Skip to content

feat: add missing ecosystem domains for Deno, Java, and Python#16903

Merged
Mossaka merged 4 commits intomainfrom
feat/add-missing-ecosystem-domains
Feb 19, 2026
Merged

feat: add missing ecosystem domains for Deno, Java, and Python#16903
Mossaka merged 4 commits intomainfrom
feat/add-missing-ecosystem-domains

Conversation

@Mossaka
Copy link
Copy Markdown
Collaborator

@Mossaka Mossaka commented Feb 19, 2026

Summary

  • Add missing Deno CDN domains (esm.sh, cdn.jsdelivr.net, googleapis.deno.dev, googlechromelabs.github.io) to the node ecosystem — 5/10 Deno projects were blocked in the v4 build/test experiment
  • Add additional Java repository domains (central.sonatype.com, maven.google.com, dl.google.com, repo.gradle.org) to the java ecosystem
  • Add Rust registry domains (crates.io, index.crates.io, static.crates.io) to the python ecosystem for Python packages with Rust FFI dependencies (e.g. pydantic-core)

Context

The v4 build/test experiment (Feb 19, 2026) tested 98 repos across 10 languages. Key failures:

  • Deno: 5/10 projects failed due to missing CDN domains (esm.sh, cdn.jsdelivr.net)
  • Python/pydantic: Failed because crates.io was not in the Python allowlist (pydantic-core requires Rust compilation)
  • Java: Additional repository domains needed beyond what was already in the allowlist

Note: cdn.jsdelivr.net was already in the separate node-cdns ecosystem but was not included when workflows specify just node. It's now in both for completeness.

Test plan

  • Updated ecosystem_domains_test.go with new test assertions for Java, Node/Deno, and Python ecosystem domains
  • Added new test case python ecosystem includes Rust FFI domains for native packages
  • All ecosystem domain tests pass (go test ./pkg/workflow/ -run TestEcosystemDomain)

🤖 Generated with Claude Code

@Mossaka @claude
feat: add missing ecosystem domains for Deno, Java, and Python
d3ba3f2 
Add domains discovered missing in the v4 build/test experiment (Feb 19, 2026):

- Node/Deno: esm.sh, cdn.jsdelivr.net, googleapis.deno.dev,
  googlechromelabs.github.io (5/10 Deno projects were blocked)
- Java: central.sonatype.com, maven.google.com, dl.google.com,
  repo.gradle.org (additional Maven/Gradle repositories)
- Python: crates.io, index.crates.io, static.crates.io
  (Rust FFI deps like pydantic-core need Rust registry access)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings February 19, 2026 19:47
@Mossaka @claude
fix(domains): add missing firewall domains for Java, Deno/Node, and P…
dcc1a8e 
…ython ecosystems

From the v4 build/test experiment, several ecosystems were missing domains
that caused build failures:

Java ecosystem (was 1/8 success rate):
- central.sonatype.com (Maven snapshots/publishing)
- maven.google.com and dl.google.com (Google Maven repository)
- repo.gradle.org (Gradle plugin/dependency repository)

Node ecosystem (covers Deno via runtimeToEcosystem["deno"]="node"):
- esm.sh (ESM CDN imports, commonly used in Deno projects)
- googleapis.deno.dev (Google APIs for Deno)
- googlechromelabs.github.io (Chromium/Puppeteer binary downloads)

Python ecosystem:
- crates.io, index.crates.io, static.crates.io (Rust registry, required
  for building native extensions like pydantic-core via pip)

Update golden test fixtures and add test cases for new domains.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Copilot AI reviewed Feb 19, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Expands the ecosystem domain allowlists to unblock builds that require additional Deno/CDN, Java repository, and Rust-registry access (via Python native/Rust-FFI packages).

Changes:

  • Added additional Java repository/tooling domains to the java ecosystem.
  • Added Deno-related CDN/domains (including jsdelivr) to the node ecosystem for Deno workflows.
  • Added Rust registry domains to the python ecosystem and extended tests to assert their inclusion.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

File Description
pkg/workflow/data/ecosystem_domains.json Extends allowlisted domains for java, node (Deno/CDNs), and python (Rust registry access).
pkg/workflow/ecosystem_domains_test.go Adds/extends assertions to validate the new domains are included for the relevant ecosystems.
Comments suppressed due to low confidence (1)

pkg/workflow/data/ecosystem_domains.json:165

  • Adding Rust registry domains (crates.io, index.crates.io, static.crates.io) to the python ecosystem introduces overlap with the existing rust ecosystem. With the current GetDomainEcosystem implementation (map iteration), any code that tries to classify a domain into a single ecosystem (notably strict-mode suggestions) can become nondeterministic for these domains. If the overlap is intentional, GetDomainEcosystem should be updated to use a deterministic ecosystem order / priority (or otherwise handle multi-ecosystem domains explicitly).
    "index.crates.io",
    "static.crates.io"
  ],

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread pkg/workflow/data/ecosystem_domains.json
Comment on lines +141 to 144
"esm.sh",
"googleapis.deno.dev",
"googlechromelabs.github.io"
],
Copy link

Copilot AI Feb 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding cdn.jsdelivr.net to the node ecosystem creates an overlap with the existing node-cdns ecosystem. GetDomainEcosystem currently iterates over a Go map (for ecosystem := range ecosystemDomains), so when a domain exists in multiple ecosystems the returned ecosystem becomes nondeterministic (and can break/flap tests like TestGetDomainEcosystem which expects cdn.jsdelivr.netnode-cdns, and can also make strict-mode ecosystem suggestions unstable). Consider either (a) keeping cdn.jsdelivr.net in only one ecosystem, or (b) making GetDomainEcosystem deterministic by iterating ecosystems in a fixed priority order and explicitly preferring node-cdns over node for this domain.

This issue also appears on line 163 of the same file.

Copilot uses AI. Check for mistakes.
@Mossaka @claude
fix(domains): make GetDomainEcosystem deterministic with priority order
c5870fc 
Go map iteration is non-deterministic, so GetDomainEcosystem could return
different ecosystems on each call for domains that appear in multiple
ecosystems (e.g. cdn.jsdelivr.net in both "node" and "node-cdns").

Fix by introducing an ecosystemPriority slice that defines the order in
which ecosystems are checked. More specific sub-ecosystems are listed
before general ones:
- "node-cdns" before "node" (cdn.jsdelivr.net → node-cdns)
- "rust" before "python" (crates.io is a native Rust domain)

Any ecosystem not in the priority list is checked last in sorted order
for forward-compatibility.

Also add cdn.jsdelivr.net back to the "node" ecosystem in
ecosystem_domains.json — it was previously removed to avoid the
non-determinism, but is now safe to include since GetDomainEcosystem
consistently prefers "node-cdns" over "node".

Add TestGetDomainEcosystem_Determinism to verify stability across
repeated calls for multi-ecosystem domains.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@Mossaka
Copy link
Copy Markdown
Collaborator Author

Mossaka commented Feb 19, 2026

Addressed the non-determinism feedback in the latest commit.

Changes made:

  1. pkg/workflow/domains.go — Introduced an ecosystemPriority slice that defines the iteration order for GetDomainEcosystem. More specific sub-ecosystems are listed before general ones:

    • node-cdns before nodecdn.jsdelivr.net always resolves to node-cdns
    • rust before pythoncrates.io/index.crates.io/static.crates.io always resolve to rust (their native ecosystem)

    Any ecosystem not in the priority list falls back to sorted order for forward-compatibility with new entries.

  2. pkg/workflow/data/ecosystem_domains.json — Added cdn.jsdelivr.net back to the node ecosystem. It was previously removed to avoid the non-determinism; now that GetDomainEcosystem always prefers node-cdns, it's safe to include in both.

  3. pkg/workflow/domains_test.go — Added TestGetDomainEcosystem_Determinism which calls GetDomainEcosystem 20 times for each multi-ecosystem domain and asserts the result is stable.

All tests pass (go test ./pkg/workflow/ -run "TestEcosystemDomain|TestGetDomainEcosystem" -v -count=1).

@github-actions github-actions Bot mentioned this pull request Feb 19, 2026
Closed
@Mossaka @claude
fix: update golden files and fix formatting after ecosystem domain ad…
6243d85 
…ditions

- Regenerate WASM golden files for claude-with-network, smoke-copilot, and smoke-test-tools
  to reflect new firewall domain lists from ecosystem domain changes
- Fix go fmt formatting in domains.go and domains_test.go (alignment in comments)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@Mossaka Mossaka merged commit 7503e74 into main Feb 19, 2026
56 checks passed
@Mossaka Mossaka deleted the feat/add-missing-ecosystem-domains branch February 19, 2026 22:05
@github-actions github-actions Bot mentioned this pull request Apr 20, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Mossaka