fix(code-simplifier): allow Go module proxy domains via go network preset

[Copilot]

code-simplifier was blocking go build, go test, and make lint because proxy.golang.org wasn't in the network allowlist.

Changes

• code-simplifier.md: Added network.allowed: [go] — uses the built-in go ecosystem preset instead of enumerating individual subdomains

network:
  allowed:
    - go

The go preset expands to: proxy.golang.org, sum.golang.org, storage.googleapis.com, golang.org, go.dev, pkg.go.dev, goproxy.io.

• code-simplifier.lock.yml: Recompiled to reflect the updated domain list.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[q] fix(code-simplifier): allow Go module proxy domains in network config</issue_title>
<issue_description>## Problem

The code-simplifier workflow was blocked from running go build, go test, and make lint because proxy.golang.org was not in the network allowlist.

Evidence from PR #18197 (run #22365564592):

⚠️ Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:

• proxy.golang.org

Changes

Added a network.allowed block to .github/workflows/code-simplifier.md:

network:
  allowed:
    - "proxy.golang.org"      # Go module proxy (go get, go build, go test)
    - "sum.golang.org"        # Checksum database (go mod verify)
    - "storage.googleapis.com" # Backing store for proxy.golang.org

Validation

• ✅ code-simplifier.md compiled successfully with no errors or warnings

References

• Blocked run: https://github.com/github/gh-aw/actions/runs/22365564592
• PR with firewall evidence: [code-simplifier] refactor: extract execGHAPI helper in checks_command (#18164) #18197
• Triggered by: @pelikhan via /q update code simplifier with network go domain

🎩 Equipped by Q

• expires on Feb 26, 2026, 8:30 PM UTC

---

[!NOTE]
This was originally intended as a pull request, but the git push operation failed.

Workflow Run: View run details and download patch artifact

The patch file is available in the agent-artifacts artifact in the workflow run linked above.

To apply the patch locally:

# Download the artifact from the workflow run https://github.com/github/gh-aw/actions/runs/22368647195
# (Use GitHub MCP tools if gh CLI is not available)
gh run download 22368647195 -n agent-artifacts -D /tmp/agent-artifacts-22368647195

# The patch file will be at agent-artifacts/tmp/gh-aw/aw-q-code-simplifier-go-network.patch after download
# Apply the patch (--3way handles cross-repo patches where files may already exist)
git am --3way /tmp/agent-artifacts-22368647195/aw-q-code-simplifier-go-network.patch

Show patch preview (77 of 77 lines)

From e80469d32adde757c052749a4723a960ffb1f457 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Tue, 24 Feb 2026 20:28:14 +0000
Subject: [PATCH] fix(code-simplifier): allow Go module proxy domains in
 network config

Adds network access for proxy.golang.org, sum.golang.org, and
storage.googleapis.com so the workflow can run go build/test/lint
without firewall blocks (as seen in run github/gh-aw#22365564592 / PR github/gh-aw#18197).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/code-simplifier.lock.yml | 8 ++++----
 .github/workflows/code-simplifier.md       | 6 ++++++
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml
index c2e87df..5b7f3c7 100644
--- a/.github/workflows/code-simplifier.lock.yml
+++ b/.github/workflows/code-simplifier.lock.yml
@@ -27,7 +27,7 @@
 #   Imports:
 #     - shared/reporting.md
 #
-# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"f20363e19346c33ebd23b72cadb046203ed01d40c2a747c4590bb413606a0244"}
+# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"6b79622d431a791446a3e59c0343ec2c1b27aa4e02ee9aea206ce3c5b1ec88f5"}
 
 name: "Code Simplifier"
 "on":
@@ -318,7 +318,7 @@ jobs:
               actor: context.actor,
               event_name: context.eventName,
               staged: false,
-              allowed_domains: ["defaults"],
+              allowed_domains: ["proxy.golang.org","sum.golang.org","storage.googleapis.com"],
               firewall_enabled: true,
               awf_version: "v0.20.2",
               awmg_version: "v0.1.5",
@@ -684,7 +684,7 @@ jobs:
         timeout-minutes: 30
         run: |
           set -o pipefail
-          sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githu
... (truncated)

Comments on the Issue (you are @copilot in this section)

@pelikhan @copilot use "go" domain

Custom agent used: agentic-workflows
GitHub Agentic Workflows (gh-aw) - Create, debug, and upgrade AI-powered workflows with intelligent prompt routing

• Fixes [q] fix(code-simplifier): allow Go module proxy domains in network config #18207

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

Pull request overview

This PR attempts to fix network access issues in the code-simplifier workflow by adding Go module proxy domain support. The workflow was blocked from running Go builds, tests, and linting because proxy.golang.org wasn't in the network allowlist.

Changes:

• Added network.allowed: [go] to .github/workflows/code-simplifier.md to enable the Go ecosystem preset
• Updated .github/workflows/code-simplifier.lock.yml with new domain allowlist and updated frontmatter hash

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
.github/workflows/code-simplifier.md	Added network configuration using the go preset to allow Go module proxy access
.github/workflows/code-simplifier.lock.yml	Recompiled workflow with updated allowed domains list reflecting the Go preset

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The network configuration should include both "defaults" and "go" presets, not just "go" alone. Using only "go" removes access to critical system domains needed for package installation, certificate validation, and other essential operations.

The "defaults" preset includes important domains such as:

• Ubuntu package repositories (archive.ubuntu.com, security.ubuntu.com, api.snapcraft.io)
• Certificate authority domains (various CRL and OCSP endpoints)
• Package manager domains (packages.cloud.google.com, packages.microsoft.com)
• JSON schema validation domains (json-schema.org, json.schemastore.org)

Other workflows that need Go support use both presets together. For example, tidy.md (line 32) uses: allowed: ["defaults", "go"]

This should be changed to:

network:
  allowed:
    - defaults
    - go

Suggested change

	allowed:
	allowed:
	- defaults

[Copilot]

This change removes the "defaults" preset which eliminates access to essential system domains. The allowed_domains array should be ["defaults", "go"] to maintain access to necessary system domains while adding Go module proxy support.

The current configuration only includes Go-specific domains but is missing critical domains from the "defaults" preset such as:

• Ubuntu package repositories and security updates
• Certificate authority validation endpoints
• System package managers
• Schema validation services

Reference: tidy.lock.yml uses allowed_domains: ["defaults","go"] for a similar Go workflow.

Suggested change

	allowed_domains: ["go"],
	allowed_domains: ["defaults", "go"],