Add network allowlist to android-reviewer workflow #11164
jonathanpeppers merged 4 commits into main from
The reviewer checks CI status which requires access to Azure DevOps, since dotnet/android's primary CI runs there.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replaces individual domain names with ecosystem identifiers where possible (github, chrome, dotnet, java) per gh-aw strict mode recommendations.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
We can't test this in a PR (the android-reviewer.lock.yml runs only on PR comments from main), so we're just going to get AI reviews and merge.
/review
Pull request overview
Adds explicit outbound network allowlisting to the android-reviewer agentic workflow so the /review command can reach external services (notably Azure DevOps) from the Copilot agent environment.
Changes:
- Adds a `network.allowed` frontmatter block with a set of permitted domains for the workflow runtime.
✅ Android PR Reviewer completed successfully!
✅ LGTM — Clean config change
Summary: This PR adds a network.allowed block to the android-reviewer.md workflow to fix firewall blocks (primarily for dev.azure.com CI status checks), then regenerates the lock file via gh aw compile.
What looks good:
- ✅ Lock file is properly regenerated — metadata hash, heredoc markers, and domain lists are all consistent
- ✅ `GH_AW_INFO_ALLOWED_DOMAINS` correctly mirrors the `.md` source list
- ✅ The expanded domains in `--allow-domains` and `GH_AW_ALLOWED_DOMAINS` are consistent across all 3 occurrences in the lock file
- ✅ CI is green (`dotnet-android` ✓, `license/cla` ✓)
- ✅ Previous review feedback (lock file regeneration) has been addressed
Suggestions (2 💡):
| Severity | Category | File |
|---|---|---|
| 💡 | YAGNI | android-reviewer.md:14-15 — chrome/java ecosystems may be broader than needed |
| 💡 | YAGNI | android-reviewer.md:22 — httpbin.org seems unusual for a reviewer workflow |
Both are minor — the domains are all trusted and the broader allowlist may prevent future firewall issues. Ship it!
Generated by Android PR Reviewer for issue #11164
The `/review` slash command (android-reviewer workflow) was hitting firewall blocks when trying to reach `dev.azure.com` to check CI status. The workflow runs in GitHub's Copilot agent environment which restricts outbound network access by default.

This adds a `network.allowed` block to the workflow frontmatter listing all the domains from the repo's custom allowlist so the reviewer agent can reach them without firewall errors.
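To make the effect of such an allowlist concrete, here is an added example (not code from this PR or from gh-aw) that evaluates hostnames against a list mixing ecosystem identifiers and literal domains, as the frontmatter does. It assumes exact-or-subdomain matching semantics and uses a constructed, placeholder ecosystem-to-domain mapping rather than gh-aw's real one.

```python
"""Egress allowlist check modelled on a network.allowed list.

Added example, not gh-aw's implementation. ECOSYSTEMS is a constructed
placeholder; the real identifiers (github, dotnet, ...) expand to lists
maintained by gh-aw, not the handful shown here.
"""
from typing import Iterable

# Constructed ecosystem -> domain patterns (placeholder data, not gh-aw's).
ECOSYSTEMS = {
    "github": ["*.github.com", "*.githubusercontent.com"],
    "dotnet": ["*.nuget.org", "dotnet.microsoft.com"],
}


def expand_allowlist(entries: Iterable[str]) -> list[str]:
    """Turn a mixed list of ecosystem ids and literal domains into patterns."""
    patterns: list[str] = []
    for entry in entries:
        patterns.extend(ECOSYSTEMS.get(entry.lower(), [entry.lower()]))
    return patterns


def host_matches(host: str, pattern: str) -> bool:
    """Exact match, or base-or-subdomain match for a leading '*.' wildcard.

    The label boundary ('.' + base) is what keeps a lookalike such as
    'dev.azure.com.example.net' from matching 'dev.azure.com'; a bare
    suffix test would accept it.
    """
    host = host.lower().rstrip(".")  # normalise case and trailing dot
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def is_allowed(host: str, allowlist: Iterable[str]) -> bool:
    """True if any expanded pattern permits the host (default deny)."""
    return any(host_matches(host, p) for p in expand_allowlist(allowlist))


# Allowlist in the shape of the PR's frontmatter: ecosystem ids plus a domain.
WORKFLOW_ALLOWED = ["github", "dotnet", "dev.azure.com"]

if __name__ == "__main__":
    for h in ["dev.azure.com", "api.github.com",
              "dev.azure.com.example.net", "example.org"]:
        verdict = "allow" if is_allowed(h, WORKFLOW_ALLOWED) else "block"
        print(f"{h:30} {verdict}")
```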