Daily Firewall Report - 2026-04-01

[github-actions[bot]]

This report covers all agentic workflow runs with the network firewall enabled for the period up to 2026-04-01. Data was collected from squid proxy audit logs across 33 firewall-enabled workflow runs.

The firewall is operating effectively: 97.5% of real network requests were allowed while 2.5% were blocked. Five workflows triggered blocked requests, with the most activity coming from Dependabot Dependency Checker (blocked Go proxy access) and Changeset Generator (blocked ChatGPT/GitHub domains). These findings suggest targeted allowlist additions rather than systemic issues.

---

📊 Key Metrics

Metric	Value
🔍 Workflow Runs Analyzed	33
📡 Total Network Requests	1,138 (real requests)
✅ Allowed Requests	1,110 (97.5%)
🚫 Blocked Requests	28 (2.5%)
🌐 Unique Blocked Domains	8
⚠️ Runs with Blocked Traffic	5 of 33

Firewall version: v0.25.6 (squid proxy) — active on all analyzed runs

---

🚫 Top Blocked Domains

Domain	🚫 Blocks	Category	Workflows
proxy.golang.org	10	Go Package Registry	Dependabot Dependency Checker
ab.chatgpt.com	7	AI Services	Changeset Generator
github.com	5	GitHub (allowlist gap)	Changeset Generator
chatgpt.com	2	AI Services	Smoke Codex, Changeset Generator
api.github.com	1	GitHub (allowlist gap)	Changeset Generator
codeload.github.com	1	GitHub (allowlist gap)	Changeset Generator
release-assets.githubusercontent.com	1	GitHub CDN	CI Cleaner
nodejs.org	1	Node.js Registry	Glossary Maintainer

---

📈 Firewall Activity Trends

Request Patterns (Hourly — 2026-04-01 UTC)

Peak blocked traffic occurred in the 05:00–09:00 UTC window, driven by the Changeset Generator and Dependabot Dependency Checker runs. The 11:00 UTC batch saw 8 runs with zero blocked requests, indicating good network hygiene in newer workflows.

Top Blocked Domains

proxy.golang.org dominates blocked traffic (36% of all blocks) — a clear sign that Dependabot Dependency Checker needs Go proxy access added to its network allowlist. ChatGPT domains represent intentional blocks (AI model access restriction working as designed).

---

View Detailed Request Patterns by Workflow

Workflow: Smoke Codex (1 run)

Domain	Blocked	Allowed	Notes
chatgpt.com:443	1	0	AI service — blocked by design
api.openai.com:443	0	13	✅ OpenAI API allowed
github.com:443	0	1	✅ GitHub allowed

• Total allowed requests: 14
• Total blocked: 1 (7.1% block rate)
• Run: §23833156240

---

Workflow: Changeset Generator (1 run)

Domain	Blocked	Allowed	Notes
ab.chatgpt.com:443	7	0	ChatGPT analytics/AB — AI restriction
github.com:443	5	8	⚠️ Partial blocking — allowlist gap
chatgpt.com:443	1	0	AI service — blocked by design
api.github.com:443	1	0	⚠️ Missing from allowlist
codeload.github.com:443	1	1	⚠️ Partial — allowlist gap
proxy.golang.org:443	0	7	✅ Go proxy allowed
storage.googleapis.com:443	0	5	✅ GCS allowed
registry.npmjs.org:443	0	4	✅ npm allowed

• Total allowed: 25, Total blocked: 15 (37.5% block rate)
• This workflow has the most serious allowlist gaps — GitHub domains are being partially blocked
• Run: §23833156302

---

Workflow: CI Cleaner (1 run)

Domain	Blocked	Allowed	Notes
release-assets.githubusercontent.com:443	1	0	GitHub CDN — not in allowlist
proxy.golang.org:443	0	12	✅ Go proxy allowed
registry.npmjs.org:443	0	10	✅ npm allowed
sum.golang.org:443	0	7	✅ Go sum allowed
storage.googleapis.com:443	0	1	✅ GCS allowed

• Total allowed: 112, Total blocked: 1 (0.9% block rate)
• Run: §23835205602

---

Workflow: Dependabot Dependency Checker (1 run)

Domain	Blocked	Allowed	Notes
proxy.golang.org:443	10	10	⚠️ Partially allowed — inconsistent behavior
registry.npmjs.org:443	0	19	✅ npm allowed

• Total allowed: 29, Total blocked: 10 (25.6% block rate)
• The Go proxy is partially in the allowlist but getting denied intermittently
• Run: §23841895291

---

Workflow: Glossary Maintainer (1 run)

Domain	Blocked	Allowed	Notes
nodejs.org:443	1	0	Node.js official site — not in allowlist
api.githubcopilot.com:443	0	34	✅ Copilot API allowed
registry.npmjs.org:443	0	15	✅ npm allowed

• Total allowed: 49, Total blocked: 1 (2.0% block rate)
• Run: §23843783508

View Complete Blocked Domains List

Alphabetically sorted list of all unique blocked domains:

Domain	Total Blocks	Date	Workflows
ab.chatgpt.com	7	2026-04-01	Changeset Generator
api.github.com	1	2026-04-01	Changeset Generator
chatgpt.com	2	2026-04-01	Changeset Generator, Smoke Codex
codeload.github.com	1	2026-04-01	Changeset Generator
github.com	5	2026-04-01	Changeset Generator
nodejs.org	1	2026-04-01	Glossary Maintainer
proxy.golang.org	10	2026-04-01	Dependabot Dependency Checker
release-assets.githubusercontent.com	1	2026-04-01	CI Cleaner

---

✅ Allowed Domains (for reference)

Domain	Total Requests	Used By
api.githubcopilot.com	746	20 workflows
api.anthropic.com	221	9 workflows
registry.npmjs.org	57	5 workflows
proxy.golang.org	42	3 workflows
api.openai.com	13	2 workflows
raw.githubusercontent.com	9	2 workflows
github.com	8	3 workflows
sum.golang.org	7	2 workflows
storage.googleapis.com	6	3 workflows
codeload.github.com	1	1 workflow

---

🎯 Security Recommendations

🔴 High Priority

1. Changeset Generator — Fix GitHub allowlist gaps

   • api.github.com, codeload.github.com, and github.com are being partially blocked in this workflow
   • The github allowlist preset should cover these, but the workflow may not be using it
   • Action: Verify the workflow uses allowed: [defaults, github] in its network config

2. Dependabot Dependency Checker — Add golang to network allowlist

   • proxy.golang.org is being intermittently blocked (10 blocks, 10 allowed in same run)
   • This likely causes dependency resolution failures
   • Action: Add golang or proxy.golang.org to the workflow's network.allowed list

🟡 Medium Priority

3. CI Cleaner — Add release-assets.githubusercontent.com

   • GitHub release asset downloads are blocked — likely preventing downloading CI tool binaries
   • Action: Add release-assets.githubusercontent.com to the network.allowed list or use the github preset

4. Glossary Maintainer — Add nodejs.org

   • The official Node.js site is blocked — possibly needed for version checking or download
   • Action: Add nodejs.org to network.allowed in the workflow frontmatter

🟢 Working as Intended

5. ChatGPT/OpenAI domains being blocked — chatgpt.com and ab.chatgpt.com being blocked in Smoke Codex and Changeset Generator workflows is expected behavior. These are external AI services that should not be accessible from agentic workflows (which have their own model APIs configured).

---

References:

• Changeset Generator run §23833156302
• Dependabot Dependency Checker run §23841895291
• CI Cleaner run §23835205602

AI generated by Daily Firewall Logs Collector and Reporter · history

• expires on Apr 4, 2026, 12:03 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Daily Firewall Logs Collector and Reporter.

A newer discussion is available at Discussion #24087.