- Chain pain: a single regional mirror times out, yet your pipeline never reaches the fallback because the first hop is mis-ordered or missing a terminal direct policy.
- Private leakage pain: corporate modules are sent through a public GOPROXY because GOPRIVATE and GONOPROXY patterns do not cover vanity import paths.
- Cache contention pain: shared runners point GOMODCACHE at a spinning disk or a global folder without pruning, so cold go test runs thrash IO and corrupt lock steps.
① Decision matrix: self-hosted module proxy versus public GOPROXY chains
Use this before you edit launchd, profiles, or CI YAML. Aim for predictable latency and checksum discipline—not whichever mirror answered first.
| Approach | Best when | Watch-outs on remote Mac CI |
|---|---|---|
| Self-hosted Athens or similar | You need air-gapped caching, custom go.env defaults, or storage of approved module zip snapshots for compliance reviews | You own disk quotas, TLS, backups; plan standby or DNS swap for proxy failure |
| Public chain (corp mirror, regional mirror, proxy.golang.org, direct) | Teams want low ops overhead and can tolerate upstream dependency on global infrastructure plus your egress policy | Order hops by compliant latency; add direct last only if VCS fetch is allowed |
| Hybrid | Public modules use a chain while GOPRIVATE modules hit internal Git or an internal proxy segment | Match GONOPROXY to every private prefix; keep Git DNS consistent on all runners |
NVMe-local GOMODCACHE helps Apple Silicon runners; tiny zip fetches are rarely CPU-bound.
② Environment parameter table: GOPROXY, privacy, sumdb, and cache dirs
Set these per job, pool, or repo. Adjust paths; keep secrets out of logs.
| Variable | Role | Example or pattern |
|---|---|---|
| GOPROXY | Ordered list of module proxies; tries each until success | `https://corp-go,https://mirror.example,direct` |
| GOPRIVATE | Prefixes that skip the public sumdb and proxy behavior for privacy | `github.com/myorg/*,*.corp.example` |
| GONOPROXY | Prefixes that should never use GOPROXY entries | Often aligned with GOPRIVATE for internal Git hosts |
| GONOSUMDB | Prefixes exempt from checksum database lookups | Private modules where sumdb is impossible or disallowed |
| GOSUMDB | Checksum database for public modules; use off only with governance | Default sum.golang.org or internal sum service URL |
| GOMODCACHE | Stores downloaded module source and zip artifacts | /usr/local/ci/gomod-shared or per-job under /tmp |
| GOPATH (legacy mode) | Still influences workspace when not using modules exclusively | Keep distinct from GOMODCACHE to avoid surprise collisions |
| GOFLAGS | Global flags such as -mod=readonly for CI reproducibility | -mod=readonly paired with committed go.sum |
③ Executable setup: five steps for reproducible Go pulls
- go version across runners so go.sum and -mod=readonly stay stable.
- GOPRIVATE and GONOPROXY, then go env GOPRIVATE GONOPROXY in the CI shell.
- proxy.golang.org or direct as policy allows.
- GOSUMDB for public code; if you use off, document approval with the workflow.
- GOMODCACHE at fast local disk; split pools if regulated code mixes with public deps; prune in maintenance windows.

Example exports you can paste into a CI prelude after paths are adjusted:

```bash
export GOPROXY="https://corp-go.example.com,https://proxy.golang.org,direct"
export GOPRIVATE="github.com/myorg/*,go.corp.example/*"
export GONOPROXY="github.com/myorg/*,go.corp.example/*"
export GOSUMDB="sum.golang.org"
export GOMODCACHE="/usr/local/ci/gomodcache"
export GOFLAGS="-mod=readonly"
```
Validate with `go env | grep -E 'GOPROXY|GOPRIVATE|GOSUMDB|GOMODCACHE'` and `go list -m all` before heavy tests.
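
The private-leakage case from the pain list (patterns that do not cover a vanity import path) can be checked before a job runs. The Go program below is an added example, not code from the original page: it matches private module paths against the pattern lists by leading path elements, as the go command does, and reports any path that would still be sent to a GOPROXY hop or to GOSUMDB. The environment values are the ones from the export block above; the module list and the vanity host pkg.corp.example are constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// covered matches mod against a GOPRIVATE-style glob list by leading path elements.
func covered(globs, mod string) bool {
	elems := strings.Split(mod, "/")
	for _, g := range strings.Split(globs, ",") {
		if n := strings.Count(g, "/") + 1; g != "" && n <= len(elems) {
			if ok, _ := path.Match(g, strings.Join(elems[:n], "/")); ok {
				return true
			}
		}
	}
	return false
}

// audit reports private modules that would still be sent to a proxy or to the
// checksum database. An unset GONOPROXY or GONOSUMDB defaults to GOPRIVATE.
func audit(env map[string]string, private []string) []string {
	var out []string
	for _, m := range private {
		for _, c := range [][2]string{{"GONOPROXY", "GOPROXY"}, {"GONOSUMDB", "GOSUMDB"}} {
			globs := env[c[0]]
			if globs == "" {
				globs = env["GOPRIVATE"]
			}
			if !covered(globs, m) && env[c[1]] != "off" {
				out = append(out, fmt.Sprintf("%s not covered by %s: sent to %s", m, c[0], c[1]))
			}
		}
	}
	return out
}

func main() {
	env := map[string]string{ // values from the page's export block
		"GOPROXY":   "https://corp-go.example.com,https://proxy.golang.org,direct",
		"GOPRIVATE": "github.com/myorg/*,go.corp.example/*",
		"GONOPROXY": "github.com/myorg/*,go.corp.example/*",
		"GOSUMDB":   "sum.golang.org",
	}
	mods := []string{"go.corp.example/billing", "pkg.corp.example/auth"} // constructed list
	fmt.Println(strings.Join(audit(env, mods), "\n"))
}
```

Adding `*.corp.example` to both GOPRIVATE and GONOPROXY clears both findings for the constructed vanity host.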
④ Citable checklist: numbers and policies to quote in design docs
First-hop latency dominates when many micro-modules resolve—benchmark TTFB to each proxy before upsizing CPU.
GOFLAGS=-mod=readonly blocks accidental tidy edits mid-PR in regulated pipelines.
Disk headroom: size GOMODCACHE with images and other caches so parallel jobs do not fill the root volume.
Summary
Choose self-hosted proxies for owned storage, zip audit, or outage buffers; use a public GOPROXY chain when ops is thin and egress allows it. Pair GOPRIVATE with GONOPROXY, keep GOSUMDB for public code, and pin GOMODCACHE to fast disks on every remote Mac.