Description
Summary
The v6 build-test experiment (March 17, 2026) tested 248 repos across 35 language categories. Domain allowlisting gaps are the #1 fixable blocker, affecting 35+ repos across 10 languages. Fixing these could recover ~21+ repo builds with minimal code changes — just adding domains to pkg/workflow/data/ecosystem_domains.json.
Missing Domains by Priority
🔴 Critical — Complete language shutdown or major regression
| Domain(s) | Ecosystem | Add To | Repos Affected | Expected Impact |
|---|---|---|---|---|
| `maven.pkg.jetbrains.space` | Kotlin | `kotlin` | kotlinx.coroutines, ktor, moshi (81 reqs blocked for coroutines alone) | 0% → ~60-80% build — Kotlin is at 0% in v6, down from 60% in v5 |
| `develocity.apache.org`, `scans-in.gradle.com`, `ge.spockframework.org` | Groovy/Java (Gradle Enterprise) | `java` | spock, nebula-project-plugin, grails-core | 25% → ~100% Groovy build |
| `caffeine.gradle-enterprise.cloud` | Java (Gradle Enterprise) | `java` | caffeine (40,600 tests in v5!) | Java regression fix — was working in v5 |
| `scala.jfrog.io` | Scala | `scala` | gitbucket, playframework, zio | 40% → ~80% Scala build |
🟡 High — New languages blocked at <40% build rate
| Domain(s) | Ecosystem | Add To | Repos Affected | Expected Impact |
|---|---|---|---|---|
| `opam.ocaml.org` | OCaml | `ocaml` | ocaml-re, angstrom, ppxlib, dream (4/5 repos) | 20% → ~100% build |
| `cloud.r-project.org`, `cran.r-project.org` | R | `r` | cli, rlang, stringr, lubridate (4/5 repos) | 20% → ~80% build |
| Hackage CDN/mirror sub-domains | Haskell | `haskell` | megaparsec, optparse-applicative, hspec (3/5 repos) | 40% → ~80% build |
Note on OCaml, R, and Haskell: The domains `opam.ocaml.org`, `cloud.r-project.org`/`cran.r-project.org`, and `*.hackage.haskell.org` already exist in `ecosystem_domains.json` as of the current `main` branch. The v6 failures may indicate: (a) these were added after the v0.60.0 release used in v6, (b) the workflow `.md` files don't specify the correct ecosystem in their `network.allowed` list, or (c) wildcard matching isn't working for sub-domains. Action needed: verify the workflow files reference the correct ecosystems, and re-test with the latest gh-aw to confirm these are resolved.
🟢 Medium — Individual repo fixes
| Domain(s) | Ecosystem | Add To | Repos Affected | Expected Impact |
|---|---|---|---|---|
| `powershellgallery.com` | PowerShell | new `powershell` ecosystem or `dotnet` | PSScriptAnalyzer | 80% → 100% PowerShell build |
| `www.googleapis.com` | Google APIs | `defaults` or per-ecosystem | dagger (Java), rules_python (Bazel) | 2 repos unblocked |
| `deps.files.ghostty.org` | Zig | `zig` | ghostty | 1 repo unblocked |
| CloudFront distribution domain (TBD) | Kotlin | `kotlin` | ktor | 1 repo — need to identify exact `*.cloudfront.net` domain |
| `pypi.org`, `files.pythonhosted.org` | Bazel+Python | `bazel` (cross-ref `python`) | rules_python | Bazel repo needs Python package domains |
Evidence
All data sourced from the v6 experiment report, specifically:
- Section 4.3: "New Blocked Domains (v6-specific)" — lists domains discovered via Squid proxy deny logs
- Section 3.12: Kotlin at 0% build with 81 requests blocked to `maven.pkg.jetbrains.space`
- Section 3.14: Groovy at 25% build — 3/4 repos blocked by Gradle enterprise domains
- Section 3.32: OCaml at 20% build — 4/5 repos blocked
- Section 3.27: R at 20% build — 4/5 repos stuck on package downloads
- Section 3.28: Haskell at 40% build — 3/5 repos blocked by Hackage sub-domains
Current State of ecosystem_domains.json
The ecosystem domain definitions live in pkg/workflow/data/ecosystem_domains.json. Current relevant entries:
| Ecosystem | Current Domains | What's Missing |
|---|---|---|
| `kotlin` | `ge.jetbrains.com`, `packages.jetbrains.team`, `kotlin.bintray.com` | `maven.pkg.jetbrains.space`, CloudFront CDN |
| `java` | 23 domains (Maven, Gradle, Adoptium, etc.) | Gradle Enterprise: `develocity.apache.org`, `scans-in.gradle.com`, `*.gradle-enterprise.cloud` |
| `scala` | `repo.scala-sbt.org`, `scala-ci.typesafe.com`, `repo.typesafe.com`, `jitpack.io`, `dl.bintray.com` | `scala.jfrog.io` |
| `ocaml` | `opam.ocaml.org`, `ocaml.org`, `erratique.ch` | ✅ Already present — verify workflow configs |
| `r` | `cloud.r-project.org`, `cran.r-project.org`, `cran.rstudio.com`, `r-project.org` | ✅ Already present — verify workflow configs |
| `haskell` | `haskell.org`, `*.hackage.haskell.org`, `get-ghcup.haskell.org`, `downloads.haskell.org` | Verify wildcard matching covers CDN/mirrors |
| `zig` | `ziglang.org`, `pkg.machengine.org` | `deps.files.ghostty.org` |
| (none) | — | `powershellgallery.com` (new ecosystem needed) |
Suggested Implementation
- Add missing domains to `ecosystem_domains.json`:
  - `kotlin`: add `maven.pkg.jetbrains.space`
  - `java`: add `develocity.apache.org`, `scans-in.gradle.com`, `*.gradle-enterprise.cloud`
  - `scala`: add `scala.jfrog.io`
  - `zig`: add `deps.files.ghostty.org`
  - New `powershell` ecosystem: `powershellgallery.com`, `www.powershellgallery.com`
- Verify workflow configs for OCaml, R, Haskell repos — ensure `network.allowed` includes the correct ecosystem identifier
- Consider adding `www.googleapis.com` to `defaults` or a new `google` ecosystem (used by multiple languages)
- Re-run affected repos after domain additions to validate fixes
Total Projected Impact
| Priority | Repos Fixable | Languages Improved |
|---|---|---|
| Critical | ~12 repos | Kotlin (0%→60-80%), Groovy (25%→100%), Scala (40%→80%), Java (+1) |
| High | ~11 repos | OCaml (20%→100%), R (20%→80%), Haskell (40%→80%) |
| Medium | ~6 repos | PowerShell (80%→100%), Zig (+1), Bazel (+1), Java (+1) |
| Total | ~29 repos | 10 languages |
Data from v6 experiment (gh-aw v0.60.0, 248 repos, 35 languages, March 17 2026)
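
An added example, not part of the original issue or of gh-aw's code: a Go triage helper that checks a host from the proxy deny log against ecosystem entries and separates domains that are missing outright from ones already listed under an ecosystem the workflow did not enable (cause (b) in the note above). The `ecosystems` sample, the `matches` semantics and the `diagnose` helper are assumptions for illustration, not the project's matcher.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample taken from the issue's "Current State" table, plus the
// proposed java wildcard. It is not the real ecosystem_domains.json.
var ecosystems = []struct{ name string; domains []string }{
	{"kotlin", []string{"ge.jetbrains.com", "packages.jetbrains.team", "kotlin.bintray.com"}},
	{"java", []string{"*.gradle-enterprise.cloud"}}, // proposed entry only
	{"ocaml", []string{"opam.ocaml.org", "ocaml.org", "erratique.ch"}},
	{"haskell", []string{"haskell.org", "*.hackage.haskell.org"}},
}

// matches uses ASSUMED semantics: a bare entry matches that host only, and
// "*.x" matches sub-domains of x on a label boundary but not x itself.
func matches(pattern, host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if strings.HasPrefix(pattern, "*.") {
		return len(host) > len(pattern)-1 && strings.HasSuffix(host, pattern[1:])
	}
	return host == pattern
}

// diagnose classifies a denied host for a workflow that enabled the given
// ecosystems: "allowed", "enable:<ecosystem>" (cause b) or "missing".
func diagnose(host string, enabled ...string) string {
	on := map[string]bool{}
	for _, e := range enabled {
		on[e] = true
	}
	verdict := "missing"
	for _, eco := range ecosystems {
		for _, p := range eco.domains {
			if matches(p, host) {
				if on[eco.name] {
					return "allowed"
				}
				verdict = "enable:" + eco.name
			}
		}
	}
	return verdict
}

func main() {
	fmt.Println(diagnose("maven.pkg.jetbrains.space", "kotlin"), diagnose("opam.ocaml.org", "java"))
}
```

Under these assumed semantics `hackage.haskell.org` itself is not covered by `*.hackage.haskell.org`, which is the kind of gap hypothesis (c) asks to be checked against the real matcher.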