1

I'm trying to use Dependabot to auto-update a private Go repository. My current dependabot.yml looks like this:

version: 2
updates:
  - package-ecosystem: 'gomod'
    directory: '/'
    schedule:
      interval: 'daily'
    allow:
    - dependency-name: "<private-dependency>"

The "private-dependency" does not track versions so I want to update against a specific branch.

I understand I can do this manually by running go get private-dependency@branch but I can't find any documentation on whether I can do so via Dependabot.

I can create a GitHub Action for running the command and opening a PR but would want to avoid doing so if possible.

Does Dependabot even support updating Go dependencies that track branches? How can I do this using Dependabot?

vkainth

1 Answer

0

I opened a customer support ticket with GitHub and their official response is:

After speaking with Engineering, it was found that according to Golang's documentation the commit-based versions are considered "pseudo-versions" and intended for development. Dependabot seeks for stable versions to suggest as a possible update rather than development versions.

According to this, Dependabot doesn't support this feature yet but they are open to taking a feature request. For our purposes, we started tagging our releases with SemVer and that solved the issue.

Just leaving an answer for posterity and those that might be interested in following this up.

vkainth
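To see which requirements in a go.mod fall into the pseudo-version category the support response describes, and so get no update suggestions, the following added example (not part of the original post or any GitHub tooling) scans go.mod text and lists them. The module paths and versions in the sample are constructed, and the regular expression is modelled on the documented pseudo-version forms rather than taken from Dependabot.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Matches the three documented pseudo-version shapes, e.g.
// v0.0.0-yyyymmddhhmmss-commit and vX.Y.Z-0.yyyymmddhhmmss-commit.
var pseudoRE = regexp.MustCompile(`^v[0-9]+\.(0\.0-|\d+\.\d+-([^+]*\.)?0\.)\d{14}-[A-Za-z0-9]+(\+[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$`)

// IsPseudoVersion reports whether v is a commit-based pseudo-version.
func IsPseudoVersion(v string) bool { return pseudoRE.MatchString(v) }

// Constructed sample input: one branch-tracked module, one tagged release,
// one indirect pseudo-version, and one single-line require.
const sampleGoMod = `module example.com/app

require (
	example.com/private/lib v0.0.0-20240102150405-abcdef123456 // tracks a branch
	example.com/tagged/lib v1.4.2
	example.com/other v1.2.4-0.20240102150405-abcdef123456 // indirect
)
require example.com/single v2.0.0+incompatible
`

// PseudoPinned returns the module paths whose required version is a
// pseudo-version, covering both require blocks and single-line requires.
func PseudoPinned(gomod string) []string {
	var out []string
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop trailing comments
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require" && IsPseudoVersion(f[2]):
			out = append(out, f[1])
		case inBlock && len(f) == 2 && IsPseudoVersion(f[1]):
			out = append(out, f[0])
		}
	}
	return out
}

func main() { fmt.Println(PseudoPinned(sampleGoMod)) }
```

Modules it reports are the ones to move onto SemVer tags, or to cover with a separate update job, if they are to receive automated update PRs.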