[plan] Fix workflow network allowlist gaps from 2026-04-03 firewall report #24311

@github-actions

Context

From the Daily Firewall Report - 2026-04-03, the firewall blocked 28 requests across 15 workflow runs. Several are legitimate allowlist gaps that need fixing.

Tasks

🔴 High Priority: Dependabot Dependency Checker

Blocked requests to proxy.golang.org (5 blocks) and pkg.go.dev (1 block) are causing silent failures in Go dependency resolution. Add the Go ecosystem domains to this workflow's allowlist. Include sum.golang.org as well: it is the checksum database the go tool consults by default (GOSUMDB), so module downloads that get past the proxy would otherwise fail at verification.

File: The Dependabot Dependency Checker workflow markdown file (search for dependabot under .github/workflows/ or top-level *.md workflow files).

Update the network.allowed section:

```yaml
network:
  allowed:
    - defaults
    - proxy.golang.org
    - sum.golang.org
    - pkg.go.dev
```

🟡 Medium Priority: Glossary Maintainer

nodejs.org (1 block) — the workflow fetches Node.js release metadata or downloads tooling. Add nodejs.org to its network allowlist if it is a legitimate dependency.

🟡 Medium Priority: GPL Dependency Cleaner

storage.googleapis.com (1 block) — used for downloading tools/packages. Add storage.googleapis.com to its allowlist if confirmed as a legitimate dependency.

🟡 Medium Priority: Investigate github.com vs .github.com policy gap

The Changeset Generator and AI Moderator workflows use a restricted custom allowlist that excludes github.com (bare) and api.github.com. The default policy allows *.github.com (subdomain wildcard) but not the bare github.com hostname.

  • Check whether these workflows legitimately need direct github.com / api.github.com access.
  • If yes, add explicit entries to their custom allowlists or switch to GitHub MCP toolsets.
  • If not, document that these blocks are expected.
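The check behind the Dependabot task above and the github.com vs *.github.com question in this section can be done mechanically. The following is an added example, not code from this issue or from the repository's workflows: it parses the `network.allowed` list out of a workflow file's YAML frontmatter, matches each blocked host from the report against it, and reports the hosts no entry covers. It assumes (not stated on the page) that the report can be reduced to `<workflow> <blocked-host>` lines, that wildcard entries have the form `*.example.com`, and that named bundles such as `defaults` are opaque to the check. The workflow frontmatter and report lines are constructed samples.

```python
"""Check blocked hosts from a firewall report against per-workflow allowlists.

Added example; not part of the issue or the repository it refers to.
Assumptions: report lines are "<workflow> <blocked-host>"; each workflow
markdown file has YAML frontmatter with a block-style `network.allowed` list
whose entries are exact hostnames, `*.example.com` wildcards, or opaque
named bundles such as `defaults`.
"""
import re
from collections import defaultdict

# Constructed frontmatter for two workflows (not the repository's real files).
WORKFLOWS = {
    "dependabot-dependency-checker": """---
on: schedule
network:
  allowed:
    - defaults
    - proxy.golang.org
    - sum.golang.org
    - pkg.go.dev
---
# Dependabot Dependency Checker
""",
    "changeset-generator": """---
network:
  allowed:
    - "*.github.com"
    - registry.npmjs.org
---
# Changeset Generator
""",
}

# Constructed firewall report: one "<workflow> <blocked host>" line per block.
REPORT = """\
dependabot-dependency-checker proxy.golang.org
dependabot-dependency-checker proxy.golang.org
dependabot-dependency-checker pkg.go.dev
changeset-generator github.com
changeset-generator api.github.com
changeset-generator uploads.github.com
"""


def parse_allowed(markdown: str) -> list[str]:
    """Return the entries of `network.allowed` from the YAML frontmatter.

    Minimal on purpose: handles only the block-list layout shown in the issue.
    """
    m = re.match(r"^---\n(.*?)\n---\n", markdown, re.S)
    if not m:
        return []
    entries, in_network, in_allowed = [], False, False
    for line in m.group(1).splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                       # new top-level key
            in_network = line.startswith("network:")
            in_allowed = False
        elif in_network and line.strip() == "allowed:":
            in_allowed = True
        elif in_allowed and line.strip().startswith("- "):
            entries.append(line.strip()[2:].strip().strip("'\""))
        elif in_allowed and indent <= 2:      # sibling key ends the list
            in_allowed = False
    return entries


def host_allowed(host: str, allowed: list[str]) -> bool:
    """Exact entries match only themselves. `*.example.com` matches any
    subdomain but NOT the bare `example.com`, which is exactly the gap the
    issue describes. Named bundles (e.g. `defaults`) are opaque here."""
    host = host.lower().rstrip(".")
    for entry in allowed:
        entry = entry.lower()
        if entry.startswith("*."):
            if host.endswith(entry[1:]):      # ".github.com" suffix: subdomains only
                return True
        elif host == entry:
            return True
    return False


def find_gaps(report: str, workflows: dict[str, str]) -> dict[str, dict[str, int]]:
    """Map workflow -> {blocked host -> count} for hosts its allowlist does not cover."""
    gaps = defaultdict(lambda: defaultdict(int))
    for line in report.splitlines():
        if not line.strip():
            continue
        workflow, host = line.split()
        if not host_allowed(host, parse_allowed(workflows.get(workflow, ""))):
            gaps[workflow][host] += 1
    return {w: dict(h) for w, h in gaps.items()}


if __name__ == "__main__":
    for workflow, hosts in find_gaps(REPORT, WORKFLOWS).items():
        for host, n in hosts.items():
            print(f"{workflow}: {host} blocked {n}x, not covered by network.allowed")
```

With the constructed data the Dependabot workflow shows no remaining gaps once the Go domains are present, while the Changeset Generator still shows bare `github.com`: `*.github.com` covers `api.github.com` and `uploads.github.com` but not the apex host, so the apex needs its own explicit entry if the workflow really talks to it. Because `defaults` is opaque to this check, a host reported here may still be covered by that bundle; confirm against the bundle's actual contents before adding entries.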

🧹 Low Priority: Cleanup unused regex rule

The allow-both-regex rule (matches *.jsr.io) had 0 hits today. If jsr.io is not actively used by any workflow, remove the regex rule to simplify the firewall policy.

Acceptance Criteria

  • Dependabot workflow allowlist includes proxy.golang.org, sum.golang.org, pkg.go.dev
  • Glossary Maintainer allowlist updated (or documented as intentional if nodejs.org access is not needed)
  • GPL Dependency Cleaner allowlist updated (or documented if storage.googleapis.com is not needed)
  • github.com / api.github.com gap investigated and resolved (either allowlist updated or behavior confirmed as expected)
  • Unused allow-both-regex / *.jsr.io rule removed if confirmed unused

References

Generated by Plan Command for discussion #24286.

  • This issue expires on Apr 5, 2026, 1:44 PM UTC
