Network Access Configuration

April 21, 2026 · View on GitHub

Use the network frontmatter field to control which domains an AI engine can reach during a workflow run. All traffic is enforced by the Agent Workflow Firewall (AWF).

Quick Reference

# Shorthand — use default infrastructure domains only
network: defaults

# Custom — allow defaults plus package registries for a Node.js project
network:
  allowed:
    - defaults
    - node

# Custom — allow specific external APIs
network:
  allowed:
    - defaults
    - api.example.com
    - "*.trusted-partner.com"

# No network access
network:
  allowed: []

Valid Values for network.allowed

Each entry in network.allowed must be one of:

TypeExamplesNotes
Ecosystem identifierdefaults, node, pythonExpands to a curated list of domains for that runtime/tool
Exact domainapi.example.com, registry.npmjs.orgMust be a fully-qualified domain name (FQDN)
Wildcard subdomain*.example.comMatches sub.example.com, deep.nested.example.com, and example.com itself

⚠️ Bare shorthands like npm, pypi, or localhost are NOT valid unless they are listed in the ecosystem identifiers table below. Using an unrecognised single-word entry causes a compile-time error. Use ecosystem identifiers (node, python) or explicit FQDNs (registry.npmjs.org, pypi.org) instead.

Ecosystem Identifiers

These keywords expand to curated lists of domains maintained by gh-aw:

IdentifierRuntime / ToolKey Domains Enabled
defaultsBasic infrastructureCertificate authorities, Ubuntu package verification, JSON schema
githubGitHub domains*.githubusercontent.com, codeload.github.com, docs.github.com
github-actionsGitHub Actions artifactsAzure Blob storage for action caches and artifacts
nodenpm / yarn / pnpmregistry.npmjs.org, npmjs.com, yarnpkg.com
pythonpip / PyPI / condapypi.org, files.pythonhosted.org, pip.pypa.io
goGo modulesproxy.golang.org, sum.golang.org, go.dev
dotnetNuGet / .NETapi.nuget.org, nuget.org, dotnet.microsoft.com
javaMaven / Gradlerepo1.maven.org, plugins.gradle.org, jdk.java.net
rubyBundler / RubyGemsrubygems.org, api.rubygems.org
rustCargocrates.io, index.crates.io, static.crates.io, sh.rustup.rs
swiftSwift Package Managerswift.org, cocoapods.org
phpComposer / Packagistpackagist.org, repo.packagist.org, getcomposer.org
dartpub.devpub.dev, pub.dartlang.org
haskellHackage / GHCup*.hackage.haskell.org, get-ghcup.haskell.org
perlCPANcpan.org, metacpan.org
containersDocker / GHCRghcr.io, registry.hub.docker.com, *.docker.io
playwrightPlaywright browsersplaywright.download.prss.microsoft.com, cdn.playwright.dev
linux-distrosapt / yum / apkdeb.debian.org, security.debian.org, Ubuntu/Alpine mirrors
terraformHashiCorpreleases.hashicorp.com, registry.terraform.io
localLoopback addresses127.0.0.1, ::1, localhost
bazelBazel buildreleases.bazel.build, bcr.bazel.build
clojureClojure / Clojarsclojars.org, repo.clojars.org
denoDeno / JSRdeno.land, jsr.io
elixirHex.pmhex.pm, repo.hex.pm
fontsGoogle Fontsfonts.googleapis.com, fonts.gstatic.com
juliaJulia packagespkg.julialang.org, julialang.org
kotlinKotlin / JetBrainspackages.jetbrains.team
luaLuaRocksluarocks.org
node-cdnsJS CDNscdn.jsdelivr.net, code.jquery.com, unpkg.com
ocamlOPAMopam.ocaml.org, ocaml.org
powershellPowerShell Gallerypowershellgallery.com
rCRANcran.r-project.org, cloud.r-project.org
scalasbt / Scalarepo.scala-sbt.org, repo1.maven.org
zigZig packagesziglang.org
dev-toolsCI/CD toolsRenovate, Codecov, shields.io, and other dev tooling
chromeChrome / Chromium*.googleapis.com, *.gvt1.com

Invalid Shorthands

These values look like ecosystem identifiers but are not recognised — using them in network.allowed causes a compile-time error:

Invalid valueWhat you probably meantCorrect value
npmnpm registrynode
pypiPython Package Indexpython
pippip package managerpython
cargoRust crate registryrust
gem or gemsRubyGemsruby
nugetNuGet package registrydotnet
mavenMaven Centraljava
gradleGradle pluginsjava
composerPHP Composerphp
dockerDocker Hub / GHCRcontainers
localhostLoopback interfacelocal

Domain Pattern Rules

  • Wildcard * requires a dot prefix: *.example.com is valid; bare * is blocked (and rejected outright in strict mode).
  • Protocol prefix is not supported: https://api.example.com is not a valid entry — omit the scheme and write api.example.com.
  • Subdomains must be explicit: github.com does not cover api.github.com; use *.github.com or add both entries.

Inferring the Right Ecosystem From Repository Files

When a workflow builds, tests, or installs packages, always add the matching ecosystem alongside defaults:

File indicatorsEcosystem to addEnables
package.json, yarn.lock, pnpm-lock.yaml, .nvmrcnoderegistry.npmjs.org
requirements.txt, pyproject.toml, uv.lock, Pipfilepythonpypi.org, files.pythonhosted.org
go.mod, go.sumgoproxy.golang.org, sum.golang.org
*.csproj, *.sln, *.slnxdotnetapi.nuget.org
pom.xml, build.gradlejavarepo1.maven.org
Gemfile, *.gemspecrubyrubygems.org
Cargo.tomlrustcrates.io
Package.swiftswiftswift.org
composer.jsonphppackagist.org
pubspec.yamldartpub.dev

⚠️ network: defaults alone is never sufficient for code workflowsdefaults covers basic infrastructure (certificate authorities, Ubuntu verification) but cannot reach package registries. Always add the language ecosystem identifier.

Common Patterns

Workflow that reads GitHub data only

network:
  allowed:
    - defaults
    - github

Node.js CI workflow

network:
  allowed:
    - defaults
    - node

Multi-language project

network:
  allowed:
    - defaults
    - node
    - python

Calling an external API

network:
  allowed:
    - defaults
    - api.myservice.com
    - "*.myservice.com"

No outbound network access

network:
  allowed: []