o pipefail
+
+          go mod tidy
+
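Review bot: in the lines shown (R16-27) the step only runs `go mod tidy`; nothing visible fails the job when the result differs from the committed files, so make sure the step continues with `git diff --exit-code -- go.mod go.sum` (or an equivalent clean-tree check), otherwise an untidy module still passes. Minor: the `#!/bin/bash` line inside `run: |` is only a comment, since the runner already executes the script with its default `bash -e` invocation; the `set -o errexit -o nounset -o pipefail` line is the one doing the work and can stay on its own. Pinning `actions/setup-go` to a full commit SHA with the version in a trailing comment is the right call and should be kept for any further actions added to this job.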
Evidence
The workflow explicitly selects Go via go-version-file: go.mod and then runs go mod tidy, while
go.mod declares both a go version and a different toolchain version—creating an environment
mismatch risk for tidy output across machines/CI.

.github/workflows/gomod-tidy.yaml[16-27]
go.mod[1-6]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The new `gomod-tidy` GitHub Actions job runs `go mod tidy` after installing Go based on `go.mod`. However, `go.mod` declares both a `go` version and a different `toolchain` version. This can lead to different Go versions being used across CI vs developer machines, causing repeated `go.mod`/`go.sum` churn or confusing CI failures.

### Issue Context
- Workflow uses `actions/setup-go` with `go-version-file: go.mod` and then runs `go mod tidy`.
- `go.mod` declares `go 1.23.3` and `toolchain go1.24.6`.

### Fix Focus Areas
- .github/workflows/gomod-tidy.yaml[16-27]
- go.mod[1-6]



2. Workflow lacks permissions 🐞 Bug ⛨ Security
Description
The new GitHub Actions workflow does not set explicit permissions, relying on default GITHUB_TOKEN
scopes; least-privilege permissions reduce blast radius if any step/action is compromised.
Code

.github/workflows/gomod-tidy.yaml[R1-12]

+name: go mod tidy
+
+"on":
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  gomod-tidy:
+    runs-on: ubuntu-latest
+
+    steps:
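Review bot: no `permissions:` block appears at either the workflow or the job level in these lines, so the job inherits the repository's default `GITHUB_TOKEN` scopes; a top-level `permissions:` with `contents: read` is all a checkout-plus-`go mod tidy` job needs and keeps the token useless for anything else if a step is ever compromised. Also note the trigger is `pull_request` on `main` only, so a direct push to `main` is not re-checked; that is acceptable if branch protection requires this check before merge, but worth stating in the PR description.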
Evidence
The workflow defines on: and jobs: but does not declare any permissions: block at the workflow
or job level.

.github/workflows/gomod-tidy.yaml[1-12]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The workflow does not define explicit GitHub Actions token permissions, so it uses GitHub defaults. For least privilege, set only the permissions required (this job typically only needs to read repository contents).

### Issue Context
The job checks out code and runs `go mod tidy`; it does not require write access.

### Fix Focus Areas
- .github/workflows/gomod-tidy.yaml[1-12]




We've had a couple of occurrences of unused dependencies being merged.
Ensure this doesn't happen.

Signed-off-by: Adam Cmiel <acmiel@redhat.com>
@chmeliik
Contributor Author

@qodo-code-review

> The new workflow installs Go from the go directive in go.mod, while the repo also declares a
> different preferred toolchain; this can cause developers and CI to run go mod tidy under
> different Go versions and create recurring go.mod/go.sum churn or confusing failures.

No, version 6 handles toolchain properly: https://github.com/actions/setup-go?tab=readme-ov-file#v6-changes

> Workflow lacks permissions

Added
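For reference, an added illustration (not the merged workflow, whose remaining lines are not shown in this thread) of how the two review findings combine in one file: a top-level `permissions: contents: read` and a tidy step that fails the job when `go mod tidy` changes the committed files. The checkout step and the `git diff --exit-code` line are assumptions; the `setup-go` pin is the one from the diff above.

```yaml
name: go mod tidy

# Quoted so YAML 1.1 parsers do not read the key as the boolean `true`.
"on":
  pull_request:
    branches:
      - main

# Least privilege: the job only reads the checkout, so GITHUB_TOKEN gets
# nothing beyond read access to repository contents.
permissions:
  contents: read

jobs:
  gomod-tidy:
    runs-on: ubuntu-latest

    steps:
      # Assumed step: pin to a full commit SHA in real use, as the setup-go
      # step below does; the tag is only a placeholder here.
      - name: Check out
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version-file: go.mod

      - name: Check if dependencies are tidy
        run: |
          set -o errexit -o nounset -o pipefail

          go mod tidy

          # Assumed check: if tidy touched go.mod or go.sum, the tree is no
          # longer clean; --exit-code makes git return 1 and the diff is
          # printed in the job log so the needed change is visible.
          git diff --exit-code -- go.mod go.sum
```

Running the same two commands locally before pushing reproduces exactly what the job checks.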

@chmeliik
Contributor Author

Worked as expected before I committed the go mod tidy changes:

image

@chmeliik chmeliik merged commit 1865bec into main Feb 11, 2026
7 checks passed
@chmeliik chmeliik deleted the gomodtidy branch February 11, 2026 10:09