Go: Support workspaces

[johanneswuerbach]

Is there an existing issue for this?

• [X] I have searched the existing issues

Feature description

Golang 1.18 introduced the support for workspaces to simplify the management of multiple modules in one repository.

Dependabot could use the go.work file to:

• automatically discover all referenced sub-modules
• bump dependencies consistently across them

Something similar is already supported in the JS world with lerna https://github.com/dependabot/dependabot-core/pull/197 and yarn.

[jeffwidman]

Can you clarify the scenarios where this would be useful?

I typically refrain from checking a go.work file into git, and most other gophers I know do the same. There's even an issue discussing whether to formalize that recommendation:

• https://github.com/golang/go/issues/53502

If it's not actually checked into VCS, then Dependabot won't be able to bump it...

[johanneswuerbach]

We have several repositories, which contain multiple modules, were we commit go.work files so editor code completion etc. just works.

In those cases dependabot should auto-discover all modules based on the go.work file and ideally also keep dependency versions in-sync.

[Drache93]

Like the original issue mentioned, Lerna and Yarn already do this for JS. As discussed in that Go proposal @jeffwidman mentioned, the use case where go.work is checked in, is monorepos (not to duplicate that discussion here). In my case, we have multiple applications and their shared libraries in a monorepo.

[lucacome]

I'm interested in this as well. Any plans to implement it?

[grzesuav]

Actually it would be super useful to have it also running go work sync to update all references. Regarding go.work being committed to VCS - this is one way how it implement monorepo in golang