[daily-firewall-report] Daily Firewall Report - 2026-04-28

[github-actions[bot]]

Executive Summary

This report covers firewall activity across all agentic workflows in the github/gh-aw repository for the past 7 days (April 22–28, 2026). A total of 42 workflow runs were analyzed, of which 39 had active firewall monitoring. The firewall intercepted 1,182 total network requests, allowing 944 (79.9%) and blocking 238 (20.1%). The dominant pattern is a large volume of (unknown) blocked entries, which represent non-HTTPS or protocol-level traffic that the Squid proxy cannot classify — this warrants investigation into whether these workflows require additional allowlist entries.

Key Metrics

Metric	Value
Workflow runs analyzed	42
Runs with firewall data	39
Total network requests	1,182
✅ Allowed requests	944 (79.9%)
🚫 Blocked requests	238 (20.1%)
Total unique blocked domains	4
Block rate	20.1%

Top Blocked Domains

Domain	Total Blocks	Workflows	Category
(unknown)	224	Daily Community Attribution Updater, Daily Syntax Error Quality Check, Daily Security Observability Report, Copilot PR Conversation NLP Analysis, Daily Testify Uber Super Expert, Glossary Maintainer, Update Astro	Unknown / Non-HTTPS traffic
proxy.golang.org:443	10	Refactoring Cadence	Development Services (Go modules)
ab.chatgpt.com:443	2	AI Moderator	AI/Chat Services
chatgpt.com:443	2	AI Moderator	AI/Chat Services

Note on (unknown) entries: These represent requests where the Squid proxy could not determine the destination hostname, typically from non-CONNECT HTTPS traffic, HTTP/3 (QUIC), or other non-standard protocols. The actual blocked services may include additional domains not captured in the logs.

📈 Firewall Activity Trends

Request Patterns

The chart shows firewall traffic over the past 7 days. A significant spike is visible on April 22, driven primarily by multiple workflows with high (unknown) blocked traffic. Traffic stabilized in subsequent days as those workflows ran on their respective schedules.

Top Blocked Domains

The (unknown) category dominates blocked traffic at 224 requests, representing 94% of all blocked traffic. proxy.golang.org:443 is the only clearly identifiable blocked domain with significant traffic (10 blocks), indicating the Refactoring Cadence workflow needs proxy.golang.org added to its allowed network domains.

View Detailed Request Patterns by Workflow

Daily Community Attribution Updater (§25049390898)

Domain	Blocked Count	Allowed Count	Block Rate	Category
(unknown)	58	0	100%	Unknown/Non-HTTPS
api.githubcopilot.com:443	0	91	0%	GitHub Copilot API

• Total requests: 149 | Blocked: 58 (38.9%)

Daily Syntax Error Quality Check (§25048936880)

Domain	Blocked Count	Allowed Count	Block Rate	Category
(unknown)	52	0	100%	Unknown/Non-HTTPS
api.githubcopilot.com:443	0	70	0%	GitHub Copilot API

• Total requests: 122 | Blocked: 52 (42.6%)

Daily Security Observability Report (§25049385920)

Domain	Blocked Count	Allowed Count	Block Rate	Category
(unknown)	50	0	100%	Unknown/Non-HTTPS
api.githubcopilot.com:443	0	57	0%	GitHub Copilot API
pypi.org:443	0	allowed	0%	Python Package Index
151.101.x.223:443	0	allowed	0%	Fastly CDN (GitHub)
146.75.76.223:443	0	allowed	0%	Fastly CDN

• Total requests: 107 | Blocked: 50 (46.7%)

Copilot PR Conversation NLP Analysis (§25048539438)

Domain	Blocked Count	Allowed Count	Block Rate	Category
(unknown)	38	0	100%	Unknown/Non-HTTPS
api.githubcopilot.com:443	0	39	0%	GitHub Copilot API
151.101.x.223:443	0	allowed	0%	Fastly CDN (GitHub)

• Total requests: 77 | Blocked: 38 (49.4%)

Daily Testify Uber Super Expert (§25051334166)

Domain	Blocked Count	Allowed Count	Block Rate	Category
(unknown)	24	0	100%	Unknown/Non-HTTPS
api.githubcopilot.com:443	0	29	0%	GitHub Copilot API

• Total requests: 53 | Blocked: 24 (45.3%)

Refactoring Cadence (§25051268692)

Domain	Blocked Count	Allowed Count	Block Rate	Category
proxy.golang.org:443	10	0	100%	Go Module Proxy
api.githubcopilot.com:443	0	7	0%	GitHub Copilot API

• Total requests: 17 | Blocked: 10 (58.8%)

AI Moderator (§25048405592, §25048957789)

Domain	Blocked Count	Allowed Count	Block Rate	Category
ab.chatgpt.com:443	2	0	100%	OpenAI/ChatGPT
chatgpt.com:443	2	0	100%	OpenAI/ChatGPT
api.githubcopilot.com:443	0	12	0%	GitHub Copilot API

• Total requests: 16 | Blocked: 4 (25.0%) — across 2 runs

Glossary Maintainer (§25048485748)

Domain	Blocked Count	Allowed Count	Block Rate	Category
(unknown)	1	0	100%	Unknown/Non-HTTPS

• Total requests: 66 | Blocked: 1 (1.5%)

Update Astro (§25049778455)

Domain	Blocked Count	Allowed Count	Block Rate	Category
(unknown)	1	0	100%	Unknown/Non-HTTPS

• Total requests: 38 | Blocked: 1 (2.6%)

View Complete Blocked Domains List

All unique blocked domains (alphabetical):

Domain	Total Blocks	Workflows
(unknown)	224	Daily Community Attribution Updater, Daily Syntax Error Quality Check, Daily Security Observability Report, Copilot PR Conversation NLP Analysis, Daily Testify Uber Super Expert, Glossary Maintainer, Update Astro
ab.chatgpt.com:443	2	AI Moderator
chatgpt.com:443	2	AI Moderator
proxy.golang.org:443	10	Refactoring Cadence

Security Recommendations

1. Investigate (unknown) blocked traffic — 224 blocks across 7 workflows are classified as (unknown). This is the most significant finding. These are likely HTTP/1.1 CONNECT tunneling attempts to non-HTTPS endpoints, or HTTP/3 (QUIC) traffic the proxy doesn't support. Consider enabling enhanced firewall logging or switching to a different traffic capture mechanism to identify the actual destinations.

2. Add proxy.golang.org to Refactoring Cadence — This workflow is attempting to access proxy.golang.org:443 for Go module downloads, which is blocked. Adding golang (or proxy.golang.org) to the workflow's network.allowed list would fix this:

   network:
     allowed:
       - golang  # Allows proxy.golang.org and sum.golang.org

3. AI Moderator blocking ChatGPT — The AI Moderator workflow is attempting to access chatgpt.com and ab.chatgpt.com. These are expected to be blocked (the workflow uses GitHub Copilot, not ChatGPT). No action needed unless these are intentional requests.

4. High block rates in Copilot-only workflows — Workflows like Daily Community Attribution Updater (38.9%), Daily Testify Uber Super Expert (45.3%), and Copilot PR Conversation NLP Analysis (49.4%) have very high block rates dominated by (unknown) traffic. Since these workflows only use api.githubcopilot.com, the (unknown) traffic is unexpected. This may indicate the Copilot CLI is making requests via a non-standard protocol that Squid cannot intercept.

5. Workflows with zero blocked traffic — 30 workflow runs had zero blocked requests. These are operating correctly within their network permissions.

References:

• §25051334166 — Daily Testify Uber Super Expert (latest, high block rate)
• §25049390898 — Daily Community Attribution Updater (highest block count)
• §25051268692 — Refactoring Cadence (proxy.golang.org blocked)

Generated by Daily Firewall Logs Collector and Reporter · ● 2.9M · ◷

• expires on May 1, 2026, 12:23 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Daily Firewall Logs Collector and Reporter.

A newer discussion is available at Discussion #29106.