
ci: retry go mod download on transient proxy.golang.org/GCS failures #2102

Merged
Aureliolo merged 3 commits into main from ci/cli-go-mod-download-retry
May 24, 2026

Conversation

@Aureliolo
Owner

Why

The chore(main): release 0.8.8 push (commit e2a23707) failed because CLI Test (macos-latest) could not fetch github.com/klauspost/compress@v1.18.6 from proxy.golang.org:

github.com/klauspost/compress@v1.18.6: Get "https://storage.googleapis.com/proxy-golang-org-prod/...":
  dial tcp [2607:f8b0:4005:816::201b]:443: connect: no route to host

proxy.golang.org 307-redirects module ZIPs to GCS; the GCS hop occasionally fails at the TCP layer. These are NOT 404/410, so Go's built-in GOPROXY=...,direct fallback does not fire and the whole command aborts. Downstream, Finalize Release preflighted, saw CLI failure, and short-circuited (Triggering workflow failed; skipping), so v0.8.8 stayed in Draft until a manual rerun.

What

New composite .github/actions/go-mod-download-retry wraps go mod download -x in a retry loop with the project's standard posture (8 attempts, 15s base, 120s cap; ~10 min budget; matches cla.yml::gh_api_retry and the docker.yml cosign retry from #2100).

Wired into all 7 jobs in cli.yml (lint, test, build, bench, vuln, fuzz, release): one prefetch step after each setup-go. Once modules are on disk, the real go test / go build / go vet runs once with zero network traffic, so the retry can never mask a real test or build failure.

cli-vuln also got an inline retry around go install golang.org/x/vuln/cmd/govulncheck@v1.3.0, since govulncheck pulls a separate module graph not covered by the cli prefetch.

Scope verification

Only cli.yml runs Go commands across the entire .github/workflows/ tree (grep confirmed), so this fully closes the blast radius.

Tests

actionlint, yamllint, and zizmor all pass locally on both files. No runtime tests exist for workflow files; correctness is validated by the next push exercising every job.

Review

Pre-reviewed by infra-reviewer. One Minor finding (inline break vs composite exit 0 divergence) addressed in the second commit.

@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses intermittent CI failures caused by transient network issues when fetching Go modules from proxy.golang.org. By decoupling the module download process into a dedicated, retry-aware prefetch step, the changes ensure that build and test jobs are more resilient to temporary GCS connectivity blips without risking the masking of actual code-related failures.

Highlights

  • New Composite Action: Introduced a reusable .github/actions/go-mod-download-retry action to handle transient network failures during Go module downloads.
  • Retry Logic: Implemented a robust retry mechanism with exponential backoff (8 attempts, 15s base, 120s cap) to specifically target network-related issues during the prefetch phase.
  • Workflow Integration: Updated the primary CI workflow to use this prefetch step, ensuring subsequent build and test commands operate on a local cache, thus avoiding masked test failures.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/cli.yml

@coderabbitai
Contributor

coderabbitai Bot commented May 24, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 421f1607-66f4-459f-b338-02ec7ba61ef2

📥 Commits

Reviewing files that changed from the base of the PR and between b571989 and b74da53.

📒 Files selected for processing (1)
  • .github/actions/go-mod-download-retry/action.yml
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (25)
  • GitHub Check: Socket Security: Pull Request Alerts
  • GitHub Check: Socket Security: Project Report
  • GitHub Check: Test Unit (shard 4)
  • GitHub Check: Test Unit (shard 1)
  • GitHub Check: Test Unit (shard 3)
  • GitHub Check: Test Unit (shard 2)
  • GitHub Check: Test E2E
  • GitHub Check: Dashboard Lint
  • GitHub Check: Schema Validation
  • GitHub Check: Dashboard Security Audit
  • GitHub Check: Test Integration (shard 4)
  • GitHub Check: Dashboard Storybook Build
  • GitHub Check: Export OpenAPI Schema
  • GitHub Check: Test Conformance (SQLite)
  • GitHub Check: Test Integration (shard 3)
  • GitHub Check: Test Integration (shard 2)
  • GitHub Check: Test Integration (shard 1)
  • GitHub Check: Type Check
  • GitHub Check: Lint
  • GitHub Check: Runtime Stats Freshness Gate
  • GitHub Check: Build Preview
  • GitHub Check: Analyze (python)
  • GitHub Check: Analyze (actions)
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: Analyze (go)
🔇 Additional comments (1)
.github/actions/go-mod-download-retry/action.yml (1)

64-70: LGTM!


Walkthrough

This PR adds resilient Go module download handling to the CLI build pipeline. A new composite GitHub Action (.github/actions/go-mod-download-retry/action.yml) implements go mod download with bounded exponential backoff retry on transient failures. The action accepts configurable inputs for maximum attempts (default 8), base delay (default 15s), and maximum delay cap (default 120s). The CLI workflow (.github/workflows/cli.yml) integrates this action across seven jobs (cli-lint, cli-test, cli-build, cli-bench, cli-fuzz, cli-release, and cli-vuln), running it immediately after Go setup. The cli-vuln job additionally replaces its plain go install of govulncheck with custom inline retry logic using the same exponential backoff strategy before executing vulnerability checks.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and specifically describes the main change: adding retry logic for go mod download failures from proxy.golang.org/GCS.
Description check ✅ Passed The description comprehensively explains the problem, solution, scope, and validation, all directly related to the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions
Contributor

github-actions Bot commented May 24, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

Contributor

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces a new GitHub Composite Action, go-mod-download-retry, which wraps the go mod download command with a bounded exponential-with-cap retry mechanism. This action aims to prevent job failures caused by transient network issues during module fetching from proxy.golang.org by implementing a dedicated prefetch step with configurable retry parameters. I have no feedback to provide.

@Aureliolo Aureliolo temporarily deployed to cloudflare-preview May 24, 2026 16:52 — with GitHub Actions Inactive
Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/actions/go-mod-download-retry/action.yml:
- Around line 64-74: The retry loop must capture the exit code of the "go mod
download -x" command immediately instead of relying on the if compound's return;
after running "go mod download -x" store its exit status into rc (rc=$?) and
then test rc (e.g., if [ "$rc" -eq 0 ]; then ...) to decide success and print
the notice, otherwise use rc for the failure handling and final exit; adjust
references to attempt and MAX_ATTEMPTS accordingly so the logic and messages
(echo ::notice::..., echo ::error::..., exit "$rc") remain the same but use the
captured rc.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: d30d2a51-ead9-4024-9118-ad3278c0bd47

📥 Commits

Reviewing files that changed from the base of the PR and between e2a2370 and b571989.

📒 Files selected for processing (2)
  • .github/actions/go-mod-download-retry/action.yml
  • .github/workflows/cli.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (22)
  • GitHub Check: Test Integration (shard 1)
  • GitHub Check: Test Integration (shard 2)
  • GitHub Check: Test Integration (shard 3)
  • GitHub Check: Test Unit (shard 3)
  • GitHub Check: Test Integration (shard 4)
  • GitHub Check: Test Unit (shard 1)
  • GitHub Check: Test Unit (shard 4)
  • GitHub Check: Test Conformance (SQLite)
  • GitHub Check: Dashboard Storybook Build
  • GitHub Check: Test Unit (shard 2)
  • GitHub Check: Runtime Stats Freshness Gate
  • GitHub Check: Lint
  • GitHub Check: Dashboard Lint
  • GitHub Check: Test E2E
  • GitHub Check: Schema Validation
  • GitHub Check: OpenAPI Liveness
  • GitHub Check: Type Check
  • GitHub Check: Build Preview
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: Analyze (python)
  • GitHub Check: Analyze (actions)
  • GitHub Check: Analyze (go)
🔇 Additional comments (2)
.github/workflows/cli.yml (2)

68-70: LGTM!

Also applies to: 105-107, 143-145, 222-224, 250-252, 321-323, 444-446


271-280: ⚡ Quick win

No fix needed: retry loop already captures govulncheck install exit code correctly.

rc=$? is assigned immediately after the if go install ...; then ... fi, with no intervening commands, and the success path exits 0—so terminal failure will reliably use the failed go install’s exit code.

> Likely an incorrect or invalid review comment.

Comment thread .github/actions/go-mod-download-retry/action.yml Outdated
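
The retry posture from the PR description (8 attempts, 15s base, 120s cap) together with the exit-code capture raised in the CodeRabbit review, as an added example that is not the project's action.yml. The function names, the SLEEP_CMD hook and doubling the delay per attempt are assumptions.

```shell
#!/bin/sh
# Added example. Function names, SLEEP_CMD and doubling per attempt are assumptions.
SLEEP_CMD="${SLEEP_CMD:-sleep}"   # overridable so the loop can be exercised without waiting

# backoff_delay ATTEMPT BASE CAP: seconds to wait after failed attempt number ATTEMPT.
backoff_delay() {
  b_delay=$2; b_n=1
  while [ "$b_n" -lt "$1" ] && [ "$b_delay" -lt "$3" ]; do
    b_delay=$(( b_delay * 2 )); b_n=$(( b_n + 1 ))
  done
  if [ "$b_delay" -gt "$3" ]; then b_delay=$3; fi
  echo "$b_delay"
}

# retry_budget MAX BASE CAP: worst-case total sleep if every attempt fails.
retry_budget() {
  t_total=0; t_i=1
  while [ "$t_i" -lt "$1" ]; do
    t_total=$(( t_total + $(backoff_delay "$t_i" "$2" "$3") )); t_i=$(( t_i + 1 ))
  done
  echo "$t_total"
}

# retry_cmd MAX BASE CAP CMD...: run CMD until it succeeds or MAX attempts are spent.
# Returns 0 on success, otherwise the exit code of the last failed run.
retry_cmd() {
  r_max=$1; r_base=$2; r_cap=$3; shift 3
  r_attempt=1
  while [ "$r_attempt" -le "$r_max" ]; do
    r_rc=0
    "$@" || r_rc=$?   # capture the command's own status before anything else runs
    if [ "$r_rc" -eq 0 ]; then
      echo "::notice::succeeded on attempt ${r_attempt}/${r_max}"
      return 0
    fi
    if [ "$r_attempt" -lt "$r_max" ]; then
      "$SLEEP_CMD" "$(backoff_delay "$r_attempt" "$r_base" "$r_cap")"
    fi
    r_attempt=$(( r_attempt + 1 ))
  done
  echo "::error::failed after ${r_max} attempts (exit code ${r_rc})"
  return "$r_rc"
}

# Pitfall: an `if` whose condition fails and has no else branch exits 0,
# so reading $? after `fi` does not give the command's status.
status_after_fi() { if "$@"; then :; fi; echo "$?"; }

# Prefetch step usage: retry_cmd 8 15 120 go mod download -x
```

With the posture from the description, `retry_budget 8 15 120` gives 585 seconds of worst-case waiting, in line with the stated ~10 min budget.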
@codecov

codecov Bot commented May 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.12%. Comparing base (e2a2370) to head (b74da53).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2102      +/-   ##
==========================================
- Coverage   87.13%   87.12%   -0.01%     
==========================================
  Files        2251     2251              
  Lines      130311   130311              
==========================================
- Hits       113540   113538       -2     
- Misses      16756    16758       +2     
  Partials       15       15              


@Aureliolo Aureliolo temporarily deployed to cloudflare-preview May 24, 2026 17:03 — with GitHub Actions Inactive
@Aureliolo Aureliolo merged commit 2a4cd68 into main May 24, 2026
68 checks passed
@Aureliolo Aureliolo deleted the ci/cli-go-mod-download-retry branch May 24, 2026 17:09
@Aureliolo Aureliolo temporarily deployed to cloudflare-preview May 24, 2026 17:09 — with GitHub Actions Inactive