GitHub Clone or Actions Timing Out? Clash Split Rules Step by Step 2026

Why GitHub clone timeout Survives While “The Site Works”

Across 2026 the same story repeats in developer chats: pull requests merge on the web UI, issue threads refresh, even lightweight REST probes succeed—yet git clone, git fetch --all, or a workflow step that shells out to Git crawls toward failure. Sometimes the client reports a blunt exit after minutes of silence; sometimes GitHub Actions annotates a step with a generic GitHub Actions failure message while the real failure was a TCP stall talking to raw.githubusercontent.com or a packfile CDN you never named in YAML.

Git is not a single browser tab. A clone sequence negotiates with github.com for smart HTTP, may redirect through codeload.github.com, streams large packfiles from storage fronts that do not share the same marketing page cache, and may pull Git LFS objects or release assets from additional domains entirely. Each hop opens separate TLS connections that your Clash rules evaluate independently. First match wins: one incidental GEOIP line or domestic shortcut placed above a narrow developer exception leaves half the choreography on a path your ISP shapes aggressively—classic partial success that masquerades as “GitHub is down.”

Separately, GitHub Actions splits into two worlds. GitHub-hosted runners already sit on upstream networks managed by GitHub; local Clash cannot heal their egress. When people say “Actions times out” alongside clone pain they usually mean self-hosted runners on home labs or corporate VLANs, or jobs that download artifacts through the same constrained uplink that also serves their laptop. This guide targets those environments: align runner service accounts with the same proxy listener you trust on your workstation, then model host coverage deliberately instead of hoping a single DOMAIN-SUFFIX,google.com catch-all from an ancient subscription fixes Git month after month.

If your symptom set is dominated by npm or Docker rather than pure Git, cross-read our npm registry and CDN split guide and Docker Desktop proxy tutorial—many projects intertwine tarball pulls with Git submodules pointing at GitHub.

Hostnames That Actually Participate in Clone, Raw Files, and Actions

GitHub rotates infrastructure; static forum lists rot. Still, the conceptual buckets stay stable enough to design Clash split rules you can extend when logs disagree.

  • Interactive and Git HTTPS: github.com anchors the web experience but also fronts much Git-over-HTTPS traffic—if it is miscategorized, clones fail early.
  • REST and GraphQL APIs: api.github.com serves tokens, rate limits, and metadata that Actions and gh-cli exercise constantly.
  • Raw file CDN: raw.githubusercontent.com delivers plain-text or binary blobs referenced by stable URLs—scripts importing configs, Helm values fetched with curl, or language package managers resolving remote files.
  • Packfile and archive downloads: codeload.github.com frequently appears in verbose git logs; large repository archives may leverage additional githubusercontent.com-family hosts tied to blob storage edges.
  • Container pulls: ghcr.io and related subdomains matter when workflows build or push images—do not assume covering github.com alone rewrites Docker’s registry stack.

When you watch Mihomo connection tables during a failing clone you will often see the slow socket attach to a hostname absent from yesterday’s mental model—that is expected. Treat subscription rule-providers as hints, not scripture; augment with local overrides once you capture evidence rather than preemptively dumping two hundred lines scraped from a 2019 gist.

Habit: Export GIT_CURL_VERBOSE=1 for a single reproduction, or run git -c http.verbose=true ls-remote https://github.com/microsoft/vscode on a trimmed public repo while your dashboard records hostnames. That beats guessing whether the hang lives on raw.githubusercontent.com or deeper packfile storage.

Three Routing Mistakes Behind Phantom GitHub clone timeout Reports

Mistake one—GEOIP steals first match: Popular bundles push broad country shortcuts above niche developer fences. Metadata-sized probes slip through during DNS luck while multi-megabyte packfile sockets inherit whichever label your policy assigns to the storage edge—often different from the HTML hostname you mentally associate with “GitHub.”

Mistake two—split brain between browser and terminal: Chrome follows system proxy or PAC files your IDE inherits intermittently; git launched from launchd, systemd, or a CI agent may see none of that. Until capture matches, you chase Clash ghosts.

Mistake three—url-test thrash on fat downloads: Health checks that rip connections away mid-range GET look like corruption or endless retries. Stabilize node choice for large Git transfers even if vanity latency scores tempt you to auto-rotate every thirty seconds.

Compliance: Use these patterns only where policy permits. Workplace networks may require sanctioned proxies—document exceptions through proper channels instead of covert YAML edits that violate contracts.

For vocabulary refreshes on DIRECT, REJECT, and GEOIP ordering, skim the traffic splitting fundamentals article before stacking Git-specific lines.

Why a Dedicated GITHUB_HUB Group Beats Reusing a Giant Selector

Name a proxy-group you can point Git workflows at without scrolling past gaming, streaming, and academic selectors during a 2 a.m. outage. Even if members duplicate your default PROXY pool, the indirection buys clarity: when logs show policy GITHUB_HUB, you know which YAML stanza to tweak. Bias the pool toward nodes that sustain throughput—not ping vanity—because packfiles reward stable congestion windows.

Keep health-check intervals sedate while debugging clones. Aggressive url-test churn mimics flaky upstreams and convinces you to blame GitHub’s status page when the instability is local policy oscillation.

Step-by-Step: Build and Verify Clash split rules

Walk this sequence whenever GitHub Actions failure symptoms trace to network egress on hardware you control, or when local Git reproducibly stalls:

  1. Reproduce minimally—prefer a small public repository—to separate concurrency from routing. Note exact hostnames from verbose git output or Actions logs referencing curl failures.
  2. In proxy-groups, add GITHUB_HUB (name is arbitrary but keep it memorable) as select with two or more stable upstreams you trust for sustained HTTPS.
  3. In rules, insert DOMAIN-SUFFIX entries for github.com, githubusercontent.com, and any suffix your logs prove—example candidates include api.github.com coverage via the parent suffix plus an explicit raw.githubusercontent.com entry if you treat raw fetches as a separate case.
  4. Place the entire GitHub block above domestic GEOIP or broad regional shortcuts that might otherwise swallow storage edges differently from HTML hosts.
  5. Match capture: on macOS or Windows enable TUN if CLI tools ignore system proxy; on Linux confirm the user running git or the GitHub Actions runner service inherits HTTP_PROXY/HTTPS_PROXY pointing at your mixed port or document how runner-level environment injection works. Our TUN guide explains escalation when system proxy alone fails.
  6. Reload the profile, repeat the clone, and read Mihomo hits—extend suffixes only when new rows appear, not preemptively.

Conservative YAML Skeleton (Extend With Log Evidence)

Merge the fragment into your real profile; comment banners help future subscription merges preserve ordering.

# --- GitHub developer overrides: keep above GEOIP shortcuts ---
proxy-groups:
  - name: GITHUB_HUB
    type: select
    proxies:
      - NODE-STABLE-PRIMARY
      - NODE-STABLE-BACKUP
      - PROXY

rules:
  - DOMAIN-SUFFIX,github.com,GITHUB_HUB
  - DOMAIN-SUFFIX,githubusercontent.com,GITHUB_HUB
  # Uncomment only when logs prove the host:
  # - DOMAIN,raw.githubusercontent.com,GITHUB_HUB
  # - DOMAIN-SUFFIX,ghcr.io,GITHUB_HUB

  # ... GEOIP and MATCH follow ...

If Actions pulls containers, uncomment or add ghcr.io after you see it in Docker’s error text. If submodule URLs point at enterprise Git hosts, duplicate the pattern with those domains—this article focuses on github.com-family traffic.
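The check behind steps 1, 4, and 6, as an added example (not code from this guide or from Clash/Mihomo): it pulls hostnames out of a verbose Git capture and reports which ones are not pinned to GITHUB_HUB under a given rule order. It is a simplified first-match model covering only DOMAIN, DOMAIN-SUFFIX, GEOIP, and MATCH; the log lines, the XX country code, and the function names are constructed for illustration.

```python
import re

# Constructed sample in the style of GIT_CURL_VERBOSE output; the addresses are
# documentation-range placeholders, not real GitHub IPs.
SAMPLE_LOG = """\
== Info: Connected to github.com (192.0.2.10) port 443
=> Send header: Host: github.com
== Info: Connected to codeload.github.com (192.0.2.11) port 443
== Info: Connected to raw.githubusercontent.com (192.0.2.12) port 443
== Info: Connected to ghcr.io (192.0.2.13) port 443
"""

# Rule order from the skeleton; "XX" is a placeholder country code.
SKELETON = [
    "DOMAIN-SUFFIX,github.com,GITHUB_HUB",
    "DOMAIN-SUFFIX,githubusercontent.com,GITHUB_HUB",
    "GEOIP,XX,DIRECT",
    "MATCH,PROXY",
]
# Same rules with the GEOIP shortcut placed first (the ordering step 4 warns about).
GEOIP_FIRST = [SKELETON[2], SKELETON[0], SKELETON[1], SKELETON[3]]

def first_match(host, rules):
    """Return the policy of the first rule that can decide this hostname."""
    for rule in rules:
        kind, *rest = rule.split(",")
        if kind == "MATCH":
            return rest[0]
        if kind == "DOMAIN" and host == rest[0]:
            return rest[1]
        if kind == "DOMAIN-SUFFIX" and (host == rest[0] or host.endswith("." + rest[0])):
            return rest[1]
        if kind == "GEOIP":
            # Decided by the resolved address, not the name: the host may match
            # here or fall through, so it is no longer pinned to a domain policy.
            return "IP-DEPENDENT"
    return None

def hosts_from_log(log):
    """Hostnames from 'Connected to' and 'Host:' lines, in first-seen order."""
    found = re.findall(r"(?:Connected to |Host: )([A-Za-z0-9.-]+)", log)
    return list(dict.fromkeys(h.lower() for h in found))

def unpinned_hosts(log, rules, expected="GITHUB_HUB"):
    """Hosts from the capture whose first deciding rule is not `expected`."""
    return [h for h in hosts_from_log(log) if first_match(h, rules) != expected]

if __name__ == "__main__":
    print("skeleton order:", unpinned_hosts(SAMPLE_LOG, SKELETON))
    print("GEOIP first:   ", unpinned_hosts(SAMPLE_LOG, GEOIP_FIRST))
```

With the skeleton order only ghcr.io is left to the IP-based rules, which is the cue to uncomment its line; with GEOIP first, every captured host is.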

Self-Hosted Runners Versus GitHub-Hosted Noise

When diagnosing GitHub Actions failure, read the runner label first. GitHub-hosted machines do not traverse your LAN Clash instance; failures there demand workflow debugging, larger artifact budgets, or service health—not local split edits. Self-hosted runners, by contrast, inherit your data center or home uplink. Install the runner service under an account whose environment variables reference your proxy, or rely on transparent TUN if that matches organizational policy.

Workflow steps that invoke curl against raw.githubusercontent.com for bootstrap scripts mirror developer laptops—without explicit proxy exports those curls often go DIRECT while your browser happily used the tunnel, reproducing the split-brain symptom inside CI.

Runner checklist: Confirm systemd unit drop-ins or Windows service environment blocks include proxy variables. For Docker-based steps, bridge daemon proxy settings with host listeners the way we outline for desktop engines—see the Docker guide linked earlier.

DNS Fake-IP, Sniffer Discipline, and Resolver Drift

Mihomo fake-ip mode keeps domain rules faithful until a library bypasses the local DNS forwarder entirely. Electron apps, language runtimes with embedded resolvers, and some containers ignore /etc/resolv.conf—when git and curl disagree about address families or cached answers, Clash sees inconsistent evaluation windows.

Use Sniffer overrides sparingly: widening sniff scope to “fix” Git can degrade unrelated HTTP/2 sessions. Prefer accurate DOMAIN-SUFFIX coverage first; add narrow protocol sniff knobs only after logs show mis-tagged IPs.

WSL2, remote SSH, and corporate VPN split tunnels add parallel default routes—confirm which interface owns the runner process before blaming Clash rules for timeouts that are actually routing loops.

Verification Loop (Always Logs Before Node Roulette)

  1. Pick a tiny repository or shallow clone to reduce packfile noise.
  2. Enable temporary git verbosity; capture hostnames aligning timestamps with Mihomo rows.
  3. Run curl -I https://api.github.com as the same shell user as git—never from a privileged subshell that hides the proxy environment.
  4. After a successful pass, snapshot the effective rule ordering in version control so remote provider merges cannot silently regress you next Tuesday.

When stable: Trim experimental Sniffer toggles you no longer need—minimal configurations age better across Mihomo upgrades.

If subscription import basics still feel shaky, revisit the subscription import walkthrough before iterating Git-specific tweaks.

Quick FAQ

Browser loads github.com but raw fetch fails—why?

Different authorities, different connection pools, different rule evaluation order—especially when GEOIP shortcuts treat CDN edges inconsistently. Fence both families explicitly.

Does Git LFS need extra rules?

Often yes: LFS batch APIs may stay on GitHub domains while actual objects land on separate storage hosts. Read git lfs env output and follow verbose logs for the storage hostname.

What about SSH git@github.com?

SSH bypasses HTTP proxy variables unless you tunnel intentionally. If you standardize on HTTPS remotes for clarity inside proxied environments, keep SSH overrides separate so you do not assume Clash HTTP listeners rewrite port 22 flows.

Disabling certificate verification globally to “prove” routing issues creates security debt—fix policy and capture instead of permanent insecure flags.

Closing: From Timeouts to Predictable GitHub Egress

Browser-only extensions and ad-hoc VPN toggles rarely give you ordered first-match control across every terminal, systemd service, and self-hosted runner variant your team spawns, and they seldom pair that control with readable connection logs the way a disciplined Mihomo profile does. GitHub clone timeout pain rooted in partial routing is a configuration problem, not mysticism: once github.com, API surfaces, raw.githubusercontent.com, and proven CDN companions ride a stable Clash policy ahead of blunt GEOIP shortcuts—and once capture matches the process actually invoking git—large fetches and Actions steps stop failing for imaginary “GitHub weather.” ClashSource bundles installers, subscription ergonomics, and topic guides—from npm to Docker to AI CDNs—so you iterate on YAML with documentation instead of scattered forum fragments. If you want a client tuned for that workflow, download Clash from ClashSource and pair it with the verification habits above; you will spend less time swapping nodes and more time shipping.