Skip to content
Latchkey

Go "403 fetching private module" - Fix in CI

Private modules need both routing (skip the public proxy/sumdb) and credentials. A 403 means either the request hit the public proxy for a private path, or git auth was not supplied.

What this error means

A fetch fails with reading ... 403 Forbidden for a private repo. GOPRIVATE is unset, or there are no credentials for the host.

go
go: git.acme.com/team/lib@v1.0.0: reading https://proxy.golang.org/...: 403 Forbidden

Common causes

GOPRIVATE not set

The private path was routed through the public proxy and sumdb, which return 403.

No credentials for the host

There is no token in netrc or git config to authenticate the private fetch.

How to fix it

Set GOPRIVATE and provide a token

  1. Mark the private prefix so Go skips the public proxy and sumdb.
  2. Write a netrc with a token for the host.
.github/workflows/ci.yml
env:
  GOPRIVATE: git.acme.com/*
- run: |
    echo "machine git.acme.com login x password ${{ secrets.GIT_TOKEN }}" > ~/.netrc
    chmod 600 ~/.netrc

Rewrite to authenticated HTTPS

  1. Force git to use a token-bearing URL for the host.
shell
git config --global url."https://x:${TOKEN}@git.acme.com/".insteadOf "https://git.acme.com/"

How to prevent it

  • Set GOPRIVATE for every private prefix.
  • Provide host credentials via netrc or a git insteadOf rule.
  • Keep tokens in CI secrets, never in committed config.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →