Add network allowlist to android-reviewer workflow #11164

Merged
jonathanpeppers merged 4 commits into main from
jonathanpeppers/dev-peppers-reviewer-firewall-whitelist
Apr 20, 2026

@jonathanpeppers
Member

The /review slash command (android-reviewer workflow) was hitting firewall
blocks when trying to reach dev.azure.com to check CI status. The workflow
runs in GitHub's Copilot agent environment which restricts outbound network
access by default.

This adds a network.allowed block to the workflow frontmatter listing all
the domains from the repo's custom allowlist so the reviewer agent can reach
them without firewall errors.

  • Useful description of why the change is necessary.
  • Links to issues fixed
  • Unit tests -- N/A, workflow config change only

jonathanpeppers and others added 2 commits April 20, 2026 08:38
The reviewer checks CI status which requires access to Azure DevOps,
since dotnet/android's primary CI runs there.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 20, 2026 13:40
jonathanpeppers and others added 2 commits April 20, 2026 08:41
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replaces individual domain names with ecosystem identifiers where
possible (github, chrome, dotnet, java) per gh-aw strict mode
recommendations.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jonathanpeppers
Member Author

We can't test this in a PR (the android-reviewer.lock.yml runs only on PR comments from main), so just going to get AI reviews and merge.

@jonathanpeppers
Member Author

/review

Contributor

Copilot AI left a comment

Pull request overview

Adds explicit outbound network allowlisting to the android-reviewer agentic workflow so the /review command can reach external services (notably Azure DevOps) from the Copilot agent environment.

Changes:

  • Adds a network.allowed frontmatter block with a set of permitted domains for the workflow runtime.

Comment thread .github/workflows/android-reviewer.md
Comment thread .github/workflows/android-reviewer.md
@github-actions

github-actions Bot commented Apr 20, 2026

Android PR Reviewer completed successfully!

github-actions Bot left a comment

✅ LGTM — Clean config change

Summary: This PR adds a network.allowed block to the android-reviewer.md workflow to fix firewall blocks (primarily for dev.azure.com CI status checks), then regenerates the lock file via gh aw compile.

What looks good:

  • ✅ Lock file is properly regenerated — metadata hash, heredoc markers, and domain lists are all consistent
  • GH_AW_INFO_ALLOWED_DOMAINS correctly mirrors the .md source list
  • ✅ The expanded domains in --allow-domains and GH_AW_ALLOWED_DOMAINS are consistent across all 3 occurrences in the lock file
  • ✅ CI is green (dotnet-android ✓, license/cla ✓)
  • ✅ Previous review feedback (lock file regeneration) has been addressed

Suggestions (2 💡):

| Severity | Category | File |
|---|---|---|
| 💡 | YAGNI | android-reviewer.md:14-15 - chrome/java ecosystems may be broader than needed |
| 💡 | YAGNI | android-reviewer.md:22 - httpbin.org seems unusual for a reviewer workflow |

Both are minor — the domains are all trusted and the broader allowlist may prevent future firewall issues. Ship it!

Generated by Android PR Reviewer for issue #11164 · ● 4.1M
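
The two suggestions in the review above (ecosystem identifiers and httpbin.org being broader than the reviewer needs) can be turned into a repeatable least-privilege check on the frontmatter. This is an added example, not code from the PR or from gh-aw; the YAML layout of the `network.allowed` block, the sample file and the `JUSTIFIED` policy are assumptions.

```python
import re
# Constructed sample: the page names these entries but not the file; the YAML layout is assumed.
SAMPLE_WORKFLOW = """\
---
network:
  allowed:
    - github
    - chrome
    - dotnet
    - java
    - dev.azure.com
    - httpbin.org
permissions: read-all
---
"""

# Hypothetical policy: every allowlist entry needs a recorded reason.
JUSTIFIED = {
    "github": "PR metadata and review comments",
    "dotnet": "package restore",
    "dev.azure.com": "CI status checks (the reason given in the PR description)",
}

def allowed_entries(markdown_text):
    """Return the network.allowed list from a workflow's YAML frontmatter."""
    m = re.match(r"---\n(.*?)\n---\n", markdown_text, re.S)
    entries, in_network, in_allowed = [], False, False
    for line in (m.group(1).splitlines() if m else []):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if line[0] not in " \t":                  # new top-level key
            in_network, in_allowed = stripped == "network:", False
        elif in_network and stripped == "allowed:":
            in_allowed = True
        elif in_allowed and stripped.startswith("- "):
            entries.append(stripped[2:].split(" #")[0].strip().strip("\"'"))
        else:                                     # any other nested key ends the list
            in_allowed = False
    return entries

def unjustified(entries, justified):
    """Flag entries with no recorded reason; wildcards are always flagged."""
    return [(e, "domain" if "." in e else "ecosystem identifier")
            for e in entries if e not in justified or "*" in e]

if __name__ == "__main__":
    for entry, kind in unjustified(allowed_entries(SAMPLE_WORKFLOW), JUSTIFIED):
        print(f"review needed: {kind} '{entry}' has no recorded justification")
```

Ecosystem identifiers are reported separately from domains because each one expands to several hosts in the compiled lock file, so a single unreviewed identifier widens egress more than a single domain does.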

Comment thread .github/workflows/android-reviewer.md
Comment thread .github/workflows/android-reviewer.md
@jonathanpeppers merged commit 30e4591 into main Apr 20, 2026
2 of 3 checks passed
@jonathanpeppers deleted the jonathanpeppers/dev-peppers-reviewer-firewall-whitelist branch April 20, 2026 13:56