Suggest tools.github.mode: gh-proxy when api.github.com is firewall-blocked

[Copilot]

When the sandbox firewall blocks api.github.com, the alert in the agent issue/comment body should steer users toward tools.github.mode: gh-proxy rather than blindly adding api.github.com to network.allowed.

Changes

• firewall_blocked_domains.cjs — generateBlockedDomainsSection now detects api.github.com in the blocked list and injects a tip before the network.allowed snippet:

  💡 Tip: `api.github.com` is blocked because GitHub API access uses the built-in GitHub tools by default.
  Instead of adding `api.github.com` to `network.allowed`, use `tools.github.mode: gh-proxy`...
  

  Includes a YAML example and a link to the GitHub Tools docs.

• firewall_blocked_domains.test.cjs — Three new cases: api.github.com alone, mixed with other blocked domains, and absent (no tip shown).

[pelikhan]

@copilot move text into markdown template in actions/setup/md and use render template function helper

[Copilot]

Done in 2eb2067. Created actions/setup/md/firewall_blocked_domains.md with {key} placeholders for all dynamic content, and updated generateBlockedDomainsSection to use renderTemplateFromFile from messages_core.cjs. Tests pass the source-tree template path explicitly via an optional second parameter.

[pelikhan]

@copilot move this tip to template file as well

[Copilot]

Done in 4e3a6c9. The tip text now lives in firewall_blocked_domains.md inside a {{#if {has_github_api_blocked}}}...{{/if}} block. The JS passes has_github_api_blocked: "true"/"false" to renderTemplateFromFile, then chains renderMarkdownTemplate for the conditional pass (isTruthy("false") === false per the template engine's explicit check).

[github-actions]

🧪 Test Quality Sentinel Report

Test Quality Score: 100/100

✅ Excellent test quality

Metric	Value
New/modified tests analyzed	5
✅ Design tests (behavioral contracts)	5 (100%)
⚠️ Implementation tests (low value)	0 (0%)
Tests with error/edge cases	5 (100%)
Duplicate test clusters	0
Test inflation detected	No (ratio: 1.36×)
🚨 Coding-guideline violations	None

---

Test Classification Details

Test	File	Classification	Issues Detected
should use destIpPort as fallback when domain is placeholder	firewall_blocked_domains.test.cjs	✅ Design	None
should filter out internal Squid error entries (::1 client, -:- destination)	firewall_blocked_domains.test.cjs	✅ Design	None
should suggest gh-proxy mode when api.github.com is blocked	firewall_blocked_domains.test.cjs	✅ Design	None
should suggest gh-proxy mode when api.github.com is among other blocked domains	firewall_blocked_domains.test.cjs	✅ Design	None
should not suggest gh-proxy mode when api.github.com is not blocked	firewall_blocked_domains.test.cjs	✅ Design	None

---

Flagged Tests — Requires Review

None. All new tests are high-quality behavioral tests.

---

Language Support

Tests analyzed:

• 🟨 JavaScript (*.test.cjs): 5 tests (vitest)

---

Verdict

✅ Check passed. 0% of new tests are implementation tests (threshold: 30%).

All five new tests assert on observable return values and cover important behavioral contracts: iptables-dropped traffic fallback, Squid internal error filtering, gh-proxy suggestion when api.github.com is blocked (positive, combined, and negative cases). Each test also exercises error/edge paths (null/empty inputs, non-existent directories, placeholder domain handling).

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

• Assert on observable outputs, return values, or state changes
• Cover error paths and boundary conditions
• Would catch a behavioral regression if deleted
• Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

• Assert on internal function calls (mocking internals)
• Only test the happy path with typical inputs
• Break during legitimate refactoring even when behavior is correct
• Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

References: §24898168106

🧪 Test quality analysis by Test Quality Sentinel · ● 729.8K · ◷

[github-actions]

✅ Test Quality Sentinel: 100/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). All 5 new tests verify behavioral contracts with real assertions on observable outputs and solid edge-case coverage.

[Copilot]

Pull request overview

Updates the firewall-blocked-domains warning to give targeted guidance when api.github.com is blocked, steering users toward GitHub Tools gh-proxy mode instead of adding the GitHub API domain to network.allowed.

Changes:

• Adds a conditional “gh-proxy” tip when api.github.com appears in the blocked domain list.
• Refactors generateBlockedDomainsSection to render from a Markdown template with placeholder substitution + conditional processing.
• Extends test coverage with cases for api.github.com present/absent.

Show a summary per file

File	Description
actions/setup/md/firewall_blocked_domains.md	Adds templated warning content and conditional gh-proxy tip when GitHub API is blocked.
actions/setup/js/firewall_blocked_domains.cjs	Switches blocked-domain section generation to template rendering and adds api.github.com detection.
actions/setup/js/firewall_blocked_domains.test.cjs	Adds/updates tests to validate the new tip behavior and template-based rendering.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 3/3 changed files
• Comments generated: 4

[Copilot]

The {domain_list} placeholder line ends with an extra > ({domain_list}>), which will render an unintended standalone blockquote marker after the bullet list. Remove the trailing > so the rendered warning block doesn’t include a spurious > line.

Suggested change

	{domain_list}>
	{domain_list}

[Copilot]

The YAML list placeholder and the closing code fence are currently on the same template line ({yaml_network_list}> ````). This is fragile and can produce malformed Markdown depending on whether the placeholder expansion ends with a newline. Put {yaml_network_list}on its own line and keep the closing> ``` on the next line (and remove any stray>` after the placeholder) so the fenced block is always well-formed.

Suggested change

	{yaml_network_list}> ```
	{yaml_network_list}
	> ```

[Copilot]

The JSDoc still says this function generates an “HTML details/summary section”, but the implementation now renders a Markdown warning alert from a template. Update the description to match the actual output to avoid confusing future maintainers.

See below for a potential fix:

 * Renders a Markdown GitHub warning alert for blocked domains from a template
 * @param {string[]} blockedDomains - Array of blocked domain names (expected to be pre-sanitized via getBlockedDomains)
 * @param {string} [templatePath] - Optional path to template file (defaults to RUNNER_TEMP/gh-aw/prompts/firewall_blocked_domains.md)
 * @returns {string} Rendered Markdown warning alert, or empty string if no blocked domains

[Copilot]

Template path resolution here doesn’t honor the existing GH_AW_PROMPTS_DIR override that other prompt-rendering code uses (e.g., actions/setup/js/comment_memory.cjs:24 and actions/setup/js/gateway_difc_filtered.cjs:128). To keep behavior consistent (and make testing/overrides work uniformly), consider resolving promptsDir via process.env.GH_AW_PROMPTS_DIR || ${process.env.RUNNER_TEMP}/gh-aw/prompts`` when templatePath isn’t provided.

Suggested change

	// Resolve template path: explicit > RUNNER_TEMP (production) > source tree (local dev/test)
	let resolvedTemplatePath = templatePath;
	if (!resolvedTemplatePath) {
	resolvedTemplatePath = process.env.RUNNER_TEMP ? `${process.env.RUNNER_TEMP}/gh-aw/prompts/firewall_blocked_domains.md` : path.join(__dirname, "../md/firewall_blocked_domains.md");
	// Resolve template path: explicit > GH_AW_PROMPTS_DIR override > RUNNER_TEMP (production) > source tree (local dev/test)
	let resolvedTemplatePath = templatePath;
	if (!resolvedTemplatePath) {
	const promptsDir =
	process.env.GH_AW_PROMPTS_DIR ||
	(process.env.RUNNER_TEMP && `${process.env.RUNNER_TEMP}/gh-aw/prompts`);
	resolvedTemplatePath = promptsDir
	? path.join(promptsDir, "firewall_blocked_domains.md")
	: path.join(__dirname, "../md/firewall_blocked_domains.md");