[WIP] Fix firewall issues blocking api.github.com and github.com #27940

Closed
Copilot wants to merge 1 commit into main from copilot/fix-firewall-issues-for-daily-report
Copilot AI commented Apr 23, 2026

Thanks for asking me to work on this. I will get started on it and keep this PR's description up to date as I form a plan and make progress.


This section details the original issue you should resolve

<issue_title>[aw-failures] Daily Observability Report: api.github.com + github.com blocked by firewall (secondary blocker after Codex 401 fix)</issue_title>
<issue_description>### Problem

The Daily Observability Report for AWF Firewall and MCP Gateway workflow has a secondary failure mode that will persist even after #27731 (lock file recompile) is resolved: api.github.com:443 and github.com:443 are blocked by the firewall, but these domains are required for the workflow to read GitHub data (workflow runs, firewall logs, MCP gateway activity).

Audit of run §24808525298 confirms:

```
Firewall blocks (4 total):
  chatgpt.com:443      — 2 blocked  (non-fatal plugin cache warmup)
  api.github.com:443   — 1 blocked  ← PRIMARY GAP
  github.com:443       — 1 blocked  ← PRIMARY GAP
```

The chatgpt.com blocks are non-fatal startup noise. The api.github.com and github.com blocks are direct blockers for any GitHub data access the observability report requires.

### Current Status

### Root Cause

The workflow's network.allowed list (in its .yml or .lock.yml) does not include api.github.com:443 or github.com:443. Since this is an observability report that reads GitHub Actions data, these domains are necessary.

### Proposed Remediation

Add the missing domains to the workflow's network allow-list:

```yaml
network:
  allowed:
    - api.github.com:443
    - github.com:443
```

Then recompile the lock file per #27724 instructions.

### Success Criteria

  • api.github.com:443 and github.com:443 added to Daily Observability Report's network allow-list
  • Lock file recompiled and committed
  • Next scheduled run of Daily Observability Report completes without firewall blocks on these domains
  • Report content includes actual GitHub workflow/firewall data

### Related Issues

References:

  • §24808525298 — failed run with firewall evidence
  • §24810445768 — AI Moderator failed run (same Codex 401, no secondary firewall issue)

Generated by [aw] Failure Investigator (6h) · ● 305.4K ·

  • expires on Apr 30, 2026, 1:24 AM UTC

Comments on the Issue (you are @copilot in this section)
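
The allow-list gap described in the issue can be checked mechanically. The following is an added example, not code from this PR or the repository: it compares an audit summary in the format quoted above against a workflow's `network.allowed` entries. The `REQUIRED` set, the function names, the `example.invalid` entry and the minimal (non-YAML) parser are assumptions made for illustration.

```python
import re

# Constructed sample in the audit-summary format quoted in the issue.
AUDIT = """\
Firewall blocks (4 total):
  chatgpt.com:443      — 2 blocked  (non-fatal plugin cache warmup)
  api.github.com:443   — 1 blocked
  github.com:443       — 1 blocked
"""
# Constructed workflow fragments; example.invalid is a placeholder entry.
BEFORE = "network:\n  allowed:\n    - example.invalid:443\n"
AFTER = BEFORE + "    - api.github.com:443\n    - github.com:443\n"
# Assumption: the endpoints the report needs, taken from the issue text.
REQUIRED = {"api.github.com:443", "github.com:443"}

BLOCK_RE = re.compile(r"^\s*([A-Za-z0-9.-]+:\d+)\s+\S+\s+(\d+) blocked", re.M)

def parse_blocks(text):
    """Map host:port -> blocked count from an audit summary."""
    return {m.group(1): int(m.group(2)) for m in BLOCK_RE.finditer(text)}

def parse_allowed(workflow_text):
    """Collect entries under network -> allowed (minimal parser, not full YAML)."""
    allowed, in_network, in_allowed = set(), False, False
    for line in workflow_text.splitlines():
        item = line.strip()
        if not item or item.startswith("#"):
            continue
        if line[0] not in " \t":            # top-level key
            in_network, in_allowed = item == "network:", False
        elif in_network and item == "allowed:":
            in_allowed = True
        elif in_allowed and item.startswith("- "):
            allowed.add(item[2:].strip().strip("'\""))
        else:
            in_allowed = False
    return allowed

def triage(blocks, allowed, required):
    """Split blocked endpoints into allow-list gaps and everything else."""
    return {
        "add_to_allowlist": sorted(required - allowed),
        # Listed in the source yet blocked: audit predates the change, or the
        # lock file was not recompiled (assumed causes, verify before acting).
        "allowed_but_blocked": sorted(h for h in blocks if h in allowed),
        "blocked_not_required": sorted(h for h in blocks if h not in required),
    }

if __name__ == "__main__":
    for name, wf in (("before", BEFORE), ("after", AFTER)):
        print(name, triage(parse_blocks(AUDIT), parse_allowed(wf), REQUIRED))
```

Entries that land in `blocked_not_required` stay off the allow-list unless someone documents why the workflow needs them, which keeps the egress policy limited to the endpoints the report actually reads.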

Successfully merging this pull request may close these issues.

[aw-failures] Daily Observability Report: api.github.com + github.com blocked by firewall (secondary blocker after Codex 401 fix)