diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index d3c9ca108a3..5638cef4181 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -42,7 +42,7 @@ # - shared/mood.md # - shared/reporting.md # -# frontmatter-hash: a6921a13bb643abf9ba88fb54707b78ce0984ca06e486e3ddc30fc3a824293b2 +# frontmatter-hash: 0b3a36033c9a5a9f012dcaaadda443842af75df8d790b2999c8be7eb89bdfae6 name: "MCP Inspector Agent" "on": @@ -233,7 +233,7 @@ jobs: actor: context.actor, event_name: context.eventName, staged: false, - allowed_domains: ["defaults","containers","node","cdn.jsdelivr.net","fonts.googleapis.com","fonts.gstatic.com"], + allowed_domains: ["defaults","containers","node","node-cdns","fonts"], firewall_enabled: true, awf_version: "v0.19.0", awmg_version: "v0.1.4", diff --git a/.github/workflows/mcp-inspector.md b/.github/workflows/mcp-inspector.md index 07543a8c15d..6f78897ccaa 100644 --- a/.github/workflows/mcp-inspector.md +++ b/.github/workflows/mcp-inspector.md @@ -14,9 +14,8 @@ network: - defaults - containers - node - - "cdn.jsdelivr.net" # npm package CDN - - "fonts.googleapis.com" # Google Fonts API - - "fonts.gstatic.com" # Google Fonts static content + - node-cdns + - fonts sandbox: agent: awf # Firewall enabled (migrated from network.firewall) safe-outputs: diff --git a/pkg/workflow/data/ecosystem_domains.json b/pkg/workflow/data/ecosystem_domains.json index 72ac6eaf944..fa94451216d 100644 --- a/pkg/workflow/data/ecosystem_domains.json +++ b/pkg/workflow/data/ecosystem_domains.json @@ -55,6 +55,7 @@ "oneocsp.microsoft.com" ], "dart": ["pub.dev", "pub.dartlang.org"], + "fonts": ["fonts.googleapis.com", "fonts.gstatic.com"], "github": [ "*.githubusercontent.com", "raw.githubusercontent.com", @@ -134,6 +135,7 @@ "*.jsr.io", "registry.bower.io" ], + "node-cdns": ["cdn.jsdelivr.net"], "perl": ["cpan.org", "www.cpan.org", "metacpan.org", "cpan.metacpan.org"], "php": ["repo.packagist.org", "packagist.org", "getcomposer.org"], "playwright": ["playwright.download.prss.microsoft.com", "cdn.playwright.dev"], diff --git a/pkg/workflow/domains_test.go b/pkg/workflow/domains_test.go index 2d99a108d86..548194f2834 100644 --- a/pkg/workflow/domains_test.go +++ b/pkg/workflow/domains_test.go @@ -42,6 +42,25 @@ func TestGetDomainEcosystem(t *testing.T) { expected: "containers", }, + // Fonts ecosystem + { + name: "fonts ecosystem - fonts.googleapis.com", + domain: "fonts.googleapis.com", + expected: "fonts", + }, + { + name: "fonts ecosystem - fonts.gstatic.com", + domain: "fonts.gstatic.com", + expected: "fonts", + }, + + // Node CDNs ecosystem + { + name: "node-cdns ecosystem - cdn.jsdelivr.net", + domain: "cdn.jsdelivr.net", + expected: "node-cdns", + }, + // Container ecosystem wildcard matches { name: "containers ecosystem - docker.io subdomain", @@ -467,6 +486,21 @@ func TestGetAllowedDomains_VariousCombinations(t *testing.T) { allowed: []string{"defaults", "node", "containers"}, expectContains: []string{"json-schema.org", "registry.npmjs.org", "ghcr.io", "registry.hub.docker.com"}, }, + { + name: "fonts ecosystem", + allowed: []string{"fonts"}, + expectContains: []string{"fonts.googleapis.com", "fonts.gstatic.com"}, + }, + { + name: "node-cdns ecosystem", + allowed: []string{"node-cdns"}, + expectContains: []string{"cdn.jsdelivr.net"}, + }, + { + name: "node + node-cdns ecosystems", + allowed: []string{"node", "node-cdns"}, + expectContains: []string{"registry.npmjs.org", "cdn.jsdelivr.net"}, + }, { name: "single literal domain", allowed: []string{"example.com"},