Dependency updates

River Pro is distributed via a private Go proxy, which may require custom configuration to work with automated dependency upgrade tools like Dependabot. This page describes how to configure those dependency update tools to work with River Pro.


Dependabot

Dependabot's support for private Go proxies is in preview as of September 2025 and is not yet fully documented. The recommended way to configure Dependabot to work with River Pro is with a go.env file in your project root, as well as custom private registry configuration in your .github/dependabot.yaml file.

The GONOSUMDB environment variable is required to prevent Go from attempting to verify checksums for private modules, which are not accessible to the checksum database.

go.env
GONOSUMDB=riverqueue.com/riverpro

.github/dependabot.yaml
version: 2
registries:
  golang-proxy:
    type: goproxy-server
    url: https://proxy.golang.org
    username: ""
    password: ""
  riverpro-proxy:
    type: goproxy-server
    url: https://riverqueue.com/goproxy
    username: river
    password: ${{secrets.RIVER_PRO_SECRET}}
updates:
  - package-ecosystem: "gomod"
    directory: "/" # Location of package manifests
    groups:
      go-dependencies:
        update-types:
          - "minor"
          - "patch"
    registries:
      # Prefer to fetch from the main public Go proxy, falling back to
      # River's private proxy for modules not found there.
      - golang-proxy
      - riverpro-proxy
    schedule:
      interval: "weekly"
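
GONOSUMDB is a comma-separated list of glob patterns matched against module path prefixes, so its value decides exactly which modules skip checksum database verification. The following added example (not part of River's documentation or code) re-implements that matching with the standard library to check that the go.env value above exempts only River Pro; the helper names, the sample module paths and the assumption that go.env holds plain KEY=value lines are illustrative.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// skipsSumDB reports whether modulePath matches one of the comma-separated
// glob patterns in gonosumdb. A pattern with N slashes is compared against
// the first N+1 path elements of the module path (prefix matching).
func skipsSumDB(gonosumdb, modulePath string) bool {
	elems := strings.Split(modulePath, "/")
	for _, glob := range strings.Split(gonosumdb, ",") {
		n := strings.Count(glob, "/") + 1
		if glob == "" || len(elems) < n {
			continue // empty entry, or module path shorter than the pattern
		}
		if ok, _ := path.Match(glob, strings.Join(elems[:n], "/")); ok {
			return true
		}
	}
	return false
}

// gonosumdbFrom returns the GONOSUMDB value from go.env-style text
// (assumed format: KEY=value lines, '#' comments), or "" if it is not set.
func gonosumdbFrom(goEnv string) string {
	for _, line := range strings.Split(goEnv, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "GONOSUMDB=") {
			return strings.TrimPrefix(line, "GONOSUMDB=")
		}
	}
	return ""
}

func main() {
	// Constructed go.env contents, using the value from this page.
	value := gonosumdbFrom("# constructed sample\nGONOSUMDB=riverqueue.com/riverpro\n")
	for _, m := range []string{ // constructed sample module paths
		"riverqueue.com/riverpro",
		"riverqueue.com/riverpro/example/submodule",
		"riverqueue.com/riverprofessional",
		"github.com/riverqueue/river",
	} {
		fmt.Printf("%-45s skips checksum DB: %v\n", m, skipsSumDB(value, m))
	}
}
```

A broader value such as `*` would match every module path and turn off checksum database verification for public dependencies as well, which is why the pattern is scoped to riverqueue.com/riverpro.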

Configuring your secret

This setup requires a secret named RIVER_PRO_SECRET to be available to Dependabot. Refer to GitHub's documentation for storing credentials for Dependabot to use, either as a repository secret or an organization secret. For more about River secrets, see Installing private Go modules.