In this tutorial I’ll use the fictional private repository called github.com/alexrios/superlib at the version v1.1.0
Backing story
During the Continuous integration pipeline executing go mod tidy I was getting this error:
go: github.com/alexrios/superlib@v1.1.0: reading github.com/alexrios/superlib/go.mod at revision v1.1.0: unknown revision v1.1.0
Why?
In order to understand how Go uses a VCS to handle dependencies I recommend this Go team blog post: https://blog.golang.org/publishing-go-modules
Solution
Generate a token with read permission on org or user repositories and setup a substitution in git global configurations.
That way the authenticated form will always be used.
I highly recommend you to use the repository secrets to avoid exposing sensible data, in this case, the token.
- name: Granting private modules access
run: |
git config --global url."https://${{ secrets.GO_MODULES_TOKEN }}:x-oauth-basic@github.com/alexrios".insteadOf "https://github.com/alexrios"
more on declaring and using secrets: https://help.github.com/pt/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets