Skip to content

Expand Java ecosystem allowlist for firewall-enabled workflows #12400

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Mossaka merged 4 commits into from
Jan 29, 2026
Merged

Expand Java ecosystem allowlist for firewall-enabled workflows #12400

Mossaka merged 4 commits into from
Jan 29, 2026

Conversation

Copy link
Contributor

Copilot AI commented Jan 29, 2026
edited
Loading

Java workflows were blocked when fetching tooling (Maven/Gradle/JDK) because key CDN and discovery domains were missing from the java network profile.

  • Network allowlist: Added Apache CDN/archive (dlcdn.apache.org, archive.apache.org), Java downloads (download.java.net), Foojay Disco API (api.foojay.io), and Azul CDN (cdn.azul.com) to pkg/workflow/data/ecosystem_domains.json.
  • Coverage: Extended the Java ecosystem test to assert the new domains are included in allowed lists.

Example (network excerpt):

"java": [
  "repo.maven.apache.org",
  "services.gradle.org",
  "download.oracle.com",
  "dlcdn.apache.org",
  "archive.apache.org",
  "download.java.net",
  "api.foojay.io",
  "cdn.azul.com"
]
Original prompt

This section details on the original issue you should resolve

<issue_title>Add missing domains to Java ecosystem profile</issue_title>
<issue_description>## Summary

While testing agentic workflows on popular Java OSS repositories (gson, commons-lang, caffeine), several domains required for Java development were blocked by the firewall. These domains should be added to the java ecosystem profile in pkg/workflow/data/ecosystem_domains.json.

Blocked Domains Discovered

Domain Purpose Blocked In
dlcdn.apache.org Apache download CDN for Maven/tools gson, commons-lang
archive.apache.org Apache archive for older releases gson
download.java.net Java downloads caffeine
api.foojay.io Foojay Disco API for Java toolchain discovery (used by Gradle toolchains plugin) caffeine

Context

When running agentic workflows with the java ecosystem profile enabled, agents that need to download Java tooling (JDK, Maven, Gradle) often fail because:

  1. Apache CDN domains - Maven and other Apache tools are distributed via dlcdn.apache.org and archive.apache.org, which are not in the current Java profile
  2. Java.net downloads - Some Java distributions and tools are hosted on download.java.net
  3. Foojay API - The Foojay Disco API (api.foojay.io) is used by Gradle's toolchain auto-provisioning feature to discover and download JDKs

Current Java Profile

"java": [
  "www.java.com",
  "jdk.java.net",
  "api.adoptium.net",
  "adoptium.net",
  "repo.maven.apache.org",
  "maven.apache.org",
  "repo1.maven.org",
  "maven.pkg.github.com",
  "maven.oracle.com",
  "repo.spring.io",
  "gradle.org",
  "services.gradle.org",
  "plugins.gradle.org",
  "plugins-artifacts.gradle.org",
  "repo.grails.org",
  "download.eclipse.org",
  "download.oracle.com",
  "jcenter.bintray.com"
]

Proposed Additions

"java": [
  // ... existing domains ...
  "dlcdn.apache.org",
  "archive.apache.org", 
  "download.java.net",
  "api.foojay.io",
  "cdn.azul.com"  // Azul Zulu JDK downloads (commonly used alternative JDK)
]

Test Repositories

Reproduction

  1. Create an agentic workflow with java in the allowed network list: 
    network:
  firewall: true
  allowed:
    - defaults
    - github
    - java
  2. Run a workflow that needs to download Maven or configure Gradle toolchains
  3. Observe blocked domain errors in firewall logs

Evidence

Firewall access logs showing blocked requests:

TCP_DENIED dlcdn.apache.org:443
TCP_DENIED archive.apache.org:443
TCP_DENIED download.java.net:443
```</issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
</comments>

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI and others added 2 commits January 29, 2026 00:34
@Mossaka
chore: plan domain additions for java profile
ee2d268 
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
@Mossaka
feat: expand java ecosystem allowed domains
746ace5 
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
@github-actions github-actions bot mentioned this pull request Jan 29, 2026
Closed
Copilot AI changed the title [WIP] Add missing domains to Java ecosystem profile Expand Java ecosystem allowlist for firewall-enabled workflows Jan 29, 2026
Copilot AI requested a review from Mossaka January 29, 2026 00:44
@Mossaka Mossaka marked this pull request as ready for review January 29, 2026 01:16
@github-actions
Copy link
Contributor

github-actions bot commented Jan 29, 2026

🔍 PR Triage Results

Category: chore | Risk: low | Priority: 45/100

Scores Breakdown

  • Impact: 20/50 - Infrastructure/tooling update
  • Urgency: 15/30 - 0 days old, 0 comments
  • Quality: 10/20 - Description: good, CI: unknown

📋 Recommended Action: batch_review

Medium-priority PR suitable for batch processing

Batch: This PR is part of the firewall-config batch along with #12399. Consider reviewing both PRs together for efficient processing.

Triaged by PR Triage Agent on 2026-01-29

AI generated by PR Triage Agent

@github-actions github-actions bot mentioned this pull request Jan 29, 2026
Merged
@github-actions
Copy link
Contributor

github-actions bot commented Jan 29, 2026

🔍 PR Triage Results

Category: bug | Risk: medium | Priority: 45/100

Scores Breakdown

  • Impact: 35/50 - Bug fixes have higher impact
  • Urgency: 0/30 - Age: 0 days, Ready for review
  • Quality: 10/20 - Acceptable quality

📋 Recommended Action: batch_review

This PR can be reviewed as part of a batch with similar PRs to improve efficiency.

Triaged by PR Triage Agent on 2026-01-29

AI generated by PR Triage Agent

@Mossaka Mossaka merged commit 9ef4b52 into main Jan 29, 2026
56 checks passed
@Mossaka Mossaka deleted the copilot/add-missing-domains-java-profile branch January 29, 2026 23:03
@github-actions github-actions bot mentioned this pull request Jan 30, 2026
Closed
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mossaka Mossaka Awaiting requested review from Mossaka

Assignees

@Mossaka Mossaka

Copilot code review Copilot

Labels

pr-action:batch_review pr-action:batch-review pr-agent:copilot pr-batch:firewall-config pr-priority:medium pr-risk:low pr-risk:medium pr-type:bug pr-type:chore

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add missing domains to Java ecosystem profile

2 participants

@Mossaka