
[Repo Assist] eng: add tidy-check Makefile target and CI step for go.mod/go.sum drift detection #2429

@github-actions

🤖 This PR was created by Repo Assist, an automated AI assistant.

Summary

Adds a make tidy-check Makefile target and a corresponding CI step (in the lint job) that verifies go mod tidy produces no uncommitted changes to go.mod or go.sum.

Why this matters

Without this guard, a developer can commit code that imports a new package (or removes one) without updating go.mod/go.sum. The next go mod tidy run by a colleague, CI agent, or automated tool silently modifies these files — making diffs noisier and potentially causing build failures if a stale cache is involved.

Many Go projects (including the Go standard library toolchain) enforce this check in CI. It is a low-friction, high-value engineering practice.

What changed

Makefile — adds tidy-check target:

tidy-check:
	@echo "Checking go.mod/go.sum are tidy..."
	@go mod tidy
	@if ! git diff --exit-code go.mod go.sum; then \
		echo ""; \
		echo "Error: go.mod or go.sum are not tidy."; \
		echo "Run 'go mod tidy' and commit the changes."; \
		exit 1; \
	fi
	@echo "go.mod/go.sum are tidy!"

.github/workflows/ci.yml — adds step in the lint job:

- name: Check go.mod/go.sum are tidy
  run: make tidy-check

CI placement

The step sits between the existing gofmt/go vet check and golangci-lint in the lint job — consistent with its nature as a static analysis step that requires no compilation.

Trade-offs

  • False positive risk: None in practice. go mod tidy is idempotent; if go.mod/go.sum are already tidy, it changes nothing and the check passes.
  • Go module proxy access: go mod tidy may reach out to the module proxy if go.sum is missing entries. This is the normal behaviour for any Go build step. If proxy access is restricted, go mod verify is an alternative (but only verifies already-downloaded modules, not tidiness).

Test Status

⚠️ Infrastructure note: The sandbox environment has Go 1.24.13 installed but go.mod requires Go 1.25.0, and downloading the toolchain is blocked by the network firewall. The Makefile and CI workflow changes are purely additive and non-breaking; the target has been manually verified syntactically correct.


Warning

🛡️ Protected Files — Push Permission Denied

This was originally intended as a pull request, but the patch modifies protected files: .github/workflows/ci.yml.

The push was rejected because GitHub Actions does not have workflows permission to push these changes, and is never allowed to make such changes, or other authorization being used does not have this permission. A human must create the pull request manually.

📋 Create the pull request manually
# Download the patch from the workflow run
gh run download 23478742331 -n agent -D /tmp/agent-23478742331

# Create a new branch
git checkout -b repo-assist/eng-tidy-check-2026-03-24-573ac54cb3fc9c56 main

# Apply the patch (--3way handles cross-repo patches)
git am --3way /tmp/agent-23478742331/aw-repo-assist-eng-tidy-check-2026-03-24.patch

# Push the branch and create the pull request
git push origin repo-assist/eng-tidy-check-2026-03-24-573ac54cb3fc9c56
gh pr create --title '[Repo Assist] eng: add tidy-check Makefile target and CI step for go.mod/go.sum drift detection' --base main --head repo-assist/eng-tidy-check-2026-03-24-573ac54cb3fc9c56 --repo github/gh-aw-mcpg

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • proxy.golang.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "proxy.golang.org"

See Network Configuration for more information.

Note

🔒 Integrity filter blocked 7 items

The following items were blocked because they don't meet the GitHub integrity level.

  • #2426 list_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "merged".
  • search_issues search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "merged".
  • [go-fan] Go Module Review: santhosh-tekuri/jsonschema #2427 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "merged".
  • [aw] No-Op Runs #2425 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "merged".
  • Guards and Integrity: tracking issue #1711 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "merged".
  • #2278 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "merged".
  • search_pull_requests search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "merged".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by Repo Assist

To install this agentic workflow, run

gh aw add githubnext/agentics/workflows/repo-assist.md@851905c06e905bf362a9f6cc54f912e3df747d55
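
A variant of the tidy-check idea described above, as an added example that is not part of this PR or the project's code: it snapshots go.mod/go.sum, runs tidy, compares, and restores the files, so it needs no git, leaves the working tree untouched, and also reports a go.sum that tidy creates from scratch (an untracked file that `git diff --exit-code` would not show). The function name `tidy_check` and the `TIDY_CMD` override are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the project's Makefile). tidy_check and TIDY_CMD are
# names assumed here; TIDY_CMD lets a test substitute for `go mod tidy`.
# Returns 0 = tidy, 1 = drift detected, 2 = tidy command failed.
tidy_check() {
    dir=${1:-.}
    snap=$(mktemp -d) || return 2
    rc=0

    # Snapshot the current files; a missing go.sum is simply not copied.
    for f in go.mod go.sum; do
        if [ -f "$dir/$f" ]; then cp "$dir/$f" "$snap/$f"; fi
    done

    # Run tidy inside the module directory (word-split on purpose).
    if ! (cd "$dir" && ${TIDY_CMD:-go mod tidy}) >/dev/null; then
        echo "tidy command failed" >&2
        rc=2
    else
        for f in go.mod go.sum; do
            if [ -f "$snap/$f" ] && [ -f "$dir/$f" ]; then
                cmp -s "$snap/$f" "$dir/$f" || { echo "drift: $f changed" >&2; rc=1; }
            elif [ -f "$snap/$f" ] || [ -f "$dir/$f" ]; then
                # Covers a go.sum that tidy created or deleted outright.
                echo "drift: $f created or removed" >&2
                rc=1
            fi
        done
    fi

    # Put the tree back exactly as it was, whatever the outcome.
    for f in go.mod go.sum; do
        if [ -f "$snap/$f" ]; then cp "$snap/$f" "$dir/$f"; else rm -f "$dir/$f"; fi
    done
    rm -rf "$snap"
    return "$rc"
}
```

On Go 1.23 or later, `go mod tidy -diff` gives the same non-mutating behaviour natively: it prints the required changes as a diff and exits non-zero without writing either file.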
