fix(code-simplifier): allow Go module proxy domains via go network preset#18214

Merged
pelikhan merged 2 commits into main from copilot/fix-network-allowlist
Feb 24, 2026

Copilot AI commented Feb 24, 2026

code-simplifier was blocking go build, go test, and make lint because proxy.golang.org wasn't in the network allowlist.

Changes

  • code-simplifier.md: Added network.allowed: [go] — uses the built-in go ecosystem preset instead of enumerating individual subdomains
network:
  allowed:
    - go

The go preset expands to: proxy.golang.org, sum.golang.org, storage.googleapis.com, golang.org, go.dev, pkg.go.dev, goproxy.io.

  • code-simplifier.lock.yml: Recompiled to reflect the updated domain list.
Original prompt

This section details on the original issue you should resolve

<issue_title>[q] fix(code-simplifier): allow Go module proxy domains in network config</issue_title>
<issue_description>## Problem

The code-simplifier workflow was blocked from running go build, go test, and make lint because proxy.golang.org was not in the network allowlist.

Evidence from PR #18197 (run #22365564592):

⚠️ Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:

  • proxy.golang.org

Changes

Added a network.allowed block to .github/workflows/code-simplifier.md:

network:
  allowed:
    - "proxy.golang.org"      # Go module proxy (go get, go build, go test)
    - "sum.golang.org"        # Checksum database (go mod verify)
    - "storage.googleapis.com" # Backing store for proxy.golang.org

Validation

  • code-simplifier.md compiled successfully with no errors or warnings

References

🎩 Equipped by Q

  • expires on Feb 26, 2026, 8:30 PM UTC

[!NOTE]
This was originally intended as a pull request, but the git push operation failed.

Workflow Run: View run details and download patch artifact

The patch file is available in the agent-artifacts artifact in the workflow run linked above.

To apply the patch locally:

# Download the artifact from the workflow run https://github.com/github/gh-aw/actions/runs/22368647195
# (Use GitHub MCP tools if gh CLI is not available)
gh run download 22368647195 -n agent-artifacts -D /tmp/agent-artifacts-22368647195

# The patch file will be at agent-artifacts/tmp/gh-aw/aw-q-code-simplifier-go-network.patch after download
# Apply the patch (--3way handles cross-repo patches where files may already exist)
git am --3way /tmp/agent-artifacts-22368647195/aw-q-code-simplifier-go-network.patch
Show patch preview (77 of 77 lines)
From e80469d32adde757c052749a4723a960ffb1f457 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Tue, 24 Feb 2026 20:28:14 +0000
Subject: [PATCH] fix(code-simplifier): allow Go module proxy domains in
 network config

Adds network access for proxy.golang.org, sum.golang.org, and
storage.googleapis.com so the workflow can run go build/test/lint
without firewall blocks (as seen in run github/gh-aw#22365564592 / PR github/gh-aw#18197).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/code-simplifier.lock.yml | 8 ++++----
 .github/workflows/code-simplifier.md       | 6 ++++++
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml
index c2e87df..5b7f3c7 100644
--- a/.github/workflows/code-simplifier.lock.yml
+++ b/.github/workflows/code-simplifier.lock.yml
@@ -27,7 +27,7 @@
 #   Imports:
 #     - shared/reporting.md
 #
-# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"f20363e19346c33ebd23b72cadb046203ed01d40c2a747c4590bb413606a0244"}
+# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"6b79622d431a791446a3e59c0343ec2c1b27aa4e02ee9aea206ce3c5b1ec88f5"}
 
 name: "Code Simplifier"
 "on":
@@ -318,7 +318,7 @@ jobs:
               actor: context.actor,
               event_name: context.eventName,
               staged: false,
-              allowed_domains: ["defaults"],
+              allowed_domains: ["proxy.golang.org","sum.golang.org","storage.googleapis.com"],
               firewall_enabled: true,
               awf_version: "v0.20.2",
               awmg_version: "v0.1.5",
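Review bot: The added allowed_domains line replaces "defaults" instead of extending it, so every domain the workflow reached through that preset is dropped in the same change that adds the three Go hosts. Keep "defaults" in the array next to the new entries, and check that the --allow-domains string in the awf run step further down is regenerated to the same set, since this lock file carries the list in both places.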
@@ -684,7 +684,7 @@ jobs:
         timeout-minutes: 30
         run: |
           set -o pipefail
-          sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githu
... (truncated)

Comments on the Issue (you are @copilot in this section)

@pelikhan @copilot use "go" domain

Custom agent used: agentic-workflows
GitHub Agentic Workflows (gh-aw) - Create, debug, and upgrade AI-powered workflows with intelligent prompt routing


…preset

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix network allowlist for Go module proxy domains" to "fix(code-simplifier): allow Go module proxy domains via go network preset" Feb 24, 2026
@pelikhan pelikhan marked this pull request as ready for review February 24, 2026 21:28
Copilot AI review requested due to automatic review settings February 24, 2026 21:28
@pelikhan pelikhan merged commit ff071c7 into main Feb 24, 2026
94 checks passed
@pelikhan pelikhan deleted the copilot/fix-network-allowlist branch February 24, 2026 21:28
Copilot AI left a comment

Pull request overview

This PR attempts to fix network access issues in the code-simplifier workflow by adding Go module proxy domain support. The workflow was blocked from running Go builds, tests, and linting because proxy.golang.org wasn't in the network allowlist.

Changes:

  • Added network.allowed: [go] to .github/workflows/code-simplifier.md to enable the Go ecosystem preset
  • Updated .github/workflows/code-simplifier.lock.yml with new domain allowlist and updated frontmatter hash

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
.github/workflows/code-simplifier.md Added network configuration using the go preset to allow Go module proxy access
.github/workflows/code-simplifier.lock.yml Recompiled workflow with updated allowed domains list reflecting the Go preset

expires: 1d

network:
allowed:
Copilot AI Feb 24, 2026

The network configuration should include both "defaults" and "go" presets, not just "go" alone. Using only "go" removes access to critical system domains needed for package installation, certificate validation, and other essential operations.

The "defaults" preset includes important domains such as:

  • Ubuntu package repositories (archive.ubuntu.com, security.ubuntu.com, api.snapcraft.io)
  • Certificate authority domains (various CRL and OCSP endpoints)
  • Package manager domains (packages.cloud.google.com, packages.microsoft.com)
  • JSON schema validation domains (json-schema.org, json.schemastore.org)

Other workflows that need Go support use both presets together. For example, tidy.md (line 32) uses: allowed: ["defaults", "go"]

This should be changed to:

network:
  allowed:
    - defaults
    - go
Suggested change
allowed:
allowed:
- defaults

event_name: context.eventName,
staged: false,
allowed_domains: ["defaults"],
allowed_domains: ["go"],
Copilot AI Feb 24, 2026

This change removes the "defaults" preset which eliminates access to essential system domains. The allowed_domains array should be ["defaults", "go"] to maintain access to necessary system domains while adding Go module proxy support.

The current configuration only includes Go-specific domains but is missing critical domains from the "defaults" preset such as:

  • Ubuntu package repositories and security updates
  • Certificate authority validation endpoints
  • System package managers
  • Schema validation services

Reference: tidy.lock.yml uses allowed_domains: ["defaults","go"] for a similar Go workflow.

Suggested change
allowed_domains: ["go"],
allowed_domains: ["defaults", "go"],
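
Both review comments above come down to one check: expand the allowlist before and after the edit and look at what was dropped, not only at what was added. The following is an added example, not code from gh-aw or from this PR; the go preset contents are taken from the PR description, the defaults table holds only the domains the review names (the real preset is larger), and the function names are hypothetical.

```python
# Preset tables are copied from this page, not read from gh-aw itself.
GO_PRESET = {
    "proxy.golang.org", "sum.golang.org", "storage.googleapis.com",
    "golang.org", "go.dev", "pkg.go.dev", "goproxy.io",
}
# Only the "defaults" domains the review comment names; the real preset is larger.
DEFAULTS_SUBSET = {
    "archive.ubuntu.com", "security.ubuntu.com", "api.snapcraft.io",
    "packages.cloud.google.com", "packages.microsoft.com",
    "json-schema.org", "json.schemastore.org",
}
PRESETS = {"go": GO_PRESET, "defaults": DEFAULTS_SUBSET}


def expand(allowed):
    """Expand preset names; any other entry is treated as a literal domain."""
    domains = set()
    for entry in allowed:
        domains |= PRESETS.get(entry, {entry.lower()})
    return domains


def review_change(before, after, required=()):
    """Report what an allowlist edit adds, drops, and still fails to cover."""
    old, new = expand(before), expand(after)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "still_blocked": sorted(set(required) - new),
    }


def is_regression(report):
    """True if the edit drops an allowed domain or leaves a required one blocked."""
    return bool(report["removed"] or report["still_blocked"])


# The three allowlists that appear on this page, each compared to ["defaults"].
CANDIDATES = {
    "explicit domains (issue patch)": ["proxy.golang.org", "sum.golang.org", "storage.googleapis.com"],
    "go only (PR as reviewed)": ["go"],
    "defaults + go (review suggestion)": ["defaults", "go"],
}

if __name__ == "__main__":
    for label, allowed in CANDIDATES.items():
        report = review_change(["defaults"], allowed, required=["proxy.golang.org"])
        print(f"{label}: regression={is_regression(report)}")
        print(f"  removed: {report['removed']}")
```

Run as a pre-merge check, this flags the first two candidates because they drop every defaults domain, while the combined list only adds the Go hosts.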
