From 62b83956bbd42a86746ffc4c033f84535db3da48 Mon Sep 17 00:00:00 2001
From: Phillip Cloud <417981+cpcloud@users.noreply.github.com>
Date: Thu, 23 Apr 2026 08:16:10 -0400
Subject: [PATCH 1/3] ci(vendor-hash): block major indirect bumps and skip false-positive hooks

PR #977 (the first batched go-indirect run under the new config) surfaced two remaining gaps:
1. Renovate kept attempting major-version bumps on indirect deps (openai-go v1 -> v3, modernc.org/libc v1 -> v2). A new major is a different Go module path, and nothing in the repo imports the new path, so `go mod tidy` strips the added lines on every workflow run. The PR is a guaranteed no-op that never reconciles with main. Disable major update-types for the indirect rule so Renovate stops opening them.
2. When `go mod tidy` does reshape go.sum without altering vendor contents (exactly the scenario above), the Commit and push step trips two pre-commit hooks that fire as false positives here: vendor-hash-check ("go.sum changed but nix/package.nix did not") and go-mod-tidy ("tidy would modify files" -- it already did, we are about to stage the result). Scope SKIP to these two hook IDs on that one step; all other hooks still run.
---
 .github/workflows/update-vendor-hash.yml | 9 +++++++++
 renovate.json | 7 +++++++
 2 files changed, 16 insertions(+)
diff --git a/.github/workflows/update-vendor-hash.yml b/.github/workflows/update-vendor-hash.yml
index aa323959..5b650551 100644
--- a/.github/workflows/update-vendor-hash.yml
+++ b/.github/workflows/update-vendor-hash.yml
@@ -128,6 +128,15 @@ jobs:
 run: nix build '.#micasa' --no-link -L
 - name: Commit and push
+ env:
+ # Skip hooks this workflow would always trip as false positives:
+ # - vendor-hash-check fires when go.sum is staged but nix/package.nix
+ # is not, which is exactly the state when `go mod tidy` reshapes
+ # go.sum without altering vendor contents (this step already ran
+ # the authoritative hash computation above).
+ # - go-mod-tidy reruns tidy and complains if it would change files;
+ # the Tidy go modules step upstream already tidied.
+ SKIP: vendor-hash-check,go-mod-tidy
 run: |
 git config user.name "github-actions[bot]"
 git config user.email "github-actions[bot]@users.noreply.github.com"
diff --git a/renovate.json b/renovate.json
index 27d97143..65cba7e0 100644
--- a/renovate.json
+++ b/renovate.json
@@ -27,6 +27,13 @@
 "separateMultipleMajor": false,
 "separateMinorPatch": false
 },
+ {
+ "description": "Never bump indirect Go deps across majors. A new major is a different module path; nothing in this repo imports it, so go mod tidy just strips the new lines again.",
+ "matchManagers": ["gomod"],
+ "matchDepTypes": ["indirect"],
+ "matchUpdateTypes": ["major"],
+ "enabled": false
+ },
 {
 "description": "Group GitHub Actions updates",
 "matchManagers": ["github-actions"],
From d414d2fce3d4e7ef2869cc7000b2111c9c2d6411 Mon Sep 17 00:00:00 2001
From: Phillip Cloud <417981+cpcloud@users.noreply.github.com>
Date: Thu, 23 Apr 2026 08:24:54 -0400
Subject: [PATCH 2/3] ci(vendor-hash): drop go-mod-tidy from SKIP

The Tidy go modules step upstream already runs `go mod tidy`, so by the time the Commit and push step runs the tree is tidy and the go-mod-tidy hook is a pass-through no-op. Leaving it in SKIP was defending against a scenario that cannot occur on this path. vendor-hash-check is still skipped for the reason documented on the env comment.
---
 .github/workflows/update-vendor-hash.yml | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
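Review bot: The `env:` comment on the new `SKIP` entry explains why the two hooks are bypassed but not what reads the variable, so a reader has to already know it is pre-commit's comma-separated list of hook ids to skip; a first line such as `# SKIP is read by pre-commit: comma-separated hook ids not to run for this one commit.` would close that gap. Setting it on the step's `env:` rather than job-wide is the right scope, since it only affects the single `git commit` this step makes. Two caveats worth recording: the go-mod-tidy entry guards a case the comment itself says cannot occur once the Tidy step has run, and bypassing vendor-hash-check on the only step that pushes drops a cross-check that nix/package.nix moved with go.sum (the `nix build` above presumably catches a stale vendorHash, but only if execution reaches it); patches 2 and 3 of this series remove both entries again, so the net effect on this file across the series is nil. The step's `run:` block continues past the hunk.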
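Review bot: An `enabled: false` rule matching every major update of indirect gomod deps will, as far as I can tell, also suppress a PR Renovate would open for a vulnerability alert whose only fixed release is a new major — worth confirming against the repo's `vulnerabilityAlerts` settings, since that is the one case where silently dropping the update matters. The `description` already implies how such a fix must arrive (through the direct dependency that imports the new module path), so spelling it out there would stop the rule being read as a blanket opt-out: append `Security fixes that need a new indirect major have to land via the direct dependency that imports it.` to the description string.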
diff --git a/.github/workflows/update-vendor-hash.yml b/.github/workflows/update-vendor-hash.yml
index 5b650551..14a3b17f 100644
--- a/.github/workflows/update-vendor-hash.yml
+++ b/.github/workflows/update-vendor-hash.yml
@@ -129,14 +129,12 @@ jobs:
 - name: Commit and push
 env:
- # Skip hooks this workflow would always trip as false positives:
- # - vendor-hash-check fires when go.sum is staged but nix/package.nix
- # is not, which is exactly the state when `go mod tidy` reshapes
- # go.sum without altering vendor contents (this step already ran
- # the authoritative hash computation above).
- # - go-mod-tidy reruns tidy and complains if it would change files;
- # the Tidy go modules step upstream already tidied.
- SKIP: vendor-hash-check,go-mod-tidy
+ # vendor-hash-check fires when go.sum is staged but nix/package.nix
+ # is not, which is exactly the state when `go mod tidy` reshapes
+ # go.sum without altering vendor contents. The compute step above
+ # already ran the authoritative nix build, so this hook has nothing
+ # to add here.
+ SKIP: vendor-hash-check
 run: |
 git config user.name "github-actions[bot]"
 git config user.email "github-actions[bot]@users.noreply.github.com"
From 91ff3375821dd2f45240040deff4d82e571aa08c Mon Sep 17 00:00:00 2001
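Review bot: Leaving go-mod-tidy enabled assumes the hook's `go mod tidy` runs with the same toolchain and flags as the Tidy step earlier in the workflow; if the hook resolves a different Go version (for example one managed by pre-commit rather than the job's), tidy can rewrite the `go`/`toolchain` directives in go.mod and fail the commit even though the tree was tidy a moment earlier. That assumption is what makes the hook a no-op, so it belongs next to the remaining `SKIP` entry: `# go-mod-tidy stays enabled: the Tidy step above uses the same toolchain, so it must be a no-op here.` Whether the two toolchains actually match is not visible from this hunk; the Tidy step sits outside it.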
From: Phillip Cloud <417981+cpcloud@users.noreply.github.com>
Date: Thu, 23 Apr 2026 08:26:12 -0400
Subject: [PATCH 3/3] ci(vendor-hash): drop vendor-hash-check from SKIP

Once indirect majors are blocked at the Renovate layer, every remaining Renovate PR that reaches this workflow bumps a module in place. go.sum changes and vendor content changes together, so the computed vendorHash moves with go.sum and nix/package.nix is always staged with a real diff. vendor-hash-check then has both files staged and exits 0 on its own. Suppressing it was papering over the symptom of the scenario that rule was added to eliminate. If the hook ever fires again from inside this workflow, that is a real invariant break worth investigating, not something to silence.
---
 .github/workflows/update-vendor-hash.yml | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/.github/workflows/update-vendor-hash.yml b/.github/workflows/update-vendor-hash.yml
index 14a3b17f..aa323959 100644
--- a/.github/workflows/update-vendor-hash.yml
+++ b/.github/workflows/update-vendor-hash.yml
@@ -128,13 +128,6 @@ jobs:
 run: nix build '.#micasa' --no-link -L
 - name: Commit and push
- env:
- # vendor-hash-check fires when go.sum is staged but nix/package.nix
- # is not, which is exactly the state when `go mod tidy` reshapes
- # go.sum without altering vendor contents. The compute step above
- # already ran the authoritative nix build, so this hook has nothing
- # to add here.
- SKIP: vendor-hash-check
 run: |
 git config user.name "github-actions[bot]"
 git config user.email "github-actions[bot]@users.noreply.github.com"