River Pro is distributed via a private Go proxy, which may require custom configuration to work with automated dependency upgrade tools like Dependabot. This page describes how to configure those dependency update tools to work with River Pro.
Dependabot
Dependabot's support for private Go proxies is in preview as of September 2025 and is not yet fully documented. The recommended way to configure Dependabot to work with River Pro is with a go.env
file in your project root, as well as custom private registry configuration in your .github/dependabot.yaml
file.
The GONOSUMDB
environment variable is required to prevent Go from attempting to verify checksums for private modules which are not accessible to the checksum database.
GONOSUMDB=riverqueue.com/riverpro
version: 2registries: golang-proxy: type: goproxy-server url: https://proxy.golang.org username: "" password: "" riverpro-proxy: type: goproxy-server url: https://riverqueue.com/goproxy username: river password: ${{secrets.RIVER_PRO_SECRET}}updates: - package-ecosystem: "gomod" directory: "/" # Location of package manifests groups: go-dependencies: update-types: - "minor" - "patch" registries: # Prefer to fetch from the main public Go proxy, falling back to # River's private proxy for modules not found there. - golang-proxy - riverpro-proxy schedule: interval: "weekly"
Configuring your secret
This setup requires the presence of the RIVER_PRO_SECRET
in the environment. Refer to GitHub's documentation for storing credentials for Dependabot to use, either as a repository secret or an organization secret. For more about River secrets, see Installing private Go modules.