update-go-deps
// Update all direct Go module dependencies to their latest versions, tidy the module graph, verify tests pass, and commit the result. Use when you want to bump deps, address CVEs, or do routine dependency maintenance.
| name | update-go-deps |
| description | Update all direct Go module dependencies to their latest versions, tidy the module graph, verify tests pass, and commit the result. Use when you want to bump deps, address CVEs, or do routine dependency maintenance. |
| user-invocable | true |
| disable-model-invocation | true |
| allowed-tools | Read, Write, Edit, Bash, Glob, Grep |
Update all direct Go module dependencies to their latest versions, clean up the module graph, verify the build still works, and commit.
1. Run `git status`. If there are uncommitted changes, stop and ask the user how to proceed.
2. Run `find . -name go.mod -not -path '*/vendor/*'`. Work through each module directory in turn.

For each module directory:

1. `cd` into the directory.
2. Run `go get -u ./...` to upgrade all direct dependencies to their latest minor/patch versions.
3. Run `go mod tidy` to prune unused indirect deps and update `go.sum`.
4. If a `vendor/` directory exists, run `go mod vendor` to sync it.
5. Run `go build ./...` and fix any compilation errors before continuing.
6. Run `go test ./...`. If tests fail, investigate whether the failure is pre-existing or caused by the update.
   - `go get <module>@<version>`, then re-tidy.
7. If the repository has a lint step (`golangci-lint`, `make check-style`), run it and fix new issues introduced by the updated deps.

Generate a human-readable summary of what changed:
```
git diff -- '*/go.mod'
```
Group changes by type:
Stage `go.mod`, `go.sum`, and `vendor/` (if present): do not stage unrelated files.

Commit message:

```
chore(deps): update Go dependencies

<paste summary of notable upgrades here>
```
- `go` directive in `go.mod`: use `/dev-workflows:update-go-version` to update the module's `go` directive.
- If there is a `replace` directive in `go.mod`, preserve it unless the user explicitly asks to remove it.
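The summary step above (`git diff -- '*/go.mod'`, grouped by type) can be scripted. The following is an added example, not part of the original skill: the function names and the group names `added`/`removed`/`updated` are assumptions, and the sample diff is constructed.

```shell
#!/bin/sh
# Constructed sample of `git diff -- '*/go.mod'` output; module names are made up.
sample_gomod_diff() {
  cat <<'EOF'
diff --git a/server/go.mod b/server/go.mod
--- a/server/go.mod
+++ b/server/go.mod
@@ -5,8 +5,8 @@
 require (
-	example.com/alpha v1.4.0
+	example.com/alpha v1.6.2
-	example.com/legacy v0.3.1 // indirect
+	example.com/fresh v0.1.0 // indirect
-	example.com/same v2.0.0 // indirect
+	example.com/same v2.0.0
 )
EOF
}

# Reads a go.mod diff on stdin; prints "<kind> <file> <module> <old> -> <new>".
# Hypothetical helper; the kinds added/removed/updated are an assumption.
summarize_gomod_diff() {
  awk '
    /^\+\+\+ / { file = $2; sub(/^b\//, "", file); next }  # track which go.mod
    /^--- / || /=>/ { next }                 # file header or replace directive
    /^[-+]/ {
      sign = substr($0, 1, 1); line = substr($0, 2)
      sub(/^[ \t]*(require[ \t]+)?/, "", line)
      n = split(line, f, /[ \t]+/)
      # keep only "<module path> v<version>"; skips go/toolchain/retract lines
      if (n < 2 || f[1] !~ /\./ || f[2] !~ /^v/) next
      key = file " " f[1]
      if (!(key in seen)) { seen[key] = 1; order[++count] = key }
      if (sign == "-") oldv[key] = f[2]; else newv[key] = f[2]
    }
    END {
      for (i = 1; i <= count; i++) {
        k = order[i]; o = oldv[k]; n = newv[k]
        if (o == n) continue                 # only a comment or position changed
        kind = (o == "") ? "added" : ((n == "") ? "removed" : "updated")
        printf "%s %s %s -> %s\n", kind, k, (o == "" ? "-" : o), (n == "" ? "-" : n)
      }
    }'
}

sample_gomod_diff | summarize_gomod_diff
```

Rows reported as `added` are modules newly entering the build, so they are the ones to review most closely before committing.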