sync(ci): add private Go module auth support to workflows (#290)

mrz1836 · web-flow · commit 25a152075f5f · 2026-03-04T15:05:50.000-05:00
diff --git a/.github/actions/setup-go-with-cache/action.yml b/.github/actions/setup-go-with-cache/action.yml
@@ -47,6 +47,10 @@ inputs:
     description: "Enable multi-module mode - uses pattern **/go.sum to hash all go.sum files for cache keys, skips root go.sum validation"
     required: false
     default: "false"
+  github-token:
+    description: "GitHub token for private module authentication (only used when GOPRIVATE is set in environment)"
+    required: false
+    default: ""
 
 outputs:
   go-version-actual:
@@ -443,6 +447,32 @@ runs:
         go-version: ${{ inputs.go-version }}
         cache: false # we handle caches ourselves
 
+    # --------------------------------------------------------------------
+    # Configure git authentication for private Go modules (conditional)
+    # Only runs when GOPRIVATE is set AND a github-token is provided
+    # --------------------------------------------------------------------
+    - name: 🔐 Configure private module authentication
+      if: ${{ inputs.github-token != '' && env.GOPRIVATE != '' }}
+      shell: bash
+      run: |
+        echo "🔐 Configuring git authentication for private Go modules..."
+        echo "📋 GOPRIVATE=$GOPRIVATE"
+
+        # Configure git to use the token for HTTPS URLs
+        git config --global url."https://x-access-token:${{ inputs.github-token }}@github.com/".insteadOf "https://github.com/"
+
+        # Set GONOSUMCHECK to match GOPRIVATE if not explicitly set
+        if [ -z "$GONOSUMCHECK" ]; then
+          echo "GONOSUMCHECK=$GOPRIVATE" >> $GITHUB_ENV
+        fi
+
+        # Set GONOSUMDB to match GOPRIVATE if not explicitly set
+        if [ -z "$GONOSUMDB" ]; then
+          echo "GONOSUMDB=$GOPRIVATE" >> $GITHUB_ENV
+        fi
+
+        echo "✅ Private module authentication configured"
+
     # --------------------------------------------------------------------
     # Summary and validation
     # --------------------------------------------------------------------
diff --git a/.github/actions/warm-cache/action.yml b/.github/actions/warm-cache/action.yml
@@ -53,6 +53,10 @@ inputs:
     description: "Enable multi-module mode - uses hash of all go.sum files for cache keys"
     required: false
     default: "false"
+  github-token:
+    description: "GitHub token for private module authentication (only used when GOPRIVATE is set)"
+    required: false
+    default: ""
 
 runs:
   using: "composite"
@@ -96,6 +100,7 @@ runs:
         go-secondary-version: ${{ inputs.go-secondary-version }}
         go-sum-file: ${{ inputs.go-sum-file }}
         enable-multi-module: ${{ inputs.enable-multi-module }}
+        github-token: ${{ inputs.github-token }}
 
     # ────────────────────────────────────────────────────────────────────────────
     # Setup MAGE-X (required for magex commands in cache warming)
diff --git a/.github/env/00-core.env b/.github/env/00-core.env
@@ -41,6 +41,13 @@ GO_SUM_FILE=go.sum
 # Multi-module monorepo support
 ENABLE_MULTI_MODULE_TESTING=false
 
+# Private Go module support (opt-in)
+# Set GOPRIVATE in 90-project.env to enable private module authentication
+# Example: github.com/myorg/*,github.com/otherorg/*
+GOPRIVATE=
+GONOSUMCHECK=
+GONOSUMDB=
+
 # ================================================================================================
 # 🖥️ RUNNER CONFIGURATION
 # ================================================================================================
diff --git a/.github/workflows/fortress-benchmarks.yml b/.github/workflows/fortress-benchmarks.yml
@@ -144,6 +144,7 @@ jobs:
           go-secondary-version: ${{ inputs.go-secondary-version }}
           go-sum-file: ${{ inputs.go-sum-file }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path
diff --git a/.github/workflows/fortress-code-quality.yml b/.github/workflows/fortress-code-quality.yml
@@ -94,6 +94,7 @@ jobs:
           go-secondary-version: ${{ inputs.go-primary-version }}
           go-sum-file: ${{ env.GO_SUM_FILE }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path
@@ -316,6 +317,7 @@ jobs:
           go-secondary-version: ${{ inputs.go-primary-version }}
           go-sum-file: ${{ env.GO_SUM_FILE }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path
@@ -596,6 +598,7 @@ jobs:
           go-secondary-version: ${{ inputs.go-primary-version }}
           go-sum-file: ${{ env.GO_SUM_FILE }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path
diff --git a/.github/workflows/fortress-coverage.yml b/.github/workflows/fortress-coverage.yml
@@ -176,6 +176,7 @@ jobs:
           go-secondary-version: ${{ env.GO_SECONDARY_VERSION }}
           go-sum-file: ${{ inputs.go-sum-file }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path
diff --git a/.github/workflows/fortress-pre-commit.yml b/.github/workflows/fortress-pre-commit.yml
@@ -33,6 +33,10 @@ on:
         description: "Path to go.sum file for dependency verification"
         required: true
         type: string
+    secrets:
+      github-token:
+        description: "GitHub token for private module authentication (optional, only needed when GOPRIVATE is set)"
+        required: false
     outputs:
       pre-commit-version:
         description: "Version of go-pre-commit used"
@@ -87,6 +91,7 @@ jobs:
           go-secondary-version: ${{ inputs.go-primary-version }}
           go-sum-file: ${{ env.GO_SUM_FILE }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path
diff --git a/.github/workflows/fortress-release.yml b/.github/workflows/fortress-release.yml
@@ -91,6 +91,7 @@ jobs:
           go-secondary-version: ${{ inputs.go-primary-version }}
           go-sum-file: ${{ inputs.go-sum-file }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Validate version tag format
diff --git a/.github/workflows/fortress-security-scans.yml b/.github/workflows/fortress-security-scans.yml
@@ -99,6 +99,7 @@ jobs:
           go-secondary-version: ${{ inputs.go-primary-version }}
           go-sum-file: ${{ inputs.go-sum-file }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path
@@ -297,6 +298,7 @@ jobs:
           go-secondary-version: ${{ inputs.go-primary-version }}
           go-sum-file: ${{ inputs.go-sum-file }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path
diff --git a/.github/workflows/fortress-setup-config.yml b/.github/workflows/fortress-setup-config.yml
@@ -568,6 +568,13 @@ jobs:
           echo "| **Features** | $ENABLED_FEATURES enabled · $DISABLED_FEATURES disabled |" >> $GITHUB_STEP_SUMMARY
           echo "| **Test Matrix** | $MATRIX_COUNT combinations |" >> $GITHUB_STEP_SUMMARY
           echo "| **Go Versions** | $(echo "$UNIQUE_GO_VERSIONS" | jq -r 'join(", ")') |" >> $GITHUB_STEP_SUMMARY
+
+          # Show private module status if GOPRIVATE is configured
+          GOPRIVATE_VAL=$(echo "$ENV_JSON" | jq -r '.GOPRIVATE // ""')
+          if [ -n "$GOPRIVATE_VAL" ]; then
+            echo "| **Private Modules** | \`$GOPRIVATE_VAL\` |" >> $GITHUB_STEP_SUMMARY
+          fi
+
           echo "" >> $GITHUB_STEP_SUMMARY
 
           # Fork PR Warning (if applicable) - this stays visible
diff --git a/.github/workflows/fortress-test-fuzz.yml b/.github/workflows/fortress-test-fuzz.yml
@@ -44,6 +44,10 @@ on:
         description: "Path to go.sum file for dependency verification"
         required: true
         type: string
+    secrets:
+      github-token:
+        description: "GitHub token for private module authentication (optional, only needed when GOPRIVATE is set)"
+        required: false
 
 # Security: Restrict default permissions (jobs must explicitly request what they need)
 permissions: {}
@@ -88,6 +92,7 @@ jobs:
           go-secondary-version: ${{ inputs.go-secondary-version }}
           go-sum-file: ${{ inputs.go-sum-file }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path
diff --git a/.github/workflows/fortress-test-matrix.yml b/.github/workflows/fortress-test-matrix.yml
@@ -97,6 +97,10 @@ on:
         description: "Path to go.sum file for dependency verification"
         required: true
         type: string
+    secrets:
+      github-token:
+        description: "GitHub token for private module authentication (optional, only needed when GOPRIVATE is set)"
+        required: false
 
 # Security: Restrict default permissions (jobs must explicitly request what they need)
 permissions: {}
@@ -151,6 +155,7 @@ jobs:
           go-secondary-version: ${{ inputs.go-secondary-version }}
           go-sum-file: ${{ inputs.go-sum-file }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path
diff --git a/.github/workflows/fortress-test-suite.yml b/.github/workflows/fortress-test-suite.yml
@@ -145,6 +145,8 @@ jobs:
       redis-health-timeout: ${{ inputs.redis-health-timeout }}
       redis-trust-service-health: ${{ inputs.redis-trust-service-health }}
       go-sum-file: ${{ inputs.go-sum-file }}
+    secrets:
+      github-token: ${{ secrets.github-token }}
 
   # ----------------------------------------------------------------------------------
   # Fuzz Testing Execution (Primary platform only)
@@ -162,6 +164,8 @@ jobs:
       go-secondary-version: ${{ inputs.go-secondary-version }}
       fuzz-testing-enabled: ${{ inputs.fuzz-testing-enabled }}
       go-sum-file: ${{ inputs.go-sum-file }}
+    secrets:
+      github-token: ${{ secrets.github-token }}
 
   # ----------------------------------------------------------------------------------
   # Test Results Validation (Aggregate all test results)
diff --git a/.github/workflows/fortress-warm-cache.yml b/.github/workflows/fortress-warm-cache.yml
@@ -48,6 +48,10 @@ on:
         description: "Path to go.sum file for dependency verification"
         required: true
         type: string
+    secrets:
+      github-token:
+        description: "GitHub token for private module authentication (optional, only needed when GOPRIVATE is set)"
+        required: false
 
 # Security: Restrict default permissions (jobs must explicitly request what they need)
 permissions: {}
@@ -153,3 +157,4 @@ jobs:
           redis-cache-force-pull: ${{ inputs.redis-cache-force-pull }}
           go-sum-file: ${{ inputs.go-sum-file }}
           enable-multi-module: ${{ steps.extract.outputs.enable_multi_module }}
+          github-token: ${{ secrets.github-token }}
diff --git a/.github/workflows/fortress.yml b/.github/workflows/fortress.yml
@@ -30,8 +30,10 @@
 #  This workflow intelligently handles fork PRs by detecting fork status during setup
 #  and conditionally skipping jobs that require repository secrets. Jobs are categorized:
 #
-#  FORK-SAFE (Always run - no secrets required):
+#  FORK-SAFE (Always run - secrets optional for private module auth):
 #    ✅ setup, test-magex, warm-cache, code-quality, pre-commit, benchmarks, status-check
+#    Note: These jobs receive github-token for private Go module authentication (GOPRIVATE).
+#    On fork PRs, private module auth is skipped but jobs still run for public dependencies.
 #
 #  FORK-UNSAFE (Skipped on fork PRs - require secrets):
 #    ⛔ security (OSSI_TOKEN, OSSI_USERNAME, GITLEAKS_LICENSE)
@@ -116,7 +118,7 @@ jobs:
       env-file-count: ${{ needs.load-env.outputs.env-file-count }}
       var-count: ${{ needs.load-env.outputs.var-count }}
     secrets:
-      github-token: ${{ secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN }}
+      github-token: ${{ github.event.pull_request.head.repo.fork != true && (secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN) || '' }}
   # ----------------------------------------------------------------------------------
   # Test MAGE-X
   # ----------------------------------------------------------------------------------
@@ -130,7 +132,7 @@ jobs:
       env-json: ${{ needs.load-env.outputs.env-json }}
       primary-runner: ${{ needs.setup.outputs.primary-runner }}
   # ----------------------------------------------------------------------------------
-  # Warm Go Caches (FORK-SAFE: No secrets required)
+  # Warm Go Caches (Secrets optional: only needed when GOPRIVATE is set for private modules)
   # ----------------------------------------------------------------------------------
   warm-cache:
     name: 💾 Warm Cache
@@ -148,6 +150,8 @@ jobs:
       redis-version: ${{ needs.setup.outputs.redis-version }}
       redis-cache-force-pull: ${{ needs.setup.outputs.redis-cache-force-pull }}
       go-sum-file: ${{ needs.setup.outputs.go-sum-file }}
+    secrets:
+      github-token: ${{ github.event.pull_request.head.repo.fork != true && (secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN) || '' }}
   # ----------------------------------------------------------------------------------
   # Security Scans (FORK-UNSAFE: Requires secrets - skipped on fork PRs)
   # ----------------------------------------------------------------------------------
@@ -173,12 +177,12 @@ jobs:
       primary-runner: ${{ needs.setup.outputs.primary-runner }}
       go-sum-file: ${{ needs.setup.outputs.go-sum-file }}
     secrets:
-      github-token: ${{ secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN }}
+      github-token: ${{ github.event.pull_request.head.repo.fork != true && (secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN) || '' }}
       gitleaks-license: ${{ secrets.GITLEAKS_LICENSE }}
       ossi-token: ${{ secrets.OSSI_TOKEN }}
       ossi-username: ${{ secrets.OSSI_USERNAME }}
   # ----------------------------------------------------------------------------------
-  # Pre-commit Checks (FORK-SAFE: No secrets required)
+  # Pre-commit Checks (Secrets optional: only needed when GOPRIVATE is set for private modules)
   # ----------------------------------------------------------------------------------
   pre-commit:
     name: 🪝 Pre-commit Checks
@@ -198,8 +202,10 @@ jobs:
       go-primary-version: ${{ needs.setup.outputs.go-primary-version }}
       pre-commit-enabled: ${{ needs.setup.outputs.pre-commit-enabled }}
       go-sum-file: ${{ needs.setup.outputs.go-sum-file }}
+    secrets:
+      github-token: ${{ github.event.pull_request.head.repo.fork != true && (secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN) || '' }}
   # ----------------------------------------------------------------------------------
-  # Code Quality Checks (FORK-SAFE: No secrets required)
+  # Code Quality Checks (Secrets optional: only needed when GOPRIVATE is set for private modules)
   # ----------------------------------------------------------------------------------
   code-quality:
     name: 📊 Code Quality
@@ -221,7 +227,7 @@ jobs:
       static-analysis-enabled: ${{ needs.setup.outputs.static-analysis-enabled }}
       go-sum-file: ${{ needs.setup.outputs.go-sum-file }}
     secrets:
-      github-token: ${{ secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN }}
+      github-token: ${{ github.event.pull_request.head.repo.fork != true && (secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN) || '' }}
   # ----------------------------------------------------------------------------------
   # Test Suite (FORK-UNSAFE: Requires CODECOV_TOKEN for coverage - skipped on fork PRs)
   # ----------------------------------------------------------------------------------
@@ -264,10 +270,10 @@ jobs:
       redis-trust-service-health: ${{ needs.setup.outputs.redis-trust-service-health }}
       go-sum-file: ${{ needs.setup.outputs.go-sum-file }}
     secrets:
-      github-token: ${{ secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN }}
+      github-token: ${{ github.event.pull_request.head.repo.fork != true && (secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN) || '' }}
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
   # ----------------------------------------------------------------------------------
-  # Benchmark Suite (FORK-SAFE: No secrets required)
+  # Benchmark Suite (Secrets optional: only needed when GOPRIVATE is set for private modules)
   # ----------------------------------------------------------------------------------
   benchmarks:
     name: 🏃 Benchmarks
@@ -298,7 +304,7 @@ jobs:
       redis-trust-service-health: ${{ needs.setup.outputs.redis-trust-service-health }}
       go-sum-file: ${{ needs.setup.outputs.go-sum-file }}
     secrets:
-      github-token: ${{ secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN }}
+      github-token: ${{ github.event.pull_request.head.repo.fork != true && (secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN) || '' }}
   # ----------------------------------------------------------------------------------
   # Final Status Check
   # ----------------------------------------------------------------------------------
@@ -492,7 +498,7 @@ jobs:
       golangci-lint-version: ${{ needs.code-quality.outputs.golangci-lint-version }}
       go-sum-file: ${{ needs.setup.outputs.go-sum-file }}
     secrets:
-      github-token: ${{ secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN }}
+      github-token: ${{ github.event.pull_request.head.repo.fork != true && (secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN) || '' }}
       slack-webhook: ${{ secrets.SLACK_WEBHOOK || '' }}
     permissions:
       contents: write # Required: goreleaser needs to create GitHub releases
