From 371b03be172a720474060bfb42084c497d9f72e4 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 15 Apr 2026 13:07:57 +0000
Subject: [PATCH 1/2] Initial plan


From 5f4782ad33c1f380fcac86c8aee43612a00ccefd Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 15 Apr 2026 13:24:45 +0000
Subject: [PATCH 2/2] feat: add lean ecosystem entry to ecosystem_domains.json
 (#issue)

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/3f4217e8-a220-4ba6-8f48-992e6f6b95a2

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 docs/src/content/docs/reference/network.md | 2 +-
 pkg/workflow/data/ecosystem_domains.json   | 1 +
 pkg/workflow/domains.go                    | 2 ++
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/docs/src/content/docs/reference/network.md b/docs/src/content/docs/reference/network.md
index 91c9b0de8ce..3623de112a1 100644
--- a/docs/src/content/docs/reference/network.md
+++ b/docs/src/content/docs/reference/network.md
@@ -100,7 +100,7 @@ Mix ecosystem identifiers with specific domains for fine-grained control:
 | `default-safe-outputs` | Compound: `defaults` + `dev-tools` + `github` + `local` — recommended baseline for `safe-outputs.allowed-domains` |
 | `containers` | Docker Hub, GitHub Container Registry, Quay |
 | `linux-distros` | Debian, Alpine, and other Linux package repositories |
-| `dotnet`, `dart`, `go`, `haskell`, `java`, `julia`, `node`, `perl`, `php`, `python`, `ruby`, `rust`, `swift` | Language-specific package managers and registries |
+| `dotnet`, `dart`, `go`, `haskell`, `java`, `julia`, `lean`, `node`, `perl`, `php`, `python`, `ruby`, `rust`, `swift` | Language-specific package managers and registries |
 | `deno` | Deno runtime (`deno.land`, `jsr.io`, `*.jsr.io`, `googleapis.deno.dev`, `fresh.deno.dev`) |
 | `terraform` | HashiCorp and Terraform domains |
 | `playwright` | Playwright testing framework domains (see [Playwright Reference](/gh-aw/reference/playwright/)) |
diff --git a/pkg/workflow/data/ecosystem_domains.json b/pkg/workflow/data/ecosystem_domains.json
index d7aad0d1458..30e1b020f4c 100644
--- a/pkg/workflow/data/ecosystem_domains.json
+++ b/pkg/workflow/data/ecosystem_domains.json
@@ -160,6 +160,7 @@
   ],
   "julia": ["pkg.julialang.org", "*.pkg.julialang.org", "julialang.org", "julialang-s3.julialang.org", "storage.julialang.net"],
   "kotlin": ["download.jetbrains.com", "ge.jetbrains.com", "packages.jetbrains.team", "kotlin.bintray.com", "maven.pkg.jetbrains.space"],
+  "lean": ["elan.lean-lang.org", "lean-lang.org", "leanprover.github.io", "reservoir.lean-lang.org", "static.lean-lang.org"],
   "linux-distros": [
     "deb.debian.org",
     "security.debian.org",
diff --git a/pkg/workflow/domains.go b/pkg/workflow/domains.go
index 1962cb60e9b..5d49e6dc328 100644
--- a/pkg/workflow/domains.go
+++ b/pkg/workflow/domains.go
@@ -276,6 +276,7 @@ func getDomainsFromRuntimes(runtimes map[string]any) []string {
 //   - "haskell": Haskell ecosystem
 //   - "java": Java/Maven/Gradle
 //   - "kotlin": Kotlin/JetBrains
+//   - "lean": Lean 4/Lake/Reservoir
 //   - "linux-distros": Linux distribution package repositories
 //   - "node": Node.js/NPM/Yarn
 //   - "perl": Perl/CPAN
@@ -355,6 +356,7 @@ var ecosystemPriority = []string{
 	"java", // before "chrome" — maven.google.com and dl.google.com are Java domains, not chrome domains
 	"chrome",
 	"kotlin",
+	"lean",
 	"linux-distros",
 	"local",
 	"node",