Add Go module caching and retry logic to prevent proxy 403 failures

[Copilot]

CI run #33219 failed when proxy.golang.org returned 403 Forbidden for all module downloads. This external network issue blocked all Go jobs despite setup-go@v6's built-in caching.

Changes

Redundant caching layer

• Added explicit actions/cache@v4 for ~/go/pkg/mod and ~/.cache/go-build
• Cache key: ${{ runner.os }}-go-modules-${{ hashFiles('**/go.sum') }}

Retry logic for transient failures

for i in $(seq 1 $MAX_RETRIES); do
  if go mod download; then
    echo "✅ Successfully downloaded Go modules"
    break
  else
    if [ $i -eq $MAX_RETRIES ]; then
      echo "❌ Failed after $MAX_RETRIES attempts"
      echo "This may indicate that proxy.golang.org is unreachable"
      exit 1
    fi
    sleep $RETRY_DELAY
  fi
done

Jobs updated (11)

• Core: test, integration, update, bench, audit, security
• Build: actions-build, cross-platform-build, alpine-container-test
• Security: security-scan, fuzz

This provides proxy outage resilience without requiring vendored dependencies.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[CI Failure Doctor] CI Failure Investigation - Run #33219</issue_title>
<issue_description># 🏥 CI Failure Investigation - Run githubnext/gh-aw#33219

Summary

Go test in the test job failed because every dependency download from proxy.golang.org returned 403 Forbidden, so the packages could not be built and the test suite aborted.

Failure Details

• Run: 21566725266
• Commit: 68385cc
• Trigger: push

Root Cause Analysis

The Go toolchain attempted to download multiple dependencies (e.g., github.com/charmbracelet/bubbles, github.com/cli/go-gh/v2, golang.org/x/term, etc.) and each go command hit (proxy.golang.org/redacted) and immediately received 403 Forbidden, so no modules were available and every package reported setup failed before tests could run.

Failed Jobs and Errors

• test: go test -v -parallel=8 ... ./... failed because each package’s setup failed log entry corresponded to a Get "(proxy.golang.org/redacted) Forbidden error for its dependencies.

Investigation Findings

Logs show consistent Forbidden responses from the Go proxy for every dependency the repo imports, so the failure is an external network/access issue rather than a code regression.

Recommended Actions

• Ensure the CI runner can reach (proxy.golang.org/redacted) (e.g., whitelist it, provide proper credentials, or use a reachable GOPROXY).
• Cache or vendor critical Go modules so tests can run even if external downloads are blocked.
• Monitor for proxy HTTP 403s before running the test job so the failure surface happens earlier.

Prevention Strategies

Document the required outbound network access for Go module downloads and invest in a reproducible module cache to prevent transient proxy blocks from failing the entire suite.

AI Team Self-Improvement

Before running go test, verify that dependency downloads are allowed and update instructions to mention that proxy.golang.org must be reachable or that vendoring is required.

Historical Context

Similar failures have occurred when the Go proxy is blocked (every setup failed report shows Forbidden), so this looks like a recurring network restriction rather than a new code issue.

AI generated by CI Failure Doctor

To add this workflow in your repository, run gh aw add githubnext/agentics/workflows/ci-doctor.md@ea350161ad5dcc9624cf510f134c6a9e39a6f94d. See usage guide.

• expires on Feb 3, 2026, 5:13 PM UTC

Comments on the Issue (you are @copilot in this section)

• Fixes [CI Failure Doctor] CI Failure Investigation - Run #33219 #13146

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.