Configure Copilot Agent Firewall for Dependency Installer #147

@josecelano

Overview

Configure GitHub Copilot agent's firewall to allow network access to domains required by the dependency installer binaries. The Copilot agent environment has a restricted firewall that blocks access to external domains by default.

Problem Statement

When GitHub Copilot agent attempts to install dependencies using the dependency-installer binary, network requests are blocked by the agent's firewall:

$ cargo run -p torrust-dependency-installer --bin dependency-installer -- install --dependency opentofu
2025-11-05T19:46:23.668278Z ERROR torrust_dependency_installer::app: Command failed error=Install command failed: Failed to install specific dependency: Installation failed: Failed to install dependency 'opentofu': Failed to download installer: curl: (6) Could not resolve host: get.opentofu.org

This prevents the agent from installing OpenTofu and running pre-commit checks.

Required Configuration

Domain to Whitelist: opentofu.org

  • Allows traffic to opentofu.org and all subdomains (e.g., get.opentofu.org)
  • Required for OpenTofu installer script and package downloads

Already Covered by Recommended Allowlist:

  • Ubuntu/Debian package repositories (for Ansible)
  • Rust package registry/crates.io (for cargo-machete)
  • Snap store (for LXD)

Implementation Steps

Phase 1: Repository Settings Configuration (15-30 min)

Prerequisites: Repository admin access required

  1. Navigate to: Settings → Copilot → coding agent
  2. Verify Enable firewall is ON
  3. Verify Recommended allowlist is ON
  4. Click Custom allowlist
  5. Add domain: opentofu.org
  6. Click Add Rule → Save changes

Phase 2: Documentation (15-30 min)

  • Create docs/contributing/copilot-agent-firewall.md
  • Document configured domains and rationale
  • Document configuration steps
  • Update related documentation

Phase 3: Verification (15-30 min)

  • Test OpenTofu installation in Copilot agent
  • Verify no firewall warnings appear
  • Update documentation if needed

Total Estimate: 45 minutes - 1.5 hours

Acceptance Criteria

Configuration:

  • opentofu.org added to custom allowlist
  • Recommended allowlist remains enabled
  • Firewall remains enabled

Documentation:

  • New doc: docs/contributing/copilot-agent-firewall.md
  • Includes all configured domains with rationale
  • Includes step-by-step instructions
  • Links to GitHub documentation

Verification:

  • Copilot agent can install OpenTofu successfully
  • No firewall warnings for configured domains
  • Pre-commit checks pass

Related Documentation

Notes

⚠️ Requires Manual Implementation: This issue cannot be implemented by Copilot agent because it requires repository admin access to modify settings. Must be done manually by a repository administrator.

Security: Keep firewall and recommended allowlist enabled. Only add specific required domains (minimal whitelist approach).

Specification

Full specification: docs/issues/configure-copilot-agent-firewall-for-dependency-installer.md
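For the allowlist documentation and verification phases described in the issue, the following added example (not part of the issue and not code from the torrust project) extracts blocked hosts from installer log lines and reports which custom allowlist entry covers each one. It assumes an entry covers the domain and its subdomains, as the issue states for opentofu.org; the function names and the second sample log line are constructed for illustration.

```rust
// Added example (not project code): triage hosts blocked for the installer.
// Assumption: a domain entry covers the domain itself and its subdomains,
// as the issue states for opentofu.org.

/// Extract the host from curl's exit-code-6 message, if the line carries one.
fn blocked_host(line: &str) -> Option<String> {
    const MARK: &str = "Could not resolve host: ";
    let rest = &line[line.find(MARK)? + MARK.len()..];
    let host: String = rest
        .chars()
        .take_while(|c| c.is_ascii_alphanumeric() || *c == '.' || *c == '-')
        .collect();
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    if host.is_empty() { None } else { Some(host) }
}

/// True when `host` equals `entry` or ends with ".{entry}" (label boundary),
/// so a look-alike such as "notopentofu.org" is not treated as covered.
fn covered_by(host: &str, entry: &str) -> bool {
    let (host, entry) = (host.to_ascii_lowercase(), entry.to_ascii_lowercase());
    host == entry || host.ends_with(&format!(".{entry}"))
}

/// Hosts seen blocked in `log`, each paired with the allowlist entry covering it.
fn triage<'a>(log: &str, allowlist: &[&'a str]) -> Vec<(String, Option<&'a str>)> {
    let mut out: Vec<(String, Option<&'a str>)> = Vec::new();
    for host in log.lines().filter_map(blocked_host) {
        if out.iter().any(|(h, _)| *h == host) { continue; } // de-duplicate
        let entry = allowlist.iter().copied().find(|e| covered_by(&host, e));
        out.push((host, entry));
    }
    out
}

// Constructed sample: the first host is the one from the issue's error,
// the second is a made-up look-alike that only contains the allowed name.
const SAMPLE_LOG: &str = "ERROR ... curl: (6) Could not resolve host: get.opentofu.org\n\
ERROR ... curl: (6) Could not resolve host: get.opentofu.org.example.net\n";

fn main() {
    for (host, entry) in triage(SAMPLE_LOG, &["opentofu.org"]) {
        match entry {
            Some(e) => println!("{host}: covered by allowlist entry {e}"),
            None => println!("{host}: NOT covered, review before adding"),
        }
    }
}
```

A host reported as not covered is a prompt to review whether the dependency really needs it before a new entry goes into the custom allowlist.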
