[ci-coach] ci: skip go mod download on cache hit for 9 jobs

[github-actions]

Summary

9 jobs in ci.yml were unconditionally running go mod download even when the Go module cache was warm. This adds the if: steps.setup-go.outputs.cache-hit != 'true' guard (already present in test and integration jobs) to the remaining jobs.

Optimization

Skip redundant module downloads on cache hit

Type: Resource / Cache Optimization
Impact: ~10–30s per job saved when cache is warm
Risk: Low — skipping is safe; go mod verify still runs unconditionally to ensure cache integrity
Jobs updated: update, build-wasm, bench, audit, actions-build, security, security-scan, cross-platform, alpine-container-test

Rationale: When actions/setup-go reports a cache hit, all Go modules are already present locally. Running go mod download in this case is a no-op that still takes 10–30s of network verification time. With 7 of these jobs running on every PR, this saves ~1–3 minutes of total compute per run on warm caches (the typical case after the first run).

go mod verify is intentionally left unconditional — it's fast and ensures cache integrity without network access.

Changed jobs

Job	Runs on	Note
update	All events
build-wasm	All events	Also has -x verbose flag
audit	All events
actions-build	All events
security	All events
cross-platform	All events	macOS + Windows matrix
alpine-container-test	All events
bench	main only
security-scan	main only	No go mod verify step

Metrics Baseline

• Total runs analyzed: 100
• Success rate: 53%
• Average successful run duration: ~4 min
• Cache guard already present in: test, integration, fuzz jobs

Validation

✅ YAML syntax valid (python3 -c "import yaml; yaml.safe_load(...)")
✅ All 12 Download dependencies with retry steps now have the cache guard

---

Proposed by CI Coach workflow run #125

---

Warning

Protected Files — Push Permission Denied

This was originally intended as a pull request, but the patch modifies protected files. A human must create the pull request manually.

Protected files

• .github/workflows/ci.yml

The push was rejected because GitHub Actions does not have workflows permission to push these changes, and is never allowed to make such changes, or other authorization being used does not have this permission.

Create the pull request manually

# Download the patch from the workflow run
gh run download 23948079975 -n agent -D /tmp/agent-23948079975

# Create a new branch
git checkout -b ci-coach/skip-module-download-on-cache-hit-076c626073e6d065 main

# Apply the patch (--3way handles cross-repo patches)
git am --3way /tmp/agent-23948079975/aw-ci-coach-skip-module-download-on-cache-hit.patch

# Push the branch and create the pull request
git push origin ci-coach/skip-module-download-on-cache-hit-076c626073e6d065
gh pr create --title '[ci-coach] ci: skip go mod download on cache hit for 9 jobs' --base main --head ci-coach/skip-module-download-on-cache-hit-076c626073e6d065 --repo github/gh-aw

Generated by CI Optimization Coach · ● 3.2M · ◷

• expires on Apr 5, 2026, 1:50 PM UTC