sq-gomod-dependabot
Reviews and merges Dependabot pull requests for Go modules (gomod) at the sq repo root. Use for dependabot gomod PRs, go.mod/go.sum updates, and Go module security bumps—not site/ Bun PRs.
| Field | Value |
|---|---|
| name | sq-gomod-dependabot |
| description | Reviews and merges Dependabot pull requests for Go modules (gomod) at the sq repo root. Use for dependabot gomod PRs, go.mod/go.sum updates, and Go module security bumps—not site/ Bun PRs. |
| license | MIT |
| compatibility | Requires gh CLI (authenticated), Go toolchain, make test-short, and network access to GitHub. |
| metadata | {"author":"Todd Papaioannou","homepage":"https://sq.io","version":"0.2.0"} |
Maintainer workflow for Dependabot PRs updating `go.mod` / `go.sum` at the repository root. For `site/` Bun/Hugo PRs, use `sq-site-dependabot`.
No bun.lock sequencing — multiple gomod PRs are less coupled than site PRs,
but still prefer merging after CI is green.
| Mode | Actions | Merge |
|---|---|---|
| Audit | List/classify; direct vs indirect | No |
| Validate | Diff review; make test-short | No |
| Full | Validate + merge with consent | Per PR |
Default to Audit unless the user asks to merge.
```bash
command -v gh >/dev/null && gh auth status
command -v go >/dev/null && go version
```
From repository root:
```bash
gh pr list --author 'app/dependabot' --state open \
  --json number,title,headRefName,mergeable,statusCheckRollup \
  --jq '.[] | select(.headRefName | test("^dependabot/")) | select(.title | test("go|gomod|golang"; "i"))'
```
Confirm the PR does not only touch `site/` (`gh pr diff <n> --name-only`). If it touches both, split judgment: site hunks → `sq-site-dependabot`.
| Level | Examples | Action |
|---|---|---|
| Low | Patch indirect, test-only modules | Merge after CI |
| Medium | Direct minor/patch runtime dep | Notes + test-short |
| High | Major, replace, breaking sec | Hold; full review |
On PR branch:
```bash
make test-short
# or make test for full driver integration (Docker)
```
Review `go mod why` output and the diff for unexpected indirect churn.
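A first-pass triage of the `go.mod` hunk against the Low/Medium/High table above, as an added example that is not part of the sq repository or this skill. The function name, the sample module paths, and the handling of cases the table leaves open (indirect minor bumps and newly added requirements are reported as medium) are assumptions; test-only modules cannot be detected from `go.mod` and are not classified.

```shell
#!/usr/bin/env bash
# Added example (not from the sq repo): classify go.mod changes from a unified
# diff on stdin. Output per module: <module> <old> <new> <kind> <bump> <risk>
classify_gomod_diff() {
  awk '
    # Split v1.2.3[-pre][+meta] into numeric major/minor/patch parts.
    function semver(v, out,   core) {
      core = v; sub(/^v/, "", core); sub(/[-+].*$/, "", core)
      split(core, out, /\./)
    }
    /^(---|[+][+][+])/ { next }                       # diff file headers
    /^[-+][ \t]*replace[ \t(]/ || (/^[-+]/ && /=>/) { replaced = 1; next }
    /^[-+][ \t]*(require[ \t]+)?[^ \t]+[ \t]+v[0-9]/ {
      sign = substr($0, 1, 1)
      line = substr($0, 2); sub(/^[ \t]*(require[ \t]+)?/, "", line)
      split(line, f, /[ \t]+/)
      key = f[1]; sub(/\/v[0-9]+$/, "", key)          # v2+ majors change the /vN suffix
      if (sign == "-") { old[key] = f[2]; next }
      new[key] = f[2]
      kind[key] = (line ~ /\/\/ indirect/) ? "indirect" : "direct"
    }
    END {
      if (replaced) print "(replace)", "-", "-", "-", "changed", "high"
      for (m in new) {
        if (!(m in old)) {          # assumption: new requirement gets a manual look
          print m, "-", new[m], kind[m], "new", "medium"; continue
        }
        if (old[m] == new[m]) continue   # only the indirect marker moved
        semver(old[m], a); semver(new[m], b)
        bump = (a[1] != b[1]) ? "major" : ((a[2] != b[2]) ? "minor" : "patch")
        if (bump == "major") risk = "high"
        else if (kind[m] == "indirect" && bump == "patch") risk = "low"
        else risk = "medium"        # assumption: indirect minor is treated as medium
        print m, old[m], new[m], kind[m], bump, risk
      }
    }
  ' | sort
}
# Constructed sample diff (module names and versions are invented).
SAMPLE_DIFF='--- a/go.mod
+++ b/go.mod
@@ -5,9 +5,9 @@ require (
-	example.com/direct/lib v1.4.2
+	example.com/direct/lib v1.5.0
-	example.com/indirect/util v0.3.1 // indirect
+	example.com/indirect/util v0.3.2 // indirect
-	example.com/big/v2 v2.9.0
+	example.com/big/v3 v3.0.0'
printf '%s\n' "$SAMPLE_DIFF" | classify_gomod_diff
```

On the PR branch, feed it only the `go.mod` diff (for example `git diff <base>...HEAD -- go.mod`), because `go.sum` lines have the same `module version` shape and would be misread as requirements.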
After required checks pass:
```bash
gh pr merge <n> --squash --delete-branch
```
Use `--admin` only when the user explicitly requests it and checks are green.
```markdown
## Dependabot gomod PR #NNN — <module>
- **Direct/indirect:** …
- **CI:** pass / fail
- **make test-short:** pass / fail
- **Verdict:** merge | hold
```
See AGENTS.md.