Looking for suggestions from #Golang folks in enterprises. How do you handle dependencies on other internal repos?

Here's what happened: I got asked to add a feature to company/logger, so I start my work off the main branch. I get my feature done, and go to test it by pointing company/foo to my branch on a testing branch of its own. Simple enough, right? Wrong.

You see company/foo uses company/logger, but from a branch that was deleted 2 yrs ago. Additionally, that branch of company/logger references a company/proto dependency which is also from a branch deleted 2 yrs ago. Needless to say, a lot has changed in two years since these branches diverged. Nothing in the build or test phases highlighted this issue. For two years, we'd been running unsupported code in production.

Fast-forward to 3 days later, and I finally reconciled 2 yrs of drift between the three repositories (complicated by an organization rename/migration which involved duplication of the google protobuf global initialization nonsense).

We already have GOPRIVATE to specify our internal repo prefixes. So, is it reasonable or traditional for enterprise CI/CD to check go.mod for GOPRIVATE repos and require that they be tagged or on the tree's mainline? If so, are there tools that do this? My searching for "go module audits" isn't really helping since that's all vulnerability stuff.

What do you do to prevent this in your organizations?
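
A sketch of the CI check asked about above, as an added example that is not part of the original post: it scans go.mod for requirements under the GOPRIVATE prefixes and reports any pinned to a pseudo-version, meaning an untagged commit, instead of a release tag. Assumptions: GOPRIVATE entries are treated as literal path prefixes, go.mod is read with a small line scanner rather than a full parser, and the sample file and its versions are constructed. Confirming that a pinned commit still sits on the mainline would additionally need access to the repository.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Pseudo-version shapes: a pin to an untagged commit rather than a release tag.
var pseudo = regexp.MustCompile(`^v\d+\.(0\.0-|\d+\.\d+-([^+]*\.)?0\.)\d{14}-[0-9a-f]{12}(\+incompatible)?$`)

// Constructed sample go.mod; repo names from the post, versions made up.
const sampleGoMod = `require (
	company/proto v1.4.0
	company/logger v0.0.0-20220301101500-0123456789ab // indirect
	github.com/google/uuid v1.3.1-0.20230101120000-abcdef123456
)`

// isPrivate treats GOPRIVATE entries as literal path prefixes (globs not handled).
func isPrivate(goprivate, mod string) bool {
	for _, p := range strings.Split(goprivate, ",") {
		if p != "" && (mod == p || strings.HasPrefix(mod, p+"/")) {
			return true
		}
	}
	return false
}

// UntaggedPrivate lists private requirements pinned to a pseudo-version.
func UntaggedPrivate(gomod, goprivate string) (bad []string) {
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.Split(raw, "//")[0]) // drop comments
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require":
			f = f[1:] // single-line form: require <module> <version>
			fallthrough
		case inBlock && len(f) == 2:
			if isPrivate(goprivate, f[0]) && pseudo.MatchString(f[1]) {
				bad = append(bad, f[0]+" "+f[1])
			}
		}
	}
	return bad
}

func main() { fmt.Println(UntaggedPrivate(sampleGoMod, "company")) }
```

In a pipeline, a non-empty result would fail the build; the public module in the sample is ignored even though it also uses a pseudo-version.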