Copilot AI commented Nov 5, 2025

Phase 1 (repository settings) was completed by admin: opentofu.org added to custom allowlist to unblock OpenTofu installer. This PR completes Phase 2 (documentation) and Phase 3 (verification).

Changes

Created docs/contributing/copilot-agent-firewall.md

Comprehensive reference for firewall configuration:

  • Current configuration: custom domain (opentofu.org) and recommended allowlist status
  • Admin instructions: step-by-step configuration walkthrough
  • Domain vs URL rules: when to use each allowlist type
  • Security: best practices, limitations, minimal whitelist approach
  • Maintenance: adding domains, troubleshooting DNS/connection errors
  • History: configuration change tracking table

Updated cross-references

  • docs/contributing/README.md: Added firewall doc to quick reference table
  • packages/dependency-installer/README.md: Added "GitHub Copilot Agent Requirements" section linking to firewall configuration

Context

Without opentofu.org in allowlist:

$ cargo run --bin dependency-installer install --dependency opentofu
ERROR: curl: (6) Could not resolve host: get.opentofu.org

With configuration complete, OpenTofu installer can download from get.opentofu.org and install successfully. Other dependencies (Ansible, cargo-machete, LXD) covered by recommended allowlist.

Closes #147

Original prompt

This section details the original issue you should resolve

<issue_title>Configure Copilot Agent Firewall for Dependency Installer</issue_title>
<issue_description>## Overview

Configure GitHub Copilot agent's firewall to allow network access to domains required by the dependency installer binaries. The Copilot agent environment has a restricted firewall that blocks access to external domains by default.

Problem Statement

When GitHub Copilot agent attempts to install dependencies using the dependency-installer binary, network requests are blocked by the agent's firewall:

$ cargo run -p torrust-dependency-installer --bin dependency-installer -- install --dependency opentofu
2025-11-05T19:46:23.668278Z ERROR torrust_dependency_installer::app: Command failed error=Install command failed: Failed to install specific dependency: Installation failed: Failed to install dependency 'opentofu': Failed to download installer: curl: (6) Could not resolve host: get.opentofu.org

This prevents the agent from installing OpenTofu and running pre-commit checks.

Required Configuration

Domain to Whitelist: opentofu.org

  • Allows traffic to opentofu.org and all subdomains (e.g., get.opentofu.org)
  • Required for OpenTofu installer script and package downloads

Already Covered by Recommended Allowlist:

  • Ubuntu/Debian package repositories (for Ansible)
  • Rust package registry/crates.io (for cargo-machete)
  • Snap store (for LXD)

Implementation Steps

Phase 1: Repository Settings Configuration (15-30 min)

Prerequisites: Repository admin access required

  1. Navigate to: Settings → Copilot → coding agent
  2. Verify Enable firewall is ON
  3. Verify Recommended allowlist is ON
  4. Click Custom allowlist
  5. Add domain: opentofu.org
  6. Click Add Rule → Save changes

Phase 2: Documentation (15-30 min)

  • Create docs/contributing/copilot-agent-firewall.md
  • Document configured domains and rationale
  • Document configuration steps
  • Update related documentation

Phase 3: Verification (15-30 min)

  • Test OpenTofu installation in Copilot agent
  • Verify no firewall warnings appear
  • Update documentation if needed

Total Estimate: 45 minutes - 1.5 hours

Acceptance Criteria

Configuration:

  • opentofu.org added to custom allowlist
  • Recommended allowlist remains enabled
  • Firewall remains enabled

Documentation:

  • New doc: docs/contributing/copilot-agent-firewall.md
  • Includes all configured domains with rationale
  • Includes step-by-step instructions
  • Links to GitHub documentation

Verification:

  • Copilot agent can install OpenTofu successfully
  • No firewall warnings for configured domains
  • Pre-commit checks pass

Related Documentation

Notes

⚠️ Requires Manual Implementation: This issue cannot be implemented by Copilot agent because it requires repository admin access to modify settings. Must be done manually by a repository administrator.

Security: Keep firewall and recommended allowlist enabled. Only add specific required domains (minimal whitelist approach).

Specification

Full specification: docs/issues/configure-copilot-agent-firewall-for-dependency-installer.md</issue_description>

Comments on the Issue (you are @copilot in this section)

@josecelano ## ✅ Phase 1 Complete: Repository Settings Configured

The Copilot agent firewall has been configured with the required domain:

Custom Allowlist Configuration:

  • ✅ Added domain: opentofu.org
    • This allows traffic to opentofu.org and all subdomains (e.g., get.opentofu.org)
  • ✅ Firewall remains enabled
  • ✅ Recommended allowlist remains enabled

Next Steps:

  • Phase 2: Create documentation (docs/contributing/copilot-agent-firewall.md)
  • Phase 3: Verify OpenTofu installation works in Copilot agent environment

Configuration completed by: Repository administrator
Date: November 5, 2025</comment_new>
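
The domain-rule behaviour described above (one entry, `opentofu.org`, covering the domain and all of its subdomains) modelled as an added example; it is not code from this PR or from GitHub's firewall. The function names are hypothetical and every sample host except `get.opentofu.org` is constructed. It shows why matching must stop at a DNS label boundary when keeping a minimal allowlist.

```rust
// Added example: models the domain-rule semantics stated on this page
// (a domain entry covers the domain itself and every subdomain).
// Not GitHub's firewall implementation; all function names are hypothetical.

/// Lowercase a host name and drop the trailing root dot, so that
/// "GET.OpenTofu.org." and "get.opentofu.org" compare equal.
fn normalize(host: &str) -> String {
    host.trim().trim_end_matches('.').to_ascii_lowercase()
}

/// True when `host` equals `rule` or is a subdomain of it.
/// The comparison is on whole DNS labels: a plain string suffix test would
/// also accept "notopentofu.org", so the suffix must be preceded by a dot.
fn rule_covers(rule: &str, host: &str) -> bool {
    let (rule, host) = (normalize(rule), normalize(host));
    if rule.is_empty() || host.is_empty() {
        return false;
    }
    host == rule || host.ends_with(&format!(".{rule}"))
}

/// Hosts from `needed` that no rule in `allowlist` covers, in input order.
fn uncovered<'a>(allowlist: &[&str], needed: &[&'a str]) -> Vec<&'a str> {
    needed
        .iter()
        .copied()
        .filter(|h| !allowlist.iter().any(|r| rule_covers(r, h)))
        .collect()
}

fn main() {
    // The custom allowlist entry configured in Phase 1.
    let allowlist = ["opentofu.org"];
    // Constructed sample hosts; only get.opentofu.org appears on this page.
    let needed = [
        "get.opentofu.org",
        "opentofu.org",
        "notopentofu.org",
        "opentofu.org.example.net",
    ];
    for host in uncovered(&allowlist, &needed) {
        println!("not covered by custom allowlist: {host}");
    }
}
```
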



Co-authored-by: josecelano <58816+josecelano@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Configure Copilot agent firewall for dependency installer" to "docs: [#147] Document GitHub Copilot agent firewall configuration" Nov 5, 2025
Copilot AI requested a review from josecelano November 5, 2025 20:29
Copilot finished work on behalf of josecelano November 5, 2025 20:29
@josecelano josecelano marked this pull request as ready for review November 5, 2025 21:00
@josecelano josecelano left a comment

ACK d790707

@josecelano josecelano merged commit cd6be7d into main Nov 5, 2025
51 checks passed