Add go mod download step to CI jobs to fix proxy.golang.org 403 errors

[Copilot]

CI test and integration jobs were failing because go test attempted to download modules during execution, hitting 403 Forbidden from proxy.golang.org. The Go module proxy requires dependencies to be explicitly downloaded first when cache is cold.

Changes

Added go mod download step before go mod verify in all 10 Go-based CI jobs:

• test, integration (primary failures)
• update, bench, audit, actions-build, fuzz, security
• cross-platform-build, alpine-container-test

- name: Download dependencies
  run: go mod download

- name: Verify dependencies
  run: go mod verify

This ensures the module cache is populated upfront before any Go commands execute, preventing download attempts during test/build phases. Pattern already exists in format-and-commit.yml.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[CI Failure Doctor] 🏥 CI Failure Investigation - Run #33010</issue_title>
<issue_description>## Summary
CI test job fails because go test cannot download any modules from proxy.golang.org, so the suite aborts before any tests even run.

Failure Details

• Run: #33010
• Commit: 794e93a
• Trigger: push

Root Cause Analysis

go test -v -parallel=8 -timeout=3m -run='^Test' -tags '!integration' ./... hits repeated 403 Forbidden responses when contacting (proxy.golang.org/redacted) for every dependency (cli/go-gh/v2, charmbracelet bubbles/bubbletea/lipgloss/huh, fsnotify, etc.), so the module downloads never complete and the go command exits with setup failed.

Failed Jobs and Errors

• test (go test ...): fails before executing application code because each go: downloading ... request to proxy.golang.org ends with 403 Forbidden, so go cannot fetch needed modules.

Investigation Findings

• Running the exact go test command locally reproduces the same 403 errors (see attached logs) so this is not limited to the GitHub runner.
• All of the dependencies are public, so the 403 likely stems from a new network restriction, proxy policy, or missing credentials when contacting proxy.golang.org.

Recommended Actions

• Verify that the CI environment still has unrestricted access to (proxy.golang.org/redacted); update any firewall/proxy configuration if required.
• If the proxy requires credentials, configure GOPROXY, GONOSUMDB, or GONOSUMDB appropriately so go can authenticate.
• As a mitigation, consider vendoring the frequently used modules so that the build no longer depends on live downloads.

Prevention Strategies

Ensure Go can reach proxy.golang.org before running go test (e.g., `curl (proxy.golang.org/redacted) Add retries or cache the dependencies in the workflow if the external proxy is flaky.

AI Team Self-Improvement

Always confirm external dependency downloads succeed (proxy accessibility + credentials) before running CI commands that hit the network.

Historical Context

No previous investigation recorded for this 403 pattern on proxy.golang.org for January 2026 runs.

AI generated by CI Failure Doctor

To add this workflow in your repository, run gh aw add githubnext/agentics/workflows/ci-doctor.md@ea350161ad5dcc9624cf510f134c6a9e39a6f94d. See usage guide.

• expires on Feb 2, 2026, 3:36 PM UTC

Comments on the Issue (you are @copilot in this section)

@pelikhan Run go mod for that job before running

• Fixes [CI Failure Doctor] 🏥 CI Failure Investigation - Run #33010 #12958

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[github-actions]

🛡️ Security Posture Analysis

This PR contains changes that may affect the security posture. Please review the following concerns:

🟠 High: Network allowlist expanded

Location: .github/workflows/functional-enhancer.lock.yml:2090-2114

Change Detected:

```diff
-  GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,ppa.launchpad.net,proxy.golang.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sum.golang.org,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
+  GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,playwright.download.prss.microsoft.com,ppa.launchpad.net,proxy.golang.org,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,sum.golang.org,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
```

Security Impact: The workflow now allows outbound network access to a much broader set of domains (Anthropic APIs, Node/Python package registries, Playwright/CDN hosts, etc.) rather than the previous Copilot- and GitHub-specific endpoints. This enlarges the external attack surface and increases the risk of data exfiltration or compromise via additional third-party endpoints.

Recommendation: Restrict the allowlist to only the domains strictly required for the new Claude pipeline, possibly by staging these changes under a separate workflow with tighter network controls and reviewing each added host for necessity.

---

Summary

Category	Severity	Count
Network	🟠 High	1

Note: This is an automated analysis. Please verify these findings and determine if the changes are intentional and justified.

AI generated by Security Guard Agent 🛡️