Overview
Configure GitHub Copilot agent's firewall to allow network access to domains required by the dependency installer binaries. The Copilot agent environment has a restricted firewall that blocks access to external domains by default.
Problem Statement
When GitHub Copilot agent attempts to install dependencies using the dependency-installer binary, network requests are blocked by the agent's firewall:
$ cargo run -p torrust-dependency-installer --bin dependency-installer -- install --dependency opentofu
2025-11-05T19:46:23.668278Z ERROR torrust_dependency_installer::app: Command failed error=Install command failed: Failed to install specific dependency: Installation failed: Failed to install dependency 'opentofu': Failed to download installer: curl: (6) Could not resolve host: get.opentofu.org
This prevents the agent from installing OpenTofu and running pre-commit checks.
Required Configuration
Domain to Whitelist: opentofu.org
- Allows traffic to
opentofu.org and all subdomains (e.g., get.opentofu.org)
- Required for OpenTofu installer script and package downloads
Already Covered by Recommended Allowlist:
- Ubuntu/Debian package repositories (for Ansible)
- Rust package registry/crates.io (for cargo-machete)
- Snap store (for LXD)
Implementation Steps
Phase 1: Repository Settings Configuration (15-30 min)
Prerequisites: Repository admin access required
- Navigate to:
Settings → Copilot → coding agent
- Verify Enable firewall is ON
- Verify Recommended allowlist is ON
- Click Custom allowlist
- Add domain:
opentofu.org
- Click Add Rule → Save changes
Phase 2: Documentation (15-30 min)
- Create
docs/contributing/copilot-agent-firewall.md
- Document configured domains and rationale
- Document configuration steps
- Update related documentation
Phase 3: Verification (15-30 min)
- Test OpenTofu installation in Copilot agent
- Verify no firewall warnings appear
- Update documentation if needed
Total Estimate: 45 minutes - 1.5 hours
Acceptance Criteria
Configuration:
Documentation:
Verification:
Related Documentation
Notes
⚠️ Requires Manual Implementation: This issue cannot be implemented by Copilot agent because it requires repository admin access to modify settings. Must be done manually by a repository administrator.
Security: Keep firewall and recommended allowlist enabled. Only add specific required domains (minimal whitelist approach).
Specification
Full specification: docs/issues/configure-copilot-agent-firewall-for-dependency-installer.md
Overview
Configure GitHub Copilot agent's firewall to allow network access to domains required by the dependency installer binaries. The Copilot agent environment has a restricted firewall that blocks access to external domains by default.
Problem Statement
When GitHub Copilot agent attempts to install dependencies using the
dependency-installerbinary, network requests are blocked by the agent's firewall:This prevents the agent from installing OpenTofu and running pre-commit checks.
Required Configuration
Domain to Whitelist:
opentofu.orgopentofu.organd all subdomains (e.g.,get.opentofu.org)Already Covered by Recommended Allowlist:
Implementation Steps
Phase 1: Repository Settings Configuration (15-30 min)
Prerequisites: Repository admin access required
Settings→Copilot→coding agentopentofu.orgPhase 2: Documentation (15-30 min)
docs/contributing/copilot-agent-firewall.mdPhase 3: Verification (15-30 min)
Total Estimate: 45 minutes - 1.5 hours
Acceptance Criteria
Configuration:
opentofu.orgadded to custom allowlistDocumentation:
docs/contributing/copilot-agent-firewall.mdVerification:
Related Documentation
Notes
Security: Keep firewall and recommended allowlist enabled. Only add specific required domains (minimal whitelist approach).
Specification
Full specification: docs/issues/configure-copilot-agent-firewall-for-dependency-installer.md