Upgraded main and example Go dependencies pre 2.49-rc.0

[bwplotka]

Pre step for 2.49-rc.0

Added cmd for documentation module update due to https://github.com/prometheus/prometheus/security/dependabot/92 & other similar alerts.

[bwplotka]

hmmmm

/go/pkg/mod/github.com/hashicorp/nomad/api@v0.0.0-20231206220849-8cde7a4f70c0/error_unexpected_response.go:11:2: package slices is not in GOROOT (/usr/local/go/src/slices)
!! command failed: build -o /__w/prometheus/prometheus/prometheus -ldflags -X github.com/prometheus/common/version.Version=2.48.0 -X github.com/prometheus/common/version.Revision=bc3ed6f8dc155b57f45c23fc40bf0e304dee1f9a -X github.com/prometheus/common/version.Branch=HEAD -X github.com/prometheus/common/version.BuildUser=root@d61296eb83cb -X github.com/prometheus/common/version.BuildDate=20231207-12:12:23  -extldflags '-static' -tags netgo,builtinassets,stringlabels github.com/prometheus/prometheus/cmd/prometheus: exit status 1
make: *** [Makefile.common:200: common-build] Error 1

Disabled that update for now.

[SuperQ]

This isn't really necessary anymore as we have dependabot that watches for Go updates.

[bwplotka]

True, but we don't do a good job of merging/reviewing/addressing blockers on those dependabot PRs, so far.

Anyway, was quicker for me to do one PR here than checking & fixing & rebasing 5+ dependabot PRs.

[SuperQ]

I am objecting to this change. I think we can do a better job of using dependabot for what it's good for.

[bwplotka]

Hm, so that blocks having latest minor versions for all our Go packages on new release, are you sure?

I don't see how I can do it with dependabot at the moment (e.g. to include documentation go.mod). It periodically proposes PRs to upgrade some groups, plus it takes time to merge all groups one by one, wait for tests, rebase (every PR generate conflicts with go.mod) and repeat X times. Am I missing something? e.g. dependabot/dependabot-core#2980 ..even if there is some configuration to do, I don't have time to do it right now.

What's the harm in upgrading in bulk while we wait for improved dependabot and us reconfiguring things for better state? 🤔

[bboreham]

I think the right way to change the release process would be to make a PR changing https://github.com/prometheus/prometheus/blob/main/RELEASE.md#manually-updating-go-dependencies

(I'm unclear how or if dependabot works, but ok to change the system given clear instructions)

[beorn7]

I think of dependabot as a tool helping the release shepherd. It's the release shepherd's call if they want to utilize it or not. AFAIK dependabot will simply close the PRs that aren't needed anymore because the dependency was updated manually.