Skip to content

Comments

Add all ecosystem identifiers to network firewall across all workflows#374

Merged
strawgate merged 6 commits intomainfrom
copilot/add-ecosystem-identifiers
Feb 22, 2026
Merged

Add all ecosystem identifiers to network firewall across all workflows#374
strawgate merged 6 commits intomainfrom
copilot/add-ecosystem-identifiers

Conversation

Copy link
Contributor

Copilot AI commented Feb 22, 2026
edited by coderabbitai bot
Loading

Agent workflows were restricted to package registries for only 6 ecosystems (defaults, github, go, node, python, ruby), blocking agents from installing dependencies or running toolchains for any other language stack.

Changes

  • New shared fragment gh-aw-fragments/network-ecosystems.md: Contains all 26 ecosystem identifiers from the gh-aw network reference:

    Identifier Domains covered
    defaults CRL/OCSP, JSON Schema, Ubuntu, common package mirrors
    github githubusercontent.com, github assets
    clojure clojars.org
    containers Docker Hub, GHCR, Quay, GCR, MCR
    dart pub.dev
    dotnet nuget.org, dotnet.microsoft.com
    elixir hex.pm
    fonts fonts.googleapis.com
    github-actions productionresultssa*.blob.core.windows.net
    go go.dev, proxy.golang.org
    haskell hackage.haskell.org, GHCup
    java Maven Central, Gradle, Adoptium
    kotlin packages.jetbrains.team
    linux-distros Debian, Alpine, Fedora, CentOS, Arch, openSUSE, Red Hat
    node npmjs.org, yarn, pnpm, bun, deno
    node-cdns cdn.jsdelivr.net
    perl cpan.org, metacpan.org
    php packagist.org, getcomposer.org
    playwright playwright.download.prss.microsoft.com, cdn.playwright.dev
    python pypi.org, conda, anaconda
    ruby rubygems.org, bundler
    rust crates.io, rustup
    scala repo.scala-sbt.org, typesafe.com
    swift swift.org, cocoapods.org
    terraform releases.hashicorp.com, registry.terraform.io
    zig ziglang.org

  • All gh-aw-*.md workflows: Import the new gh-aw-fragments/network-ecosystems.md fragment instead of duplicating ecosystem identifiers inline. Workflows with unique domain requirements (e.g., mcp.buildkite.com, docs-v3-preview.elastic.dev) retain only those specific entries.

  • Compiled .lock.yml files regenerated to reflect all domain additions.

Example of updated frontmatter (most workflows):

imports:
  - gh-aw-fragments/network-ecosystems.md
  # ... other imports

Workflows with unique domains (e.g., pr-buildkite-detective):

imports:
  - gh-aw-fragments/network-ecosystems.md
  # ... other imports
network:
  allowed:
    - "mcp.buildkite.com"
Original prompt

This section details on the original issue you should resolve

<issue_title>Add playwright, terraform, linux-distros, etc to network firewall</issue_title>
<issue_description>Add all of the entries from https://github.github.io/gh-aw/reference/network/#ecosystem-identifier-recommendation</issue_description>

Comments on the Issue (you are @copilot in this section)

Custom agent used: default-agent
The default agent

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Summary by CodeRabbit

  • New Features

    • Expanded network access for automated workflows to support a broader range of development ecosystems and package registries.

  • Chores

    • Updated workflow configurations to enable integration with additional language ecosystems and hosting platforms.

@strawgate strawgate marked this pull request as ready for review February 22, 2026 19:59
@strawgate
Add all ecosystem identifiers to network firewall across all workflows
c04571f 
Co-authored-by: strawgate <6384545+strawgate@users.noreply.github.com>
Copilot AI changed the title [WIP] Add Playwright, Terraform, Linux distros to network firewall Add all ecosystem identifiers to network firewall across all workflows Feb 22, 2026
Copilot AI requested a review from strawgate February 22, 2026 20:08
@strawgate
Copy link
Collaborator

strawgate commented Feb 22, 2026

@copilot are all of those actually valid? im not sure. Anyway, can we just define this in a shared fragment that we import or what?

@strawgate
Consolidate ecosystem network allows into shared fragment
1e8fd42 
Co-authored-by: strawgate <6384545+strawgate@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Feb 22, 2026

@copilot are all of those actually valid? im not sure. Anyway, can we just define this in a shared fragment that we import or what?

Yes, all identifiers are valid — they come directly from the ecosystem_domains.json data embedded in the gh-aw compiler (v0.48.1).

Moved to a shared fragment in 1e8fd42. Created .github/workflows/gh-aw-fragments/network-ecosystems.md containing all 26 ecosystem identifiers, then updated every workflow to import it instead of duplicating the list. Workflows with workflow-specific domains (e.g., mcp.buildkite.com, docs-v3-preview.elastic.dev) retain only those unique entries.

@coderabbitai
Copy link

coderabbitai bot commented Feb 22, 2026
edited
Loading

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Walkthrough

This PR expands network ecosystem access permissions across GitHub Actions AI workflows by introducing a centralized network ecosystem fragment, removing per-workflow network allow-lists from .md documentation files, and significantly broadening the allowed_domains whitelists in generated .lock.yml files to include numerous language ecosystems, package registries, and hosting domains.

Changes

Cohort / File(s) Summary
Network Ecosystems Fragment
gh-aw-fragments/network-ecosystems.md		 New fragment file containing a centralized YAML block with permitted ecosystem identifiers, replacing distributed network allow-lists across individual workflow configurations.
Workflow Documentation Files (.md)
gh-aw-*/(agent-suggestions|breaking-change-detect|bug-exterminator|bug-hunter|code-duplication-detector|code-duplication-fixer|code-simplifier|docs-drift|docs-patrol-external|docs-patrol|docs-pr-review|downstream-health|flaky-test-investigator|issue-fixer|issue-triage|mention-in-issue|mention-in-issue-no-sandbox|mention-in-pr|mention-in-pr-no-sandbox|newbie-contributor-fixer|newbie-contributor-patrol|newbie-contributor-patrol-external|performance-profiler|plan|pr-actions-detective|pr-actions-fixer|pr-buildkite-detective|pr-ci-detective|pr-review|product-manager-impersonator|project-summary|refactor-opportunist|release-update|scheduled-audit|scheduled-fix|small-problem-fixer|stale-issues|test-improver|text-auditor|text-beautifier|update-pr-body|ux-design-patrol)\.md		 Added import for network-ecosystems.md fragment and removed per-workflow network: allowed: blocks that previously constrained access to specific ecosystems (defaults, github, go, node, python, ruby, and in some cases www.elastic.co).
Workflow Lock Files (.lock.yml)
gh-aw-*/(agent-suggestions|breaking-change-detect|breaking-change-detector|bug-exterminator|bug-hunter|code-duplication-detector|code-duplication-fixer|code-simplifier|docs-drift|docs-patrol-external|docs-patrol|docs-pr-review|downstream-health|flaky-test-investigator|issue-fixer|issue-triage|mention-in-issue|mention-in-issue-no-sandbox|mention-in-pr|mention-in-pr-no-sandbox|newbie-contributor-fixer|newbie-contributor-patrol|newbie-contributor-patrol-external|performance-profiler|plan|pr-actions-detective|pr-actions-fixer|pr-buildkite-detective|pr-ci-detective|pr-review|product-manager-impersonator|project-summary|refactor-opportunist|release-update|scheduled-audit|scheduled-fix|small-problem-fixer|stale-issues|test-improver|test-improvement|text-auditor|text-beautifier|update-pr-body|ux-design-patrol)\.lock\.yml		 Updated metadata frontmatter hashes, added network-ecosystems.md to resolved imports, inserted additional GH_AW_PROMPT_EOF blocks for prompt boundary management, and expanded allowed_domains lists from narrow Elastic-focused sets to comprehensive multi-ecosystem whitelists including Docker, Haskell, Java, Rust, DotNet, Go, Python, Node.js, Kubernetes, Terraform, Linux distributions, and numerous CDN/registry domains.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested reviewers

  • github-actions

Poem

🐰 Hops with glee through firewall doors,
Network paths both broad and sure!
Docker, Rust, and Haskell's grace,
Now welcomed in this cyber space. 🚀

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch copilot/add-ecosystem-identifiers

Comment @coderabbitai help to get the list of available commands and usage tips.

@strawgate strawgate merged commit 2de472f into main Feb 22, 2026
6 checks passed
@strawgate strawgate deleted the copilot/add-ecosystem-identifiers branch February 22, 2026 20:21
@github-actions github-actions bot mentioned this pull request Feb 23, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

@strawgate strawgate Awaiting requested review from strawgate

Assignees

@strawgate strawgate

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add playwright, terraform, linux-distros, etc to network firewall

2 participants

@strawgate