Rewrite dependency version check as Go tool, extend to main branch#9816
Open
chaptersix wants to merge 8 commits intomainfrom
Open
Rewrite dependency version check as Go tool, extend to main branch#9816chaptersix wants to merge 8 commits intomainfrom
chaptersix wants to merge 8 commits intomainfrom
Conversation
chaptersix
commented
Apr 3, 2026
chaptersix
force-pushed
the
validate-api-version
branch
4 times, most recently
from
8859280 to
56fdf07
Compare
Replace the inline bash script in check-release-dependencies.yml with a Go tool that validates go.mod dependency versions using go tooling and git directly, removing the need for GitHub API calls. Release/cloud branches require stable semver tags (vX.Y.Z) verified via go list. Main branch allows tagged releases or pseudo-versions, with pseudo-version branch validation using go mod download (GOPROXY=direct) and git ls-remote to confirm the commit is on the module's default branch.
chaptersix
force-pushed
the
validate-api-version
branch
from
1558a44 to
fdafcf2
Compare
chaptersix
force-pushed
the
validate-api-version
branch
from
fd8d10d to
e1cb26d
Compare
- Rename validate-api-go-version to check-dependencies - Remove verifyVersion and go list subprocess call - Remove redundant cat-file pre-check and dead code - Fix broken retraction check logic - Add package doc comment
chaptersix
changed the title
stephanos
reviewed
Apr 7, 2026
chaptersix
changed the title
Contributor
Author
|
need to add some integration tests. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Rewrites the release dependency check as a Go tool and extends it to cover the main branch.
The original check was a shell script using
grep/awkto extract versions fromgo.mod. Moving to Go lets us usegolang.org/x/mod/modfile(proper AST parsing),module.IsPseudoVersion/PseudoVersionRev(pseudo-version decomposition), andsemver.IsValid— none of which are feasible to replicate reliably in shell. Using a Go tool is also consistent with the pattern incmd/tools/.The rewrite also extends validation: the original script only enforced tagged releases on
release/*andcloud/*branches. The new tool adds amainbranch policy: pseudo-versions are allowed on main, but the referenced commit must be on the dependency's default branch (not a feature branch or a fork).Policies enforced
release/*andcloud/*: must be tagged semver releasesmain: tagged releases accepted; pseudo-versions must reference a commit on the dependency's default branchWhy
If an API or SDK references a commit that's not on the main branch or a tag, it creates problems when bumping the version later on. There was a recent occurrence of this.
Running locally
Pass the branch you're targeting as
--base-branch. For example, to simulate a PR against a release branch: