Add proxy.golang.org and sum.golang.org to jsweep network allowlist #22603

Merged
pelikhan merged 2 commits into main from copilot/add-proxy-golang-org-allowlist
Mar 24, 2026

Copilot AI commented Mar 24, 2026

The jsweep workflow was failing due to 29 blocked outbound requests to proxy.golang.org:443, preventing Go module resolution during agent execution.

Changes

  • jsweep.md: Added network.allowed block with proxy.golang.org and sum.golang.org (Go checksum DB)
  • jsweep.lock.yml: Recompiled — both domains now present in --allow-domains for the containerized agent

network:
  allowed:
    - proxy.golang.org
    - sum.golang.org

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:


If you need me to access, download, or install something from one of these locations, you can either:



Copilot AI changed the title from "[WIP] Add proxy.golang.org to jsweep workflow firewall allowlist" to "Add proxy.golang.org and sum.golang.org to jsweep network allowlist" Mar 24, 2026
Copilot AI requested a review from pelikhan March 24, 2026 05:30
@pelikhan pelikhan marked this pull request as ready for review March 24, 2026 05:32
Copilot AI review requested due to automatic review settings March 24, 2026 05:32
@pelikhan pelikhan merged commit 03a3fdf into main Mar 24, 2026
50 checks passed
@pelikhan pelikhan deleted the copilot/add-proxy-golang-org-allowlist branch March 24, 2026 05:32

Copilot AI left a comment

Pull request overview

Updates the jsweep agentic workflow’s network allowlist to permit Go module resolution by allowing access to the Go module proxy and checksum database.

Changes:

  • Adds a network.allowed block to the jsweep workflow definition.
  • Regenerates the compiled lock workflow so the AWF --allow-domains list reflects the updated network configuration.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| .github/workflows/jsweep.md | Adds workflow-level network.allowed entries intended to unblock Go module fetches. |
| .github/workflows/jsweep.lock.yml | Regenerated compiled workflow reflecting the new allowlist in metadata/env and AWF invocation. |

Comments suppressed due to low confidence (1)

.github/workflows/jsweep.lock.yml:629

  • The regenerated --allow-domains list dropped many baseline defaults domains that appear in other workflows (e.g., archive.ubuntu.com, security.ubuntu.com, ocsp.*/crl.*; compare .github/workflows/artifacts-summary.lock.yml:577). This is a much broader behavioral change than “add Go module domains” and is likely caused by setting network.allowed without including defaults.

After adding defaults (and go) in the source .md, re-run gh aw compile so the lockfile retains the baseline allowlist while adding the Go domains.

          sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --allow-domains "*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,bun.sh,cdn.jsdelivr.net,deb.nodesource.com,deno.land,esm.sh,get.pnpm.io,github.com,googleapis.deno.dev,googlechromelabs.github.io,host.docker.internal,jsr.io,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,proxy.golang.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,skimdb.npmjs.com,storage.googleapis.com,sum.golang.org,telemetry.enterprise.githubcopilot.com,telemetry.vercel.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.25.0 --skip-pull --enable-api-proxy \
            -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log

Comment on lines +36 to +37
- proxy.golang.org
- sum.golang.org

Copilot AI Mar 24, 2026

network.allowed is currently missing the defaults ecosystem. When network.allowed is set, defaults is no longer implicitly included, so this configuration drops baseline infrastructure domains (CA/OCSP/CRL, Ubuntu mirrors, JSON schema hosts) and can cause unrelated workflow/network failures.

Consider configuring this as ecosystem identifiers (e.g., defaults + go) instead of listing proxy.golang.org/sum.golang.org directly, so future Go-related domains stay covered automatically.

Suggested change
- proxy.golang.org
- sum.golang.org
- defaults
- go

Copilot uses AI. Check for mistakes.
GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
GH_AW_INFO_STAGED: "false"
GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]'
GH_AW_INFO_ALLOWED_DOMAINS: '["proxy.golang.org","sum.golang.org"]'
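
Review bot: on the GH_AW_INFO_ALLOWED_DOMAINS line, the old value '["defaults"]' is replaced outright by '["proxy.golang.org","sum.golang.org"]' instead of being extended, so the defaults entry no longer appears in the compiled metadata. Because jsweep.lock.yml is described as recompiled output, restore the entry by adding defaults to network.allowed in jsweep.md and recompiling, not by editing this line by hand, and confirm the regenerated --allow-domains list again covers the baseline hosts.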

Copilot AI Mar 24, 2026

This metadata now reports only ["proxy.golang.org","sum.golang.org"], which indicates the workflow frontmatter no longer includes defaults. That change removes baseline infrastructure domains from the computed firewall allowlist; recommend including defaults (and preferably go as an ecosystem identifier) in the frontmatter and re-compiling the lockfile so this reflects the intended configuration.

This issue also appears on line 628 of the same file.

Suggested change
GH_AW_INFO_ALLOWED_DOMAINS: '["proxy.golang.org","sum.golang.org"]'
GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","go","proxy.golang.org","sum.golang.org"]'

Copilot uses AI. Check for mistakes.
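
The regression both review comments describe can be caught mechanically before merge. The following is an added example, not code from gh-aw or from this pull request: it compares the old and new GH_AW_INFO_ALLOWED_DOMAINS lines and checks the compiled --allow-domains list against baseline hosts. The sample inputs are constructed and abridged from the lines quoted above, and the wildcard rule in `covered` is an assumption about how entries such as `*.jsr.io` match.

```python
import json
import shlex
import sys

# Constructed sample input, abridged from the lines quoted in this review.
OLD_INFO = """GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]'"""
NEW_INFO = """GH_AW_INFO_ALLOWED_DOMAINS: '["proxy.golang.org","sum.golang.org"]'"""
AWF_CMD = ('sudo -E awf --env-all --allow-domains '
           '"*.jsr.io,api.github.com,github.com,proxy.golang.org,'
           'registry.npmjs.org,sum.golang.org" --log-level info --skip-pull')
# Two of the baseline hosts the review names as present in other workflows.
BASELINE_SAMPLE = ["archive.ubuntu.com", "security.ubuntu.com"]


def info_entries(env_line):
    """Parse the JSON list out of a GH_AW_INFO_ALLOWED_DOMAINS line."""
    _, _, value = env_line.partition(":")
    return json.loads(value.strip().strip("'"))


def allow_domains(awf_cmd):
    """Return the --allow-domains entries of an awf command line."""
    args = shlex.split(awf_cmd)
    for i, arg in enumerate(args):
        if arg == "--allow-domains" and i + 1 < len(args):
            return [d for d in args[i + 1].split(",") if d]
        if arg.startswith("--allow-domains="):
            return [d for d in arg.split("=", 1)[1].split(",") if d]
    return []


def covered(host, entries):
    """Assumption: '*.example.com' covers subdomains; other entries match exactly."""
    for entry in entries:
        if entry == host:
            return True
        if entry.startswith("*.") and host.endswith(entry[1:]):
            return True
    return False


def audit(old_info, new_info, awf_cmd, baseline):
    """Report entries lost between two compiles and baseline hosts left uncovered."""
    old, new = info_entries(old_info), info_entries(new_info)
    compiled = allow_domains(awf_cmd)
    return {
        "dropped_entries": sorted(set(old) - set(new)),
        "added_entries": sorted(set(new) - set(old)),
        "baseline_missing": [h for h in baseline if not covered(h, compiled)],
    }


if __name__ == "__main__":
    report = audit(OLD_INFO, NEW_INFO, AWF_CMD, BASELINE_SAMPLE)
    print(json.dumps(report, indent=2))
    # Fail the check when anything was dropped or a baseline host is uncovered.
    sys.exit(1 if report["dropped_entries"] or report["baseline_missing"] else 0)
```
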

Development

Successfully merging this pull request may close these issues.

[plan] Add proxy.golang.org to jsweep workflow firewall allowlist

3 participants