Prevent Go module download failures with explicit proxy configuration #12856

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

Copilot wants to merge 5 commits into main from copilot/investigate-ci-failure-32917

.github/workflows/ci.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -19,6 +19,14 @@ jobs: @@
         concurrency:
           group: ci-${{ github.ref }}-test
           cancel-in-progress: true
+        env:
+          # Configure Go module proxy with fallback to direct download
+          # This prevents 403 Forbidden errors from proxy.golang.org
+          GOPROXY: https://proxy.golang.org,direct
+          # Ensure no public modules are treated as private
+          GOPRIVATE: ""
+          GONOPROXY: ""
+          GOSUMDB: sum.golang.org
         steps:
           - name: Checkout code
             uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
@@ Expand All / @@ -38,6 +46,24 @@ jobs: @@
                 echo "⚠️ Go cache miss" >> $GITHUB_STEP_SUMMARY
               fi
+          - name: Verify Go environment and module access
+            run: |
+              echo "## Go Environment Configuration" >> $GITHUB_STEP_SUMMARY
+              echo "- GOPROXY: $GOPROXY" >> $GITHUB_STEP_SUMMARY
+              echo "- GOPRIVATE: ${GOPRIVATE:-<empty>}" >> $GITHUB_STEP_SUMMARY
+              echo "- GONOPROXY: ${GONOPROXY:-<empty>}" >> $GITHUB_STEP_SUMMARY
+              echo "- GOSUMDB: $GOSUMDB" >> $GITHUB_STEP_SUMMARY
+              # Test proxy connectivity by downloading a small module
+              echo "Testing module proxy connectivity..."
+              if ! go list -m golang.org/x/sys@latest > /dev/null 2>&1; then
+                echo "❌ Failed to connect to Go module proxy" >> $GITHUB_STEP_SUMMARY
+                echo "::error::Unable to download modules from Go proxy. Check GOPROXY configuration."
+                exit 1
+              else
+                echo "✅ Go module proxy accessible" >> $GITHUB_STEP_SUMMARY
+              fi
           - name: Verify dependencies
             run: go mod verify
@@ Expand Down Expand Up / @@ -171,6 +197,14 @@ jobs: @@
           group: ci-${{ github.ref }}-integration-${{ matrix.test-group.name }}
           cancel-in-progress: true
         name: "Integration: ${{ matrix.test-group.name }}"
+        env:
+          # Configure Go module proxy with fallback to direct download
+          # This prevents 403 Forbidden errors from proxy.golang.org
+          GOPROXY: https://proxy.golang.org,direct
+          # Ensure no public modules are treated as private
+          GOPRIVATE: ""
+          GONOPROXY: ""
+          GOSUMDB: sum.golang.org
         steps:
           - name: Checkout code
             uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
@@ Expand Down @@

.github/workflows/format-and-commit.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -11,6 +11,14 @@ jobs: @@
       format-and-commit:
         name: Format, Lint, Build and Commit Changes
         runs-on: ubuntu-latest
+        env:
+          # Configure Go module proxy with fallback to direct download
+          # This prevents 403 Forbidden errors from proxy.golang.org
+          GOPROXY: https://proxy.golang.org,direct
+          # Ensure no public modules are treated as private
+          GOPRIVATE: ""
+          GONOPROXY: ""
+          GOSUMDB: sum.golang.org
         steps:
           - name: Skip if triggered by bot
             if: contains(github.event.head_commit.author.name, '[bot]')
@@ Expand Down @@

.github/workflows/integration-agentics.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -13,6 +13,14 @@ jobs: @@
       integration-test-agentics:
         name: Test Agentics Repository Integration
         runs-on: ubuntu-latest
+        env:
+          # Configure Go module proxy with fallback to direct download
+          # This prevents 403 Forbidden errors from proxy.golang.org
+          GOPROXY: https://proxy.golang.org,direct
+          # Ensure no public modules are treated as private
+          GOPRIVATE: ""
+          GONOPROXY: ""
+          GOSUMDB: sum.golang.org
         steps:
           - name: Checkout code
             uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
@@ Expand Down @@

.github/workflows/license-check.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -14,6 +14,14 @@ jobs: @@
         runs-on: ubuntu-latest
         permissions:
           contents: read
+        env:
+          # Configure Go module proxy with fallback to direct download
+          # This prevents 403 Forbidden errors from proxy.golang.org
+          GOPROXY: https://proxy.golang.org,direct
+          # Ensure no public modules are treated as private
+          GOPRIVATE: ""
+          GONOPROXY: ""
+          GOSUMDB: sum.golang.org
         steps:
           - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ Expand Down @@

.github/workflows/security-scan.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -14,6 +14,14 @@ jobs: @@
       gosec:
         name: Gosec Security Scanner
         runs-on: ubuntu-latest
+        env:
+          # Configure Go module proxy with fallback to direct download
+          # This prevents 403 Forbidden errors from proxy.golang.org
+          GOPROXY: https://proxy.golang.org,direct
+          # Ensure no public modules are treated as private
+          GOPRIVATE: ""
+          GONOPROXY: ""
+          GOSUMDB: sum.golang.org
         steps:
           - name: Checkout code
             uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
@@ Expand Down Expand Up / @@ -43,6 +51,14 @@ jobs: @@
       govulncheck:
         name: Go Vulnerability Check
         runs-on: ubuntu-latest
+        env:
+          # Configure Go module proxy with fallback to direct download
+          # This prevents 403 Forbidden errors from proxy.golang.org
+          GOPROXY: https://proxy.golang.org,direct
+          # Ensure no public modules are treated as private
+          GOPRIVATE: ""
+          GONOPROXY: ""
+          GOSUMDB: sum.golang.org
         steps:
           - name: Checkout code
             uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
@@ Expand Down @@

CONTRIBUTING.md

-Original file line number
+Diff line change
@@ Expand Up / @@ -328,6 +328,44 @@ If Dependabot stops creating PRs: @@
 . **Manual trigger**: You can manually trigger Dependabot from repository Settings → Security → Dependabot
+    ### CI Configuration and Go Module Proxy
+    Our CI workflows are configured to prevent Go module download failures by using explicit proxy settings. All GitHub Actions workflows that use Go include the following environment variables:
+    ```yaml
+    env:
+      # Configure Go module proxy with fallback to direct download
+      # This prevents 403 Forbidden errors from proxy.golang.org
+      GOPROXY: https://proxy.golang.org,direct
+      # Ensure no public modules are treated as private
+      GOPRIVATE: ""
+      GONOPROXY: ""
+      GOSUMDB: sum.golang.org
+    ```
+    **Why this matters:**
+    - **Prevents 403 Forbidden errors**: If `proxy.golang.org` is temporarily unavailable or blocks requests, Go will fall back to direct downloads
+    - **Ensures public modules are accessible**: Empty `GOPRIVATE` and `GONOPROXY` settings prevent public modules from being treated as private
+    - **Maintains checksum verification**: `GOSUMDB` ensures module integrity through the Go checksum database
+    **Affected workflows:**
+    - `.github/workflows/ci.yml` (test and integration jobs)
+    - `.github/workflows/integration-agentics.yml`
+    - `.github/workflows/format-and-commit.yml`
+    - `.github/workflows/security-scan.yml` (gosec and govulncheck jobs)
+    - `.github/workflows/license-check.yml`
+    **Troubleshooting module download failures:**
+    If you encounter `403 Forbidden` errors from Go module proxy:
+. **Check environment variables**: Verify `GOPROXY`, `GOPRIVATE`, `GONOPROXY`, and `GOSUMDB` are set correctly
+. **Test proxy connectivity**: Run `go list -m golang.org/x/sys@latest` to verify access
+. **Use direct fallback**: If the proxy is blocked, the `,direct` suffix in `GOPROXY` enables direct downloads from source repositories
+. **Check runner logs**: Look for proxy connectivity verification in the "Verify Go environment and module access" step
+    For more details on the incident that led to these improvements, see issue #12894 (CI run #32917).
     ### Handling Dependabot PRs
     When reviewing Dependabot PRs:
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Prevent Go module download failures with explicit proxy configuration #12856

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!