In this tutorial I'll use the fictional private repository called github.com/alexrios/superlib at the version v1.1.0

Backing story

During the Continuous integration pipeline executing go mod tidy I was getting this error:

go: github.com/alexrios/superlib@v1.1.0: reading github.com/alexrios/superlib/go.mod at revision v1.1.0: unknown revision v1.1.0

Why?

In order to understand how Go uses a VCS to handle dependencies I recommend this Go team blog post: https://blog.golang.org/publishing-go-modules

Solution

Generate a token with read permission on org or user repositories and setup a substitution in git global configurations.

That way the authenticated form will always be used.

I highly recommend you to use the repository secrets to avoid exposing sensible data, in this case, the token.

- name: Granting private modules access
        run: |
          git config --global url."https://${{ secrets.GO_MODULES_TOKEN }}:x-oauth-basic@github.com/alexrios".insteadOf "https://github.com/alexrios"     

more on declaring and using secrets: https://help.github.com/pt/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets