Add Go proxy domains to CLI Consistency Checker network allowlist

[Copilot]

The CLI Consistency Checker workflow fails when running make build because the firewall blocks access to Go's module proxy servers, preventing Go 1.25.0 from downloading dependencies.

Changes

• Added proxy.golang.org and sum.golang.org to network.allowed in workflow frontmatter
• Recompiled workflow to propagate domains to awf firewall configuration

This follows the pattern established by other Go-building workflows (smoke-codex, dev, functional-pragmatist, gpclean).

network:
  allowed: [defaults, node, "api.github.com", "proxy.golang.org", "sum.golang.org"]

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[deep-report] Resolve CLI Consistency Checker Go 1.25.0 missing tool</issue_title>
<issue_description>### Description
Update the CLI Consistency Checker workflow to reliably access Go 1.25.0 (e.g., allowlist proxy.golang.org for that job or preinstall the toolchain). The audit report shows the workflow failing because Go 1.25.0 cannot be downloaded under current firewall rules.

Expected Impact

Eliminates the recurring missing-tool error and restores full coverage of CLI consistency checks.

Suggested Agent

Workflow maintenance agent

Estimated Effort

Medium (1-4 hours)

Data Source

DeepReport Intelligence Briefing - 2026-02-11 (audit report discussion #14959)

AI generated by DeepReport - Intelligence Gathering Agent

• expires on Feb 13, 2026, 3:36 PM UTC

Comments on the Issue (you are @copilot in this section)

• Fixes [deep-report] Resolve CLI Consistency Checker Go 1.25.0 missing tool #14971

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

Pull request overview

Updates the CLI Consistency Checker agentic workflow firewall allowlist so Go can fetch toolchain/modules via the Go module proxy endpoints during make build, resolving the reported “Go 1.25.0 missing tool” failures.

Changes:

• Allowlisted proxy.golang.org and sum.golang.org in the CLI Consistency Checker workflow frontmatter.
• Recompiled the workflow so the generated lock file propagates the updated allowlist into AWF firewall configuration.
• Includes additional generated lockfile diffs in other workflows (rate-limit env var) as a side-effect of recompilation.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
.github/workflows/cli-consistency-checker.md	Adds Go proxy + checksum domains to network.allowed frontmatter.
.github/workflows/cli-consistency-checker.lock.yml	Propagates the new domains into generated allowed_domains and AWF --allow-domains lists.
.github/workflows/workflow-generator.lock.yml	Generated lockfile change adding GH_AW_RATE_LIMIT_IGNORED_ROLES env var.
.github/workflows/example-custom-error-patterns.lock.yml	Generated lockfile change adding GH_AW_RATE_LIMIT_IGNORED_ROLES env var.
.github/workflows/auto-triage-issues.lock.yml	Generated lockfile change adding GH_AW_RATE_LIMIT_IGNORED_ROLES env var.
.github/workflows/ai-moderator.lock.yml	Generated lockfile change adding GH_AW_RATE_LIMIT_IGNORED_ROLES env var.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This PR is scoped/described as a CLI Consistency Checker firewall allowlist change, but the recompile also introduces GH_AW_RATE_LIMIT_IGNORED_ROLES in this (and other) workflows’ generated lock files. Since it’s unrelated to the Go proxy allowlist and appears behavior-neutral (matches the default), consider either reverting these unrelated lockfile diffs to keep the PR focused, or explicitly calling out this additional generated change in the PR description/title so reviewers understand why multiple workflows changed.