Copilot AI commented Dec 23, 2025

The existing ecosystem domain system (python, node, go, containers, etc.) already includes all major package registries and CDNs, but lacked documentation and practical examples. Users experiencing firewall denials didn't know how to properly configure network allowlists.

New Documentation

Network Configuration Guide (docs/src/content/docs/guides/network-configuration.md):

  • Quick-start examples for common tech stacks (Python/PyPI, Node.js/npm, Go modules, Docker registries)
  • Multi-language project patterns combining multiple ecosystems
  • Troubleshooting guide for identifying and resolving firewall denials using gh aw logs output
  • Security best practices: start minimal, use ecosystem identifiers over individual domains

Example Workflows:

  • examples/network-python-project.md - PyPI package analysis
  • examples/network-node-project.md - npm package analysis
  • examples/network-multi-language.md - Multi-ecosystem project

Usage Pattern

network:
  allowed:
    - defaults     # Certificates, Ubuntu mirrors
    - python       # pypi.org, files.pythonhosted.org, conda
    - node         # registry.npmjs.org, yarnpkg.com, bun.sh
    - containers   # registry.hub.docker.com, ghcr.io, quay.io

Each ecosystem identifier expands to 5-30 domains. See ecosystem_domains.json for complete domain lists.
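As an added example (not code from the gh-aw project), the script below shows what the usage pattern above does in practice: it expands a `network.allowed` list into concrete host names and then triages firewall denial log lines, reporting for each denied host whether the current allowlist already covers it and, if not, which ecosystem identifier would. The `ECOSYSTEM_DOMAINS` mapping is a constructed, abbreviated stand-in for the project's `ecosystem_domains.json` (only the domains named on this page; the real file is larger), the log-line format is constructed, and the rule that an entry containing a dot is a literal host while anything else must be a known identifier is an assumption of this example.

```python
"""Expand network ecosystem identifiers into host names and triage denials.

Added example; ECOSYSTEM_DOMAINS and the log format are constructed and are
not the project's real ecosystem_domains.json or gh aw logs output.
"""
from __future__ import annotations

import re

# Constructed sample mapping: identifier -> domains it expands to.
# Only the domains quoted in the PR description are included here.
ECOSYSTEM_DOMAINS: dict[str, list[str]] = {
    "python": ["pypi.org", "files.pythonhosted.org"],
    "node": ["registry.npmjs.org", "yarnpkg.com", "bun.sh"],
    "containers": ["registry.hub.docker.com", "ghcr.io", "quay.io"],
}

# Constructed log format: "<timestamp> DENY|ALLOW host=<name> port=<n>".
_HOST_RE = re.compile(r"\bhost=(?P<host>[A-Za-z0-9.-]+)")


def expand_allowlist(allowed: list[str],
                     ecosystems: dict[str, list[str]] = ECOSYSTEM_DOMAINS) -> set[str]:
    """Return the concrete host names a network.allowed list grants.

    Assumption of this example: an entry containing a dot is a literal host;
    any other entry must name a known ecosystem identifier, otherwise we fail
    loudly rather than silently allow nothing (or everything).
    """
    hosts: set[str] = set()
    for entry in allowed:
        entry = entry.strip().lower()
        if "." in entry:
            hosts.add(entry)
        elif entry in ecosystems:
            hosts.update(ecosystems[entry])
        else:
            raise ValueError(f"unknown ecosystem identifier: {entry!r}")
    return hosts


def triage_denials(log_lines: list[str], allowed: list[str],
                   ecosystems: dict[str, list[str]] = ECOSYSTEM_DOMAINS) -> dict[str, str | None]:
    """Map each denied host to 'allowed' (already covered by the current
    allowlist), the identifier that would cover it, or None if no known
    ecosystem contains it (a candidate for an explicit literal entry)."""
    current = expand_allowlist(allowed, ecosystems)
    report: dict[str, str | None] = {}
    for line in log_lines:
        if " DENY " not in line:
            continue  # only denials need triage
        match = _HOST_RE.search(line)
        if not match:
            continue
        host = match.group("host").lower()
        if host in current:
            report[host] = "allowed"  # denial predates the current config
            continue
        covering = [name for name, doms in ecosystems.items() if host in doms]
        report[host] = covering[0] if covering else None
    return report


if __name__ == "__main__":
    # Constructed sample denial log.
    sample_log = [
        "2025-12-23T16:12:00Z DENY host=registry.hub.docker.com port=443",
        "2025-12-23T16:12:01Z ALLOW host=pypi.org port=443",
        "2025-12-23T16:12:02Z DENY host=example-cdn.invalid port=443",
        "2025-12-23T16:12:03Z DENY host=pypi.org port=443",
    ]
    for host, verdict in triage_denials(sample_log, ["python", "ghcr.io"]).items():
        print(f"{host}: {verdict}")
```

Running the script with the constructed log reports that `registry.hub.docker.com` would be covered by adding `containers`, that `example-cdn.invalid` matches no ecosystem and needs a deliberate literal entry (or should stay blocked), and that `pypi.org` is already granted by `python`. Printing `len(expand_allowlist(...))` before committing a config is a quick way to see how many hosts an identifier really opens, which is the point of the "start minimal" guidance.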

Documentation Updates

  • Cross-referenced network.md reference documentation to the new guide
  • Added firewall denial troubleshooting section to common-issues.md
  • Updated examples README with network configuration pointers
Original prompt

This section details the original issue you should resolve

<issue_title>[plan] Add package registry and CDN allowlists to firewall configuration</issue_title>
<issue_description>## Objective

Add commonly-used package registries and CDNs to the firewall allowlist to reduce legitimate request denials while maintaining security.

Context

The Firewall Report (referenced in discussion #7407) shows frequent blocks of CDN and registry domains. Workflows legitimately need access to npm, PyPI, Docker Hub, and common CDNs for package installation and dependency resolution.

Approach

  1. Review firewall denial logs to identify legitimate package registry and CDN domains
  2. Create a standard allowlist for common registries:
    • registry.npmjs.org (npm)
    • pypi.org, files.pythonhosted.org (PyPI)
    • registry.hub.docker.com (Docker Hub)
    • Common CDNs used by these services
  3. Document the allowlist in workflow configuration documentation
  4. Recommend workflows include these in their network.allowed configuration
  5. Consider creating a reusable network config snippet

Files to Create/Modify

  • Documentation file explaining standard network allowlists
  • Example workflow showing proper network configuration
  • Possibly: Shared YAML anchor or template for common network configs

Example Configuration

network:
  allowed:
    - "registry.npmjs.org"
    - "pypi.org"
    - "files.pythonhosted.org"
    - "registry.hub.docker.com"

Acceptance Criteria

  • Standard allowlist documented
  • Example configurations provided
  • Workflows updated to use allowlists where needed
  • Firewall denial rate decreases for legitimate registry access
  • No security regressions (overly broad allowlists)

Expected Impact

AI generated by Plan Command for discussion #7407

Comments on the Issue (you are @copilot in this section)

@pelikhan See existing sets python, node, go, ...


…istries

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Copilot AI changed the title [WIP] Add package registry and CDN allowlist to firewall configuration Document network ecosystem identifiers for package registries and CDNs Dec 23, 2025
Copilot AI requested a review from mnkiefer December 23, 2025 16:12
@pelikhan pelikhan marked this pull request as ready for review December 23, 2025 18:48
@pelikhan pelikhan merged commit bc9f095 into main Dec 23, 2025
4 checks passed
@pelikhan pelikhan deleted the copilot/add-firewall-allowlist-registries branch December 23, 2025 18:48