Add 172.30.0.1 to CodexDefaultDomains for AWF gateway access #13768
The convert_gateway_config_codex.sh script resolves host.docker.internal to 172.30.0.1 for Rust DNS compatibility, but this IP was not in the allowed domains list for AWF firewall, causing all MCP requests to be blocked with 403 Forbidden errors.
This fix adds 172.30.0.1 to CodexDefaultDomains so Codex can access the MCP gateway through AWF's network firewall.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨
🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...
🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰
Pull request overview
Updates Codex network allowlists to permit MCP gateway access when host.docker.internal resolves to the AWF gateway IP (172.30.0.1), preventing AWF firewall 403s in Codex workflows.
Changes:
- Add 172.30.0.1 to CodexDefaultDomains.
- Update unit tests to include/sort the new default domain.
- Update the Smoke Codex locked workflow’s allowed domain list to include 172.30.0.1.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| pkg/workflow/domains.go | Adds 172.30.0.1 to Codex default domain allowlist used for firewall configuration. |
| pkg/workflow/domains_test.go | Updates Codex domain expectations and allowed-domain string assertions to include 172.30.0.1. |
| .github/workflows/smoke-codex.lock.yml | Includes 172.30.0.1 in AWF --allow-domains and GH_AW_ALLOWED_DOMAINS; also changes the scheduled cron minute. |
| schedule: | ||
| - cron: "16 */12 * * *" | ||
| - cron: "31 */12 * * *" | ||
| workflow_dispatch: null |
Copilot
AI
Feb 4, 2026
The scheduled cron minute changed from "16 */12 * * *" to "31 */12 * * *" but the PR description focuses on the domain allowlist update. If this timing shift wasn’t intentional, consider reverting it to avoid an operational change/noise in the generated lockfile; if it is intentional, please call it out in the PR description (or ensure it’s coming from the source workflow manifest and not an accidental manual edit of the generated .lock.yml).
Agent Container Tool Check
Result: 10/12 tools fully available, 1 partial (java), 1 unavailable (dotnet) Notes:
✅ Smoke Test PASS (Run 21682347574) PRs Tested:
Results:
Overall: PASS cc: @Mossaka
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤
💀 Blimey! Changeset Generator failed and walked the plank! No treasure today, matey! ☠️
Agent Container Tool Check
Result: 11/12 tools available ❌ Status: FAIL - .NET runtime (dotnet) is not available in the container environment. All essential development tools (bash, git, node, python, go, java) are present. Only dotnet is missing.
Smoke Test Results ✅ PRs reviewed: #13756, #13758 cc @Mossaka
Summary
172.30.0.1 (AWF gateway IP) to CodexDefaultDomains in domains.go
Root Cause
The convert_gateway_config_codex.sh script resolves host.docker.internal to 172.30.0.1 for Rust DNS compatibility in Codex CLI. However, this IP was not in the allowed domains list for AWF firewall, causing all MCP requests to be blocked with 403 Forbidden errors.
Evidence from firewall logs:
Test plan
go test ./pkg/workflow/... -run "Codex|Domain")
🤖 Generated with Claude Code
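
The root cause described above, as an added example that is not code from this repository: once a config step rewrites a hostname to an IP literal, the firewall sees only the address, so the allowlist must carry that address too. The function names, the matching rules (IP literals match exactly, names match exactly or as a subdomain), and the `example.com` entry are assumptions for illustration, not AWF's actual behaviour.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
)

// hostAllowed reports whether host (optionally host:port) passes the allowlist.
// Hypothetical matcher: names match exactly or as a subdomain of an entry;
// IP literals and IP entries match only exactly.
func hostAllowed(host string, allowlist []string) bool {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	hostIsIP := net.ParseIP(host) != nil
	for _, entry := range allowlist {
		entry = strings.ToLower(entry)
		if host == entry {
			return true
		}
		// Suffix matching applies to DNS names only, never to addresses.
		if !hostIsIP && net.ParseIP(entry) == nil && strings.HasSuffix(host, "."+entry) {
			return true
		}
	}
	return false
}

// uncoveredRewrites returns the rewrite targets the allowlist would block.
// rewrites maps a configured hostname to the address substituted for it.
func uncoveredRewrites(rewrites map[string]string, allowlist []string) []string {
	var missing []string
	for _, target := range rewrites {
		if !hostAllowed(target, allowlist) {
			missing = append(missing, target)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	// Constructed data; only host.docker.internal and 172.30.0.1 come from the page.
	rewrites := map[string]string{"host.docker.internal": "172.30.0.1"}
	before := []string{"example.com", "host.docker.internal"}
	after := []string{"example.com", "host.docker.internal", "172.30.0.1"}
	fmt.Println("blocked before fix:", uncoveredRewrites(rewrites, before))
	fmt.Println("blocked after fix: ", uncoveredRewrites(rewrites, after))
}
```

Running a check like `uncoveredRewrites` in unit tests catches the mismatch before it surfaces as 403s in a workflow run.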