Update golang.org/x/sync to v0.18.0 and add Go/Node/Python to default allowed domains

go.mod

@@ -52,7 +52,7 @@ require (
 	github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
-	golang.org/x/sync v0.17.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
 	golang.org/x/sys v0.38.0 // indirect
 	golang.org/x/term v0.36.0 // indirect
 	golang.org/x/text v0.30.0 // indirect

go.sum

@@ -127,8 +127,8 @@ go.uber.org/multierr v1.9.0 h1:7fIwc/ZtS0q++VgcfqFDxSBZVv/Xo49/SYnDFupUwlI=
 go.uber.org/multierr v1.9.0/go.mod h1:X2jQV1h+kxSjClGpnseKVIxpmcjrj7MNnI0bnlfKTVQ=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

pkg/workflow/data/ecosystem_domains.json

@@ -33,7 +33,14 @@
     "api.snapcraft.io",
     "packagecloud.io",
     "packages.cloud.google.com",
-    "packages.microsoft.com"
+    "packages.microsoft.com",
+    "golang.org",
+    "proxy.golang.org",
+    "sum.golang.org",
+    "npmjs.org",
+    "registry.npmjs.org",
+    "pypi.org",
+    "files.pythonhosted.org"
   ],
   "containers": [
     "ghcr.io",

pkg/workflow/domains.go

@@ -54,7 +54,7 @@ func getEcosystemDomains(category string) []string {
 // Returns empty slice if network permissions configured but no domains allowed (deny all)
 // Returns domain list if network permissions configured with allowed domains
 // Supports ecosystem identifiers:
-//   - "defaults": basic infrastructure (certs, JSON schema, Ubuntu, common package mirrors, Microsoft sources)
+//   - "defaults": basic infrastructure (certs, JSON schema, Ubuntu, common package mirrors, Microsoft sources, Go, Node, Python)
 //   - "containers": container registries (Docker, GitHub Container Registry, etc.)
 //   - "dotnet": .NET and NuGet ecosystem
 //   - "dart": Dart/Flutter ecosystem

pkg/workflow/ecosystem_domains_test.go

@@ -18,6 +18,13 @@ func TestEcosystemDomainExpansion(t *testing.T) {
 			"archive.ubuntu.com",     // Ubuntu
 			"packagecloud.io",        // Common Package Mirrors
 			"packages.microsoft.com", // Microsoft Sources
+			"golang.org",             // Go ecosystem
+			"proxy.golang.org",       // Go proxy
+			"sum.golang.org",         // Go checksum database
+			"npmjs.org",              // Node ecosystem
+			"registry.npmjs.org",     // NPM registry
+			"pypi.org",               // Python ecosystem
+			"files.pythonhosted.org", // Python files
 		}
 
 		for _, expectedDomain := range expectedDomains {
@@ -38,9 +45,6 @@ func TestEcosystemDomainExpansion(t *testing.T) {
 			"ghcr.io",    // Container registries
 			"nuget.org",  // .NET
 			"github.com", // GitHub (not in defaults anymore)
-			"golang.org", // Go
-			"npmjs.org",  // Node
-			"pypi.org",   // Python
 		}
 
 		for _, excludedDomain := range excludedDomains {