Add all ecosystem identifiers to network firewall across all workflows#374

Merged
strawgate merged 6 commits intomainfrom
copilot/add-ecosystem-identifiers
Feb 22, 2026
Conversation

Contributor

Copilot AI commented Feb 22, 2026

Agent workflows were restricted to package registries for only 6 ecosystems (defaults, github, go, node, python, ruby), blocking agents from installing dependencies or running toolchains for any other language stack.

Changes

  • New shared fragment gh-aw-fragments/network-ecosystems.md: Contains all 26 ecosystem identifiers from the gh-aw network reference:

    | Identifier | Domains covered |
    | --- | --- |
    | defaults | CRL/OCSP, JSON Schema, Ubuntu, common package mirrors |
    | github | githubusercontent.com, github assets |
    | clojure | clojars.org |
    | containers | Docker Hub, GHCR, Quay, GCR, MCR |
    | dart | pub.dev |
    | dotnet | nuget.org, dotnet.microsoft.com |
    | elixir | hex.pm |
    | fonts | fonts.googleapis.com |
    | github-actions | productionresultssa*.blob.core.windows.net |
    | go | go.dev, proxy.golang.org |
    | haskell | hackage.haskell.org, GHCup |
    | java | Maven Central, Gradle, Adoptium |
    | kotlin | packages.jetbrains.team |
    | linux-distros | Debian, Alpine, Fedora, CentOS, Arch, openSUSE, Red Hat |
    | node | npmjs.org, yarn, pnpm, bun, deno |
    | node-cdns | cdn.jsdelivr.net |
    | perl | cpan.org, metacpan.org |
    | php | packagist.org, getcomposer.org |
    | playwright | playwright.download.prss.microsoft.com, cdn.playwright.dev |
    | python | pypi.org, conda, anaconda |
    | ruby | rubygems.org, bundler |
    | rust | crates.io, rustup |
    | scala | repo.scala-sbt.org, typesafe.com |
    | swift | swift.org, cocoapods.org |
    | terraform | releases.hashicorp.com, registry.terraform.io |
    | zig | ziglang.org |
  • All gh-aw-*.md workflows: Import the new gh-aw-fragments/network-ecosystems.md fragment instead of duplicating ecosystem identifiers inline. Workflows with unique domain requirements (e.g., mcp.buildkite.com, docs-v3-preview.elastic.dev) retain only those specific entries.

  • Compiled .lock.yml files regenerated to reflect all domain additions.

Example of updated frontmatter (most workflows):

```yaml
imports:
  - gh-aw-fragments/network-ecosystems.md
  # ... other imports
```

Workflows with unique domains (e.g., pr-buildkite-detective):

```yaml
imports:
  - gh-aw-fragments/network-ecosystems.md
  # ... other imports
network:
  allowed:
    - "mcp.buildkite.com"
```
Original prompt

This section details the original issue you should resolve

<issue_title>Add playwright, terraform, linux-distros, etc to network firewall</issue_title>
<issue_description>Add all of the entries from https://github.github.io/gh-aw/reference/network/#ecosystem-identifier-recommendation</issue_description>

Comments on the Issue (you are @copilot in this section)

Custom agent used: default-agent
The default agent



Summary by CodeRabbit

  • New Features

    • Expanded network access for automated workflows to support a broader range of development ecosystems and package registries.
  • Chores

    • Updated workflow configurations to enable integration with additional language ecosystems and hosting platforms.
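A small lint for the merged allow-list, added here as an example and not code from this PR or the gh-aw project. It assumes (not stated on this page) that the fragment's `network.allowed` entries and a workflow's own `network.allowed` entries are unioned, and that every entry is either one of the 26 identifiers in the table above or a literal hostname; with that, a reviewer can answer "are all of those actually valid?" mechanically and see any entry the compiler would not expand.

```python
"""Lint the effective gh-aw network allow-list of one workflow.

Added example, not code from the gh-aw project or this PR. It assumes
(undocumented here) that the fragment's `network.allowed` entries and a
workflow's own `network.allowed` entries are unioned, and that every
entry is either an ecosystem identifier or a literal hostname.
"""
import re

# The 26 ecosystem identifiers listed in the PR description table.
ECOSYSTEM_IDS = frozenset({
    "defaults", "github", "clojure", "containers", "dart", "dotnet",
    "elixir", "fonts", "github-actions", "go", "haskell", "java", "kotlin",
    "linux-distros", "node", "node-cdns", "perl", "php", "playwright",
    "python", "ruby", "rust", "scala", "swift", "terraform", "zig",
})

# Constructed rule for a literal host entry: dotted lowercase labels,
# optionally with a leading "*." wildcard label.
HOST_RE = re.compile(r"^(\*\.)?(?:[a-z0-9-]+\.)+[a-z0-9-]+$")


def classify(entry: str) -> str:
    """Return 'ecosystem', 'host' or 'unknown' for one allow-list entry."""
    if entry in ECOSYSTEM_IDS:
        return "ecosystem"
    if HOST_RE.match(entry):
        return "host"
    return "unknown"  # misspelled identifier or malformed host


def effective_allowlist(fragment_allowed, workflow_allowed):
    """Union both lists (order-preserving, de-duplicated) and bucket each
    entry by kind, so the egress a workflow gains is visible at a glance
    and suspicious entries are listed separately."""
    buckets = {"ecosystem": [], "host": [], "unknown": []}
    seen = set()
    for entry in list(fragment_allowed) + list(workflow_allowed):
        if entry in seen:
            continue
        seen.add(entry)
        buckets[classify(entry)].append(entry)
    return buckets


if __name__ == "__main__":
    # Constructed sample: the shared fragment plus pr-buildkite-detective's
    # own entry, with one misspelled identifier to show the unknown bucket.
    report = effective_allowlist(sorted(ECOSYSTEM_IDS),
                                 ["mcp.buildkite.com", "pythn", "go"])
    for kind, entries in report.items():
        print(f"{kind:9s} ({len(entries):2d}): {', '.join(entries)}")
```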

@strawgate strawgate marked this pull request as ready for review February 22, 2026 19:59
Co-authored-by: strawgate <6384545+strawgate@users.noreply.github.com>
Copilot AI changed the title [WIP] Add Playwright, Terraform, Linux distros to network firewall Add all ecosystem identifiers to network firewall across all workflows Feb 22, 2026
Copilot AI requested a review from strawgate February 22, 2026 20:08
@strawgate
Collaborator

@copilot are all of those actually valid? im not sure. Anyway, can we just define this in a shared fragment that we import or what?

Co-authored-by: strawgate <6384545+strawgate@users.noreply.github.com>
Contributor Author

Copilot AI commented Feb 22, 2026

@copilot are all of those actually valid? im not sure. Anyway, can we just define this in a shared fragment that we import or what?

Yes, all identifiers are valid — they come directly from the ecosystem_domains.json data embedded in the gh-aw compiler (v0.48.1).

Moved to a shared fragment in 1e8fd42. Created .github/workflows/gh-aw-fragments/network-ecosystems.md containing all 26 ecosystem identifiers, then updated every workflow to import it instead of duplicating the list. Workflows with workflow-specific domains (e.g., mcp.buildkite.com, docs-v3-preview.elastic.dev) retain only those unique entries.

@coderabbitai

coderabbitai bot commented Feb 22, 2026

Caution

Review failed

The pull request is closed.


Walkthrough

This PR expands network ecosystem access permissions across GitHub Actions AI workflows by introducing a centralized network ecosystem fragment, removing per-workflow network allow-lists from .md documentation files, and significantly broadening the allowed_domains whitelists in generated .lock.yml files to include numerous language ecosystems, package registries, and hosting domains.

Changes

  • Network Ecosystems Fragment
    Files: gh-aw-fragments/network-ecosystems.md
    Summary: New fragment file containing a centralized YAML block with permitted ecosystem identifiers, replacing distributed network allow-lists across individual workflow configurations.

  • Workflow Documentation Files (.md)
    Files: gh-aw-*/(agent-suggestions|breaking-change-detect|bug-exterminator|bug-hunter|code-duplication-detector|code-duplication-fixer|code-simplifier|docs-drift|docs-patrol-external|docs-patrol|docs-pr-review|downstream-health|flaky-test-investigator|issue-fixer|issue-triage|mention-in-issue|mention-in-issue-no-sandbox|mention-in-pr|mention-in-pr-no-sandbox|newbie-contributor-fixer|newbie-contributor-patrol|newbie-contributor-patrol-external|performance-profiler|plan|pr-actions-detective|pr-actions-fixer|pr-buildkite-detective|pr-ci-detective|pr-review|product-manager-impersonator|project-summary|refactor-opportunist|release-update|scheduled-audit|scheduled-fix|small-problem-fixer|stale-issues|test-improver|text-auditor|text-beautifier|update-pr-body|ux-design-patrol)\.md
    Summary: Added import for the network-ecosystems.md fragment and removed per-workflow network: allowed: blocks that previously constrained access to specific ecosystems (defaults, github, go, node, python, ruby, and in some cases www.elastic.co).

  • Workflow Lock Files (.lock.yml)
    Files: gh-aw-*/(agent-suggestions|breaking-change-detect|breaking-change-detector|bug-exterminator|bug-hunter|code-duplication-detector|code-duplication-fixer|code-simplifier|docs-drift|docs-patrol-external|docs-patrol|docs-pr-review|downstream-health|flaky-test-investigator|issue-fixer|issue-triage|mention-in-issue|mention-in-issue-no-sandbox|mention-in-pr|mention-in-pr-no-sandbox|newbie-contributor-fixer|newbie-contributor-patrol|newbie-contributor-patrol-external|performance-profiler|plan|pr-actions-detective|pr-actions-fixer|pr-buildkite-detective|pr-ci-detective|pr-review|product-manager-impersonator|project-summary|refactor-opportunist|release-update|scheduled-audit|scheduled-fix|small-problem-fixer|stale-issues|test-improver|test-improvement|text-auditor|text-beautifier|update-pr-body|ux-design-patrol)\.lock\.yml
    Summary: Updated metadata frontmatter hashes, added network-ecosystems.md to resolved imports, inserted additional GH_AW_PROMPT_EOF blocks for prompt boundary management, and expanded allowed_domains lists from narrow Elastic-focused sets to comprehensive multi-ecosystem whitelists including Docker, Haskell, Java, Rust, DotNet, Go, Python, Node.js, Kubernetes, Terraform, Linux distributions, and numerous CDN/registry domains.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested reviewers

  • github-actions

Poem

🐰 Hops with glee through firewall doors,
Network paths both broad and sure!
Docker, Rust, and Haskell's grace,
Now welcomed in this cyber space. 🚀


@strawgate strawgate merged commit 2de472f into main Feb 22, 2026
6 checks passed
@strawgate strawgate deleted the copilot/add-ecosystem-identifiers branch February 22, 2026 20:21

Development

Successfully merging this pull request may close these issues.

Add playwright, terraform, linux-distros, etc to network firewall
