Expand language ecosystem inference for network.allowed in create-agentic-workflow prompt

[Copilot]

The create-agentic-workflow prompt was telling agents to ask the user about network.allowed configuration, and its ecosystem-to-file indicator mappings lacked explicit domain names and some common indicators (.nvmrc, setup.cfg, uv.lock).

Changes

• Auto-infer instead of ask: Changed "explicitly ask about configuring network: allowlist" to "automatically infer from repository language files; only ask if context is insufficient"
• Explicit domain mappings: Each ecosystem entry now shows which registries are enabled, so agents understand what they're allowing:
  • node → enables registry.npmjs.org
  • python → enables pypi.org, files.pythonhosted.org
  • go → enables proxy.golang.org, sum.golang.org
  • ruby → enables rubygems.org
• Expanded file indicators:
  • Node.js: added .nvmrc
  • Python: added setup.cfg, uv.lock
• Both the detailed guidance section and the quick-reference checklist section were updated consistently

Example

A workflow for a Python repo with pyproject.toml should now automatically produce:

network:
  allowed:
    - defaults
    - python   # pypi.org, files.pythonhosted.org

without requiring the user to mention the stack.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[plan] Expand language ecosystem inference for network.allowed in create-agentic-workflow prompt</issue_title>
<issue_description>## Objective

Improve language/ecosystem inference in the create-agentic-workflow prompt so the agent automatically adds the correct package registry domains to network.allowed based on detected stack indicators, without requiring explicit user prompting.

Context

From Agent Persona Exploration discussion github/gh-aw#18250, the agent sometimes needs explicit prompting to add the right ecosystem to network.allowed (e.g., registry.npmjs.org for Node, pypi.org for Python, proxy.golang.org for Go). It relies on the user mentioning the stack rather than inferring it from context clues.

Approach

1. Locate the create-agentic-workflow prompt/skill
2. Expand the language indicator list with explicit mappings:
   • Node.js / npm: detect package.json, .nvmrc, node_modules → registry.npmjs.org
   • Python / pip: detect requirements.txt, pyproject.toml, setup.py → pypi.org, files.pythonhosted.org
   • Go: detect go.mod, go.sum → proxy.golang.org, sum.golang.org
   • Ruby: detect Gemfile → rubygems.org
3. Add prompt guidance: "If running tests or installing packages, infer the ecosystem from the repository's language files and add the appropriate registries to network.allowed"
4. This complements the existing network permission guidance

Files to Modify

• Update: the create-agentic-workflow prompt/skill with expanded language inference indicators

Acceptance Criteria

• Prompt includes explicit ecosystem → network domain mappings
• Agent infers package registry from repo language indicators without user prompting
• Agent correctly suggests network.allowed entries for all major ecosystems (Node, Python, Go, Ruby)

Generated by Plan Command for issue #discussion #18250

• expires on Feb 27, 2026, 4:46 AM UTC

Comments on the Issue (you are @copilot in this section)

• Fixes [plan] Expand language ecosystem inference for network.allowed in create-agentic-workflow prompt #18262

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

Pull request overview

Updates the create-agentic-workflow authoring prompt to have agents infer network.allowed ecosystem entries from repository file indicators (instead of prompting the user), and expands the indicator lists with more common language/tooling files plus clearer registry/domain guidance.

Changes:

• Switches guidance from “ask the user about network: allowlist” to “infer ecosystem from repo files; only ask if insufficient context”.
• Adds explicit ecosystem → registry/domain notes for Node, Python, Go, and Ruby.
• Expands language indicator lists (e.g., .nvmrc, setup.cfg, uv.lock) in both the detailed guidance and the quick-reference checklist.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The added domain callouts look incomplete/inaccurate compared to the canonical ecosystem/domain mapping in .github/aw/github-agentic-workflows.md (see table around lines 1528-1537). In particular, python mentions “pip/conda” but only lists PyPI domains (conda uses conda.anaconda.org, etc.), and node/go/ruby omit other key domains listed there. Suggest either (a) switch these parentheticals to “e.g.” and avoid implying exhaustiveness, and/or (b) align the listed domains with the table (including conda/yarn/pkg.go.dev where appropriate).

See below for a potential fix:

     - `requirements.txt`, `pyproject.toml`, `setup.py`, `setup.cfg`, `Pipfile`, `uv.lock` → add `python` (enables package indexes for pip/conda, e.g., `pypi.org`, `files.pythonhosted.org`, `conda.anaconda.org`)
     - `package.json`, `.nvmrc`, `yarn.lock`, `pnpm-lock.yaml` → add `node` (enables npm ecosystem registries, e.g., `registry.npmjs.org`, `registry.yarnpkg.com` for npm/yarn/pnpm)
     - `go.mod`, `go.sum` → add `go` (enables Go module endpoints, e.g., `proxy.golang.org`, `sum.golang.org`, `pkg.go.dev` for module downloads)
     - `pom.xml`, `build.gradle`, `build.gradle.kts` → add `java` (for Maven/Gradle)
     - `Gemfile`, `*.gemspec` → add `ruby` (enables RubyGems endpoints, e.g., `rubygems.org` for Bundler/RubyGems)

[Copilot]

This quick-reference indicator list is now inconsistent with the earlier “Key indicators” list above: it adds uv.lock but omits setup.cfg, and it adds .nvmrc but omits pnpm-lock.yaml (and Pipfile / *.gemspec consistency is mixed). If the intent is to keep both sections aligned (as described in the PR), consider updating this checklist list to match the indicators you just added earlier.

See below for a potential fix:

     - `requirements.txt`/`pyproject.toml`/`setup.py`/`setup.cfg`/`Pipfile` → `network: { allowed: [defaults, python] }` (enables `pypi.org`, `files.pythonhosted.org`)
     - `package.json`/`pnpm-lock.yaml`/`yarn.lock` → `network: { allowed: [defaults, node] }` (enables `registry.npmjs.org`)
     - `go.mod`/`go.sum` → `network: { allowed: [defaults, go] }` (enables `proxy.golang.org`, `sum.golang.org`)
     - `pom.xml`/`build.gradle` → `network: { allowed: [defaults, java] }` (Maven/Gradle)
     - `Gemfile` → `network: { allowed: [defaults, ruby] }` (enables `rubygems.org`)

[Copilot]

List indentation appears inconsistent here (- bullets at 196-198 vs the newly added bullets starting at 199). The extra leading space before - ⚠️ ... (and subsequent bullets) may render as a deeper nested list level in some Markdown parsers. Suggest normalizing indentation so all bullets under “Interact and Clarify” are at the same nesting level.

Suggested change

	- If the user says “campaign”, “KPI”, “pacing”, “cadence”, or “stop-after”, consult `.github/aw/campaign.md` (it’s still an agentic workflow; this is just a pattern).
	- If the user says “campaign”, “KPI”, “pacing”, “cadence”, or “stop-after”, consult `.github/aw/campaign.md` (it’s still an agentic workflow; this is just a pattern).