github · pelikhan · Mar 18, 2026 · Mar 18, 2026 · Mar 18, 2026 · Mar 18, 2026
diff --git a/docs/src/content/docs/reference/network.md b/docs/src/content/docs/reference/network.md
@@ -101,8 +101,10 @@ Mix ecosystem identifiers with specific domains for fine-grained control:
 | `containers` | Docker Hub, GitHub Container Registry, Quay |
 | `linux-distros` | Debian, Alpine, and other Linux package repositories |
 | `dotnet`, `dart`, `go`, `haskell`, `java`, `julia`, `node`, `perl`, `php`, `python`, `ruby`, `rust`, `swift` | Language-specific package managers and registries |
+| `deno` | Deno runtime (`deno.land`, `jsr.io`, `*.jsr.io`, `googleapis.deno.dev`, `fresh.deno.dev`) |
 | `terraform` | HashiCorp and Terraform domains |
 | `playwright` | Playwright testing framework domains (see [Playwright Reference](/gh-aw/reference/playwright/)) |
+| `chrome` | Headless Chrome/Puppeteer browser testing (`*.google.com`, `*.googleapis.com`, `*.gvt1.com`) |
 
 Common identifiers: `python` (PyPI/pip), `node` (npm/yarn/pnpm), `containers` (Docker Hub/GHCR), `go` (proxy.golang.org). See the [Network Configuration Guide](/gh-aw/guides/network-configuration/) for complete domain lists.
 

diff --git a/pkg/workflow/data/ecosystem_domains.json b/pkg/workflow/data/ecosystem_domains.json
@@ -1,5 +1,6 @@
 {
-  "bazel": ["releases.bazel.build", "mirror.bazel.build", "bcr.bazel.build", "blog.bazel.build", "pypi.org", "files.pythonhosted.org"],
+  "bazel": ["releases.bazel.build", "mirror.bazel.build", "bcr.bazel.build", "blog.bazel.build"],
+  "chrome": ["*.google.com", "*.googleapis.com", "*.gvt1.com"],
   "clojure": ["repo.clojars.org", "clojars.org"],
   "containers": ["ghcr.io", "registry.hub.docker.com", "*.docker.io", "*.docker.com", "production.cloudflare.docker.com", "dl.k8s.io", "pkgs.k8s.io", "quay.io", "mcr.microsoft.com", "gcr.io", "auth.docker.io"],
   "dart": ["pub.dev", "pub.dartlang.org", "storage.googleapis.com"],
@@ -40,6 +41,7 @@
     "packages.microsoft.com",
     "www.googleapis.com"
   ],
+  "deno": ["deno.land", "jsr.io", "*.jsr.io", "googleapis.deno.dev", "fresh.deno.dev"],
   "dev-tools": [
     "app.renovatebot.com",
     "appveyor.com",
@@ -62,7 +64,6 @@
     "sonarqube.com",
     "travis-ci.com"
   ],
-  "local": ["127.0.0.1", "::1", "localhost"],
   "dotnet": [
     "nuget.org",
     "dist.nuget.org",
@@ -176,6 +177,7 @@
     "download.opensuse.org",
     "cdn.redhat.com"
   ],
+  "local": ["127.0.0.1", "::1", "localhost"],
   "lua": ["luarocks.org", "www.luarocks.org"],
   "node": [
     "npmjs.org",

diff --git a/pkg/workflow/domains.go b/pkg/workflow/domains.go
@@ -263,9 +263,11 @@ func getDomainsFromRuntimes(runtimes map[string]any) []string {
 //
 // # Supported ecosystem identifiers:
 //   - "defaults": basic infrastructure (certs, JSON schema, Ubuntu, package mirrors)
+//   - "chrome": headless Chrome/Puppeteer browser testing (*.google.com, *.googleapis.com, *.gvt1.com)
 //   - "clojure": Clojure/Clojars
 //   - "containers": container registries (Docker, GHCR, etc.)
 //   - "dart": Dart/Flutter ecosystem
+//   - "deno": Deno runtime (deno.land, *.jsr.io, googleapis.deno.dev, fresh.deno.dev)
 //   - "dotnet": .NET and NuGet ecosystem
 //   - "elixir": Elixir/Hex
 //   - "github": GitHub domains (*.githubusercontent.com, github.githubassets.com, etc.)
@@ -342,14 +344,16 @@ var ecosystemPriority = []string{
 	"dart",
 	"defaults",
 	"dev-tools",
+	"deno", // before "node" — deno-specific domains take precedence over the broader node set
 	"dotnet",
 	"elixir",
-	"fonts",
+	"fonts", // before "chrome" — fonts.googleapis.com is a fonts domain, not a chrome domain
 	"github",
 	"github-actions",
 	"go",
 	"haskell",
-	"java",
+	"java", // before "chrome" — maven.google.com and dl.google.com are Java domains, not chrome domains
+	"chrome",
 	"kotlin",
 	"linux-distros",
 	"local",

diff --git a/pkg/workflow/domains_test.go b/pkg/workflow/domains_test.go
@@ -43,7 +43,7 @@ func TestGetDomainEcosystem(t *testing.T) {
 			expected: "containers",
 		},
 
-		// Fonts ecosystem
+		// Fonts ecosystem (takes priority over chrome for fonts.googleapis.com)
 		{
 			name:     "fonts ecosystem - fonts.googleapis.com",
 			domain:   "fonts.googleapis.com",
@@ -55,6 +55,77 @@ func TestGetDomainEcosystem(t *testing.T) {
 			expected: "fonts",
 		},
 
+		// Chrome ecosystem (headless Chrome/Puppeteer browser testing)
+		{
+			name:     "chrome ecosystem - accounts.google.com",
+			domain:   "accounts.google.com",
+			expected: "chrome",
+		},
+		{
+			name:     "chrome ecosystem - www.google.com",
+			domain:   "www.google.com",
+			expected: "chrome",
+		},
+		{
+			name:     "chrome ecosystem - safebrowsing.googleapis.com",
+			domain:   "safebrowsing.googleapis.com",
+			expected: "chrome",
+		},
+		{
+			name:     "chrome ecosystem - optimizationguide-pa.googleapis.com",
+			domain:   "optimizationguide-pa.googleapis.com",
+			expected: "chrome",
+		},
+		{
+			name:     "chrome ecosystem - update.googleapis.com",
+			domain:   "update.googleapis.com",
+			expected: "chrome",
+		},
+		{
+			name:     "chrome ecosystem - redirector.gvt1.com",
+			domain:   "redirector.gvt1.com",
+			expected: "chrome",
+		},
+		// Java ecosystem takes priority over chrome for its Google domains
+		{
+			name:     "java ecosystem - maven.google.com (not chrome)",
+			domain:   "maven.google.com",
+			expected: "java",
+		},
+		{
+			name:     "java ecosystem - dl.google.com (not chrome)",
+			domain:   "dl.google.com",
+			expected: "java",
+		},
+		// Defaults ecosystem takes priority over chrome for packages.cloud.google.com
+		{
+			name:     "defaults ecosystem - packages.cloud.google.com (not chrome)",
+			domain:   "packages.cloud.google.com",
+			expected: "defaults",
+		},
+
+		// Deno ecosystem
+		{
+			name:     "deno ecosystem - fresh.deno.dev",
+			domain:   "fresh.deno.dev",
+			expected: "deno",
+		},
+		{
+			name:     "deno ecosystem - googleapis.deno.dev",
+			domain:   "googleapis.deno.dev",
+			expected: "deno",
+		},
+		{
+			name:     "deno ecosystem - deno.land",
+			domain:   "deno.land",
+			expected: "deno",
+		},
+		{
+			name:     "deno ecosystem - jsr.io subdomain",
+			domain:   "api.jsr.io",
+			expected: "deno",
+		},
+
 		// Node CDNs ecosystem
 		{
 			name:     "node-cdns ecosystem - cdn.jsdelivr.net",
@@ -433,6 +504,16 @@ func TestGetAllowedDomains_VariousCombinations(t *testing.T) {
 			allowed:        []string{"fonts"},
 			expectContains: []string{"fonts.googleapis.com", "fonts.gstatic.com"},
 		},
+		{
+			name:           "chrome ecosystem",
+			allowed:        []string{"chrome"},
+			expectContains: []string{"*.google.com", "*.googleapis.com", "*.gvt1.com"},
+		},
+		{
+			name:           "deno ecosystem",
+			allowed:        []string{"deno"},
+			expectContains: []string{"deno.land", "jsr.io", "*.jsr.io", "googleapis.deno.dev", "fresh.deno.dev"},
+		},
 		{
 			name:           "node-cdns ecosystem",
 			allowed:        []string{"node-cdns"},