programming

Go get private repository: GOPRIVATE, SSH, HTTPS, and go mod private repo

Go get private repository and golang private repo with modules: GOPRIVATE, GONOPROXY, GONOSUMDB, SSH insteadOf HTTPS, PAT and .netrc, go no secure protocol found for repository, terminal prompts disabled, GitHub GitLab self-hosted, go mod private repo and go modules private repo setup.

Published

Updated

Read time 4 min read

Reviewed byDeepak Prasad

Go get private repository: GOPRIVATE, SSH, HTTPS, and go mod private repo

Teams use a golang private repository or go private repository the same way as open source: a module path like github.com/org/lib in go.mod, then go get or go build downloads it. The hard parts are go get private repository authentication and telling the toolchain not to send your code through the public proxy and checksum DB. This page covers go modules private repo settings (GOPRIVATE, GOPROXY, GOSUMDB), GitHub import private repository style hosts (and GitLab or self-hosted), SSH versus HTTPS, and the errors go no secure protocol found for repository and non-interactive Git failures. For removing a fetched module, see remove installed package with go get; for module basics, see create a custom Go module; for env vars generally, see Go environment variables.

Examples assume Go 1.21+ in module mode on Linux or macOS, Git 2.x, and a GitHub-style HTTPS or SSH remote. Adjust hostnames for GitLab, Gitea, or Azure DevOps.

go mod private repo: what must be true

  1. Module path in go.mod matches the clone URL host and path (for example module github.com/org/app).
  2. Git can clone that repo non-interactively from the machine running go (SSH agent, credential helper, or CI secret).
  3. GOPRIVATE (and usually GONOPROXY / GONOSUMDB) lists your golang private repo prefixes so the public module mirror and sumdb are skipped.

go env -w persists settings in the user's Go env file:

text 
go env -w GOPRIVATE=github.com/myorg/*
go env -w GOPROXY=https://proxy.golang.org,direct
go env -w GOSUMDB=sum.golang.org

GOPRIVATE implies those paths are also treated as not using the proxy or sumdb unless you override with GONOPROXY / GONOSUMDB explicitly (private modules in the module reference). In current Go releases, matching GOPRIVATE patterns also populate the default GONOPROXY and GONOSUMDB behavior so you usually do not need to duplicate the list.

SSH for go get private repository (typical default)

GitHub serves HTTPS by default; go invokes git to clone. Map HTTPS to SSH so private repos use your existing SSH key:

text 
git config --global url."ssh://git@github.com/".insteadOf "https://github.com/"

Verify:

text 
git config --global --get-regexp url

Then go get github.com/myorg/private-lib@v1.2.3 uses git@github.com:myorg/private-lib.git under the hood. Use read-only deploy keys or machine users where appropriate.

HTTPS and tokens (CI and laptops)

GitHub personal access tokens are common for go get private repo in automation.

  • Prefer a credential helper or ~/.netrc with chmod 600, not a long-lived token in shell history.
  • For classic PATs, Git documents using x-oauth-basic as the password with the token as user; for fine-grained tokens GitHub documents x-access-token as the username—follow current GitHub docs for your token type.

Example ~/.netrc shape (use your token mechanics; do not commit this file):

text 
machine github.com
login YOUR_GITHUB_USERNAME
password YOUR_TOKEN_OR_APP_PASSWORD

Avoid embedding raw https://TOKEN@github.com/ in checked-in config; rotate tokens if leaked.

go: no secure protocol found for repository

That message means the remote URL uses a scheme Go's security policy rejects (for example plain http:// or legacy git://). Fixes:

  • Change the module's Git remote to https://... or SSH.
  • If a vanity import or .git redirect points at http://, fix the server or use git config insteadOf to rewrite to HTTPS/SSH.

This query often appears next to go get private repository searches because older internal URLs were http.

Git "terminal prompts disabled" / exit status 128

Typical log lines:

text 
fatal: could not read Username for 'https://github.com': terminal prompts disabled

go runs git non-interactively. Provide credentials via SSH insteadOf, GIT_ASKPASS, a credential manager, or .netrc. In CI, export read-only credentials into the job environment the helper expects—never rely on typing a password mid-build.

GitLab, Gitea, Azure DevOps, enterprise GitHub

Set GOPRIVATE to every private host prefix you use, comma-separated:

text 
go env -w GOPRIVATE=github.com/myorg/*,git.example.com/*,gitlab.com/mygroup/*

Add matching git config url."ssh://git@git.example.com/".insteadOf "https://git.example.com/" (host and path adjusted) so each host clones with a protocol Git can authenticate.

Summary

Golang private repository and go mod private repo workflows come down to three layers: correct module paths, GOPRIVATE (plus proxy/sumdb behavior) for go modules private repo hygiene, and Git credentials so go get private repository never hits the public index for your code. Fix go no secure protocol found for repository by moving off insecure http/git URLs. Fix HTTPS failures in automation with SSH insteadOf, credential helpers, or scoped tokens—not interactive prompts in CI.

References

Frequently Asked Questions

1. What is GOPRIVATE for a golang private repository?

GOPRIVATE is a comma-separated list of module path prefixes that must not be fetched through the public module proxy or checksum database; set it to your Git host and org, for example github.com/myorg/*.

2. Why does go get private repo hit the checksum database or proxy?

Without GOPRIVATE, the go command treats the path as public and queries proxy.golang.org and sum.golang.org; private modules should be listed in GOPRIVATE so those steps are skipped.

3. What does go: no secure protocol found for repository mean?

The module remote uses an insecure scheme such as plain http:// or deprecated git://; switch the origin to https:// or use SSH with git config insteadOf so Go invokes a secure transport.

4. Is SSH or HTTPS better for go get private repository workflows?

SSH with deploy keys or agent-forwarded keys avoids embedding tokens in URLs; HTTPS with a credential helper or .netrc is common in CI if you manage short-lived tokens carefully.

5. How do I fix could not read Username for https://github.com terminal prompts disabled?

Git has no credentials for non-interactive git; configure a credential helper, .netrc, or SSH insteadOf, and ensure GIT_TERMINAL_PROMPT is not forcing prompts off without credentials present.

6. How does this relate to go mod private repo layout?

go mod still uses module paths in import statements; privacy is controlled by git remote access plus GOPRIVATE and proxy settings, not by a different go.mod keyword.
Tuan Nguyen

Data Scientist

Proficient in Golang, Python, Java, MongoDB, Selenium, Spring Boot, Kubernetes, Scrapy, API development, Docker, Data Scraping, PrimeFaces, Linux, Data Structures, and Data Mining. With expertise …

Related Articles

programming

Golang Tutorial for Beginners (Hands-On)

Free, complete Go (Golang) tutorial in learning order: install, modules, syntax through structs, error …

1 min readprogramming

Install Go on Ubuntu: apt, snap, or official tarball (with checksum)

Installing golang on Ubuntu: apt golang-go, snap install go --classic, official go.dev/dl tarball with sha256 …

6 min readprogramming

Golang fsnotify: Watch File and Directory Changes in Go

Use fsnotify in Go to watch files and directories, handle create/write/remove/rename events, watch parent …

16 min read