Set goprivate experiment for Go modules with git_source credentials #1526
Pull Request Overview
This PR implements automatic configuration of the GOPRIVATE environment variable for Go modules when git_source credentials are present. The change ensures that the goprivate experiment is set regardless of whether credentials come from the config file or global Private Registry configuration.
- Adds automatic detection of git_source credentials for Go modules
- Sets the goprivate experiment to '*' when appropriate conditions are met
- Updates type definition for experiments object to be more specific
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/updater.ts | Adds setGoModuleConfiguration method to automatically set goprivate experiment when git_source credentials are present for Go modules |
| src/api-client.ts | Updates experiments type from generic object to Record<string, any> for better type safety |
| tests/updater.test.ts | Adds comprehensive test coverage for the new Go module configuration logic across various scenarios |
86ba1cb to b101a5a
The `goprivate` experiment/option configures the GOPRIVATE environment variable in dependabot-core. Currently this only works for registries added via the config file, where the option is added in the API. With the addition of global Private Registry config via GitHub UI, credentials can now also be passed through action environment variables. This ensures the GOPRIVATE=* environment variable is configured for the Go toolchain whenever git_source credentials are present, regardless of their source.
b101a5a to 5cf324d
@@ -105,6 +106,21 @@ export class Updater { | |||
return result | |||
} | |||
|
|||
private setGoModuleConfiguration(): void { |
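Review bot: `setGoModuleConfiguration()` has no doc comment, and per the PR description it sets `goprivate` to `'*'`, which is broader than the credentials require. GOPRIVATE is the default for GONOPROXY and GONOSUMDB, so a wildcard also takes public dependencies off the module proxy and the checksum database. Consider building the pattern list from the hosts of the git_source credentials instead, and state on the method which inputs it reads and what it mutates.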
This seems like it should go in Core in the Go ecosystem code. Any reason this can't be done in the same place as dependabot/dependabot-core#12747?
It's a valid question, I think it could go there. I put it here because it was previously in the job description, and this is the next place up where we have the full picture.
The way it is currently implemented in core it's a little tricky to centralize it where you pointed to, we pull out the value in a bunch of different classes and they get instantiated from the updater.
However, there are some more edge cases around how we handle this together with the `go.env` file, so I have a branch of core locally where I'm reshuffling the whole thing to just set these instance variables for the toolchain once, centralized in that one spot, and this actually is a perfect fit for that.
I can move it there, it does end up becoming a relatively large change, adding this will make it a bit bigger even, but I think it's manageable overall:
12 files changed, 141 insertions(+), 87 deletions(-)
I think it's the right thing to do, having `if package_manager == X` spread around in different places isn't sustainable. Also consider we'll need to do this in the CLI so ADO can also use private Go Proxies.
This is a good opportunity to remove the goprivate code from the API as well. It seems all the info we need for this is in the credentials-metadata already, and having the goprivate settings as an "experiment" has always seemed odd.
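The rule stated in the PR description, written out as an added TypeScript example that is not the PR's code or dependabot's: `goprivate` becomes `'*'` for a Go modules job when a git_source credential is present from either source. The `Job` and `Credential` shapes, their field names and both function names are assumptions; `scopedGoPrivate` goes beyond the PR and shows a host-scoped value for comparison.

```typescript
// Added example. Shapes and names are assumptions, not dependabot's own types.
interface Credential {
  type: string
  host?: string
}

interface Job {
  packageManager: string // assumed field name
  credentials: Credential[] // credentials that came with the job (config file)
  experiments: Record<string, unknown>
}

// Returns a copy of the job's experiments with goprivate set to '*' when the
// job is a Go modules update and any git_source credential is present,
// whichever source it came from. A goprivate value already set is kept.
function withGoPrivate(job: Job, globalCredentials: Credential[]): Record<string, unknown> {
  const experiments: Record<string, unknown> = { ...job.experiments }
  if (job.packageManager !== 'go_modules') return experiments
  if (experiments['goprivate'] !== undefined) return experiments

  const all = job.credentials.concat(globalCredentials)
  if (all.some(c => c.type === 'git_source')) {
    experiments['goprivate'] = '*'
  }
  return experiments
}

// Narrower alternative (not what the PR does): list only the credential hosts.
// GOPRIVATE takes comma-separated module path prefixes, so modules outside
// these hosts keep using the module proxy and checksum database.
function scopedGoPrivate(credentials: Credential[]): string {
  const hosts = credentials
    .filter(c => c.type === 'git_source' && !!c.host)
    .map(c => c.host as string)
  return hosts.filter((h, i) => hosts.indexOf(h) === i).sort().join(',')
}

// Constructed sample input: no config-file credentials, three global ones.
const sampleJob: Job = { packageManager: 'go_modules', credentials: [], experiments: {} }
const sampleGlobal: Credential[] = [
  { type: 'git_source', host: 'git.example.com' },
  { type: 'npm_registry', host: 'npm.example.com' },
  { type: 'git_source', host: 'git.example.com' },
]
console.log(withGoPrivate(sampleJob, sampleGlobal), scopedGoPrivate(sampleGlobal))
```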