Skip to content

Prevent Go module download failures with explicit proxy configuration#12856

Closed
Copilot wants to merge 5 commits intomainfrom
copilot/investigate-ci-failure-32917
Closed

Prevent Go module download failures with explicit proxy configuration#12856
Copilot wants to merge 5 commits intomainfrom
copilot/investigate-ci-failure-32917

Conversation

Copy link
Contributor

Copilot AI commented Jan 31, 2026
edited
Loading

CI run #32917 failed when proxy.golang.org returned 403 Forbidden for all module downloads. Without explicit configuration, Go runners can incorrectly treat public modules as private or fail when the proxy is unavailable.

Changes

Environment variables added to all Go workflows:

env:
  GOPROXY: https://proxy.golang.org,direct  # Fallback to direct downloads
  GOPRIVATE: ""                              # No modules are private
  GONOPROXY: ""                              # All use proxy or fallback
  GOSUMDB: sum.golang.org                    # Maintain integrity checks

Pre-test verification in ci.yml:

  • Reports environment configuration to job summary
  • Tests proxy connectivity with go list -m golang.org/x/sys@latest
  • Fails fast with diagnostic output if proxy unreachable

Affected workflows:

  • ci.yml (test, integration jobs)
  • integration-agentics.yml
  • format-and-commit.yml
  • security-scan.yml (gosec, govulncheck jobs)
  • license-check.yml

Documentation in CONTRIBUTING.md:

  • Explains proxy configuration rationale
  • Troubleshooting guide for module download failures
Original prompt

This section details on the original issue you should resolve

<issue_title>[CI Failure Doctor] CI Failure Investigation - Run #32917</issue_title>
<issue_description># 🏥 CI Failure Investigation - Run githubnext/gh-aw#32917

Summary

The unit test job in run 32917 failed immediately because go test could not download any of the required modules; every (proxy.golang.org/redacted) request returned 403 Forbidden`, so the build never started.

Failure Details

Root Cause Analysis

The go test command pulls dependencies directly through proxy.golang.org. In this environment the proxy replies with 403 Forbidden for every module (e.g., github.com/charmbracelet/huh@v0.8.0, github.com/cli/go-gh/v2@v2.13.0, github.com/fsnotify/fsnotify@v1.9.0, github.com/charmbracelet/bubbles@v0.21.1-0.20250623..., golang.org/x/term@v0.39.0, etc.). Without those downloads the compilation/setup of cmd/gh-aw and the internal tools fails, so the unit test job exits with Process completed with exit code 1 before any tests actually run.

Failed Jobs and Errors

  • test (ubuntu-latest): Set -o pipefail && go test ... → multiple Get "(proxy.golang.org/redacted) Forbidden errors, so module download and build fail before tests execute.

Investigation Findings

  • The output shows the Go toolchain attempted to download numerous dependencies (networking, console, workflow, parser packages) and each attempt hit a 403 response from proxy.golang.org.
  • Because the modules listed are public, the most probable upstream cause is that the runner treats the module path as private (e.g., due to GOPRIVATE/GONOPROXY settings) or the proxy access policy disallows the request, so the proxy refuses to serve the zipped modules.

Recommended Actions

  • Confirm the runner’s Go environment variables: verify GOPRIVATE, GONOPROXY, and GOSUMDB are not inadvertently covering public modules (e.g., github.com/...), and ensure GOPROXY=(proxy.golang.org/redacted),direct is allowed from the runner.
  • If the proxy really is blocked or requires credentials, switch to a permitted mirror or GOPROXY=direct so the modules can be fetched directly from GitHub.
  • Consider caching the modules (via setup-go cache) so repeated downloads do not hit the forbidden gate.

Prevention Strategies

Document the expected Go proxy/mirror configuration for CI runners, and include a make test-unit run in a clean environment before landing commits to catch missing proxy permissions earlier.

AI Team Self-Improvement

When investigating test failures caused by Go module downloads, always (1) check for 403 Forbidden responses from proxy.golang.org, (2) verify GOPRIVATE/GONOPROXY settings, and (3) try GOPROXY=direct locally to reproduce the failure before assuming the source code changed.

Historical Context

No prior occurrences were recorded for this run ID; the logs for run 32917 are the only observed failure of this signature so far.

AI generated by CI Failure Doctor

To add this workflow in your repository, run gh aw add githubnext/agentics/workflows/ci-doctor.md@ea350161ad5dcc9624cf510f134c6a9e39a6f94d. See usage guide.

Comments on the Issue (you are @copilot in this section)

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI and others added 4 commits January 31, 2026 02:58
@pelikhan
Initial plan for CI failure prevention
8f3edfd 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Add Go module proxy configuration to prevent 403 Forbidden errors
7fe8a19 
- Add explicit GOPROXY environment variables with direct fallback
- Set empty GOPRIVATE/GONOPROXY to ensure public modules aren't blocked
- Add module proxy connectivity verification step in test job
- Apply changes to ci.yml, integration-agentics.yml, format-and-commit.yml, security-scan.yml, and license-check.yml
- Addresses CI failure issue #32917 where proxy.golang.org returned 403 errors

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Document Go module proxy configuration in CONTRIBUTING.md
5370198 
Add comprehensive documentation about CI environment variables and troubleshooting
for Go module download failures. Explains why explicit GOPROXY configuration
prevents 403 Forbidden errors and lists all affected workflows.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Address code review feedback
126aad6 
- Change environment variable fallback display from '<not set>' to '<empty>'
- Revert accidental changes to auto-generated functional-programming-enhancer.lock.yml

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix CI failure due to module download issues Prevent Go module download failures with explicit proxy configuration Jan 31, 2026
Copilot AI requested a review from pelikhan January 31, 2026 03:06
@pelikhan pelikhan marked this pull request as ready for review January 31, 2026 03:50
Copilot AI mentioned this pull request Jan 31, 2026
Closed
@pelikhan pelikhan closed this Jan 31, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[CI Failure Doctor] CI Failure Investigation - Run #32917

2 participants

@pelikhan