[q] fix(code-simplifier): allow Go module proxy domains in network config #18207
Description
Problem
The code-simplifier workflow was blocked from running go build, go test, and make lint because proxy.golang.org was not in the network allowlist.
Evidence from PR #18197 (run #22365564592):
⚠️ Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
proxy.golang.org
Changes
Added a network.allowed block to .github/workflows/code-simplifier.md:
network:
allowed:
- "proxy.golang.org" # Go module proxy (go get, go build, go test)
- "sum.golang.org" # Checksum database (go mod verify)
- "storage.googleapis.com" # Backing store for proxy.golang.orgValidation
- ✅
code-simplifier.mdcompiled successfully with no errors or warnings
References
- Blocked run: https://github.com/github/gh-aw/actions/runs/22365564592
- PR with firewall evidence: [code-simplifier] refactor: extract execGHAPI helper in checks_command (#18164) #18197
- Triggered by: @pelikhan via
/q update code simplifier with network go domain
🎩 Equipped by Q
- expires on Feb 26, 2026, 8:30 PM UTC
Note
This was originally intended as a pull request, but the git push operation failed.
Workflow Run: View run details and download patch artifact
The patch file is available in the agent-artifacts artifact in the workflow run linked above.
To apply the patch locally:
# Download the artifact from the workflow run https://github.com/github/gh-aw/actions/runs/22368647195
# (Use GitHub MCP tools if gh CLI is not available)
gh run download 22368647195 -n agent-artifacts -D /tmp/agent-artifacts-22368647195
# The patch file will be at agent-artifacts/tmp/gh-aw/aw-q-code-simplifier-go-network.patch after download
# Apply the patch (--3way handles cross-repo patches where files may already exist)
git am --3way /tmp/agent-artifacts-22368647195/aw-q-code-simplifier-go-network.patchShow patch preview (77 of 77 lines)
From e80469d32adde757c052749a4723a960ffb1f457 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Tue, 24 Feb 2026 20:28:14 +0000
Subject: [PATCH] fix(code-simplifier): allow Go module proxy domains in
network config
Adds network access for proxy.golang.org, sum.golang.org, and
storage.googleapis.com so the workflow can run go build/test/lint
without firewall blocks (as seen in run #22365564592 / PR #18197).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
.github/workflows/code-simplifier.lock.yml | 8 ++++----
.github/workflows/code-simplifier.md | 6 ++++++
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml
index c2e87df..5b7f3c7 100644
--- a/.github/workflows/code-simplifier.lock.yml
+++ b/.github/workflows/code-simplifier.lock.yml
@@ -27,7 +27,7 @@
# Imports:
# - shared/reporting.md
#
-# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"f20363e19346c33ebd23b72cadb046203ed01d40c2a747c4590bb413606a0244"}
+# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"6b79622d431a791446a3e59c0343ec2c1b27aa4e02ee9aea206ce3c5b1ec88f5"}
name: "Code Simplifier"
"on":
@@ -318,7 +318,7 @@ jobs:
actor: context.actor,
event_name: context.eventName,
staged: false,
- allowed_domains: ["defaults"],
+ allowed_domains: ["proxy.golang.org","sum.golang.org","storage.googleapis.com"],
firewall_enabled: true,
awf_version: "v0.20.2",
awmg_version: "v0.1.5",
@@ -684,7 +684,7 @@ jobs:
timeout-minutes: 30
run: |
set -o pipefail
- sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githu
... (truncated)