Docs: guidelines for configuring Go module/build cache in a security-conscious way #27886

@yskopets

Description

Problem

There is no dedicated guidance on how to configure Go module and build caching in Agentic Workflows in a security-conscious way. The relevant information is currently spread across several reference pages (frontmatter.md, sandbox.md, cache-memory.md) with no Go-specific caching example.

The gap becomes visible when a workflow uses the cache: frontmatter field or a jobs.setup pre-build step to cache ~/go/pkg/mod and ~/.cache/go-build — there are real security trade-offs here that aren't covered today:

  • Cache poisoning: a cached Go module tarball is not re-verified against the checksum database (GONOSUMCHECK, GONOSUMDB) on restore.
  • GOMODCACHE vs GOCACHE scope: caching the module download cache and the build cache have different risk profiles; mixing both in one actions/cache entry is common but worth calling out.
  • Integrity interplay: when a workflow uses tools.github.min-integrity, should the Go module cache be scoped to the same integrity level? The current docs don't address this.
  • Writable paths in the sandbox: as noted in the smoke-copilot fixture, the default GOCACHE/GOMODCACHE locations may not be writable inside the AWF sandbox, requiring GOCACHE=/tmp/go-cache GOMODCACHE=/tmp/go-mod — but this isn't documented for end-users.

Requested documentation

A dedicated section or guide covering:

  1. Recommended cache: frontmatter for Go — which paths to include, recommended key structure (go-${{ hashFiles('go.sum') }}), and restore-key fallback strategy.
  2. actions/setup-go built-in cache option — whether cache: true on the runtime setup action is supported and safe in the AWF context.
  3. Go cache paths in the AWF sandbox — clarify whether ~/go/pkg/mod and ~/.cache/go-build are writable, and when to redirect via GOCACHE/GOMODCACHE env vars.
  4. Security considerations — checksum verification on restore, risks of sharing a module cache across branches/PRs of differing integrity, and recommended mitigations.
  5. jobs.setup pre-build pattern for Go — a concrete example analogous to the Gradle example in sandbox.md (line 287).

Context

  • Discovered while exploring the cache: field in .github/workflows/prompt-clustering-analysis.md.
  • Current docs: reference/frontmatter.md (§ Cache Configuration), reference/sandbox.md (§ Caching section), reference/cache-memory.md, reference/supported-languages.md.

🤖 Created by Claude Code
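A concrete shape for the pre-build pattern requested in item 5, as an added example that is not part of the issue or of the gh-aw project's documentation: a shell step that picks a writable cache location (falling back to /tmp when the sandbox home directory is not writable), derives the cache key from go.sum the way go-${{ hashFiles('go.sum') }} would, and runs `go mod verify` after restore so that a modified module in the restored cache fails the job instead of being built. The function names, the /tmp fallback paths and the `run` argument guard are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the gh-aw docs): cache-path selection, key
# derivation and a post-restore integrity check for a Go pre-build step.
# Function names and the /tmp fallback paths are assumptions.
set -eu

# Return a usable cache directory: the preferred location if it can be
# created and written to, otherwise the fallback (for example under /tmp
# when the sandbox home directory is read-only).
pick_cache_dir() {
  preferred="$1"
  fallback="$2"
  if mkdir -p "$preferred" 2>/dev/null && [ -w "$preferred" ]; then
    printf '%s\n' "$preferred"
  else
    mkdir -p "$fallback"
    printf '%s\n' "$fallback"
  fi
}

# Derive the cache key from go.sum, analogous to go-${{ hashFiles('go.sum') }}:
# any dependency change produces a new key, so an entry saved for a
# different dependency set is never restored under a stale key.
go_cache_key() {
  gosum="$1"
  printf 'go-%s\n' "$(sha256sum "$gosum" | cut -d' ' -f1)"
}

# After the module cache has been restored, check every cached module the
# main module depends on against the hash recorded when it was downloaded.
# `go mod verify` exits non-zero on any mismatch, which fails the job
# before the modified module is compiled.
verify_module_cache() {
  module_dir="$1"
  modcache="$2"
  (cd "$module_dir" && GOMODCACHE="$modcache" go mod verify)
}

# Example job step; only executed when invoked as `./go-cache-step.sh run`.
if [ "${1:-}" = "run" ]; then
  home="${HOME:-/tmp}"
  GOMODCACHE="$(pick_cache_dir "$home/go/pkg/mod" /tmp/go-mod)"
  GOCACHE="$(pick_cache_dir "$home/.cache/go-build" /tmp/go-cache)"
  export GOMODCACHE GOCACHE
  echo "module cache: $GOMODCACHE, build cache: $GOCACHE"
  echo "cache key: $(go_cache_key go.sum)"
  verify_module_cache "$PWD" "$GOMODCACHE"
fi
```

Two points worth keeping in mind when adapting this: `go mod verify` compares cache contents with the hash the Go tool recorded at download time, so it catches modification of a restored entry but does not replace go.sum and GOSUMDB, which guard the download itself; and the build cache (GOCACHE) has no equivalent verification command, so it is the entry to keep out of any cache shared across branches or PRs of differing integrity, while the module cache can be keyed on go.sum and re-verified as above.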
