diff --git a/docs/astro.config.mjs b/docs/astro.config.mjs
index 23ec85a7921..fd093eb9b07 100644
--- a/docs/astro.config.mjs
+++ b/docs/astro.config.mjs
@@ -333,6 +333,7 @@ export default defineConfig({
 { label: 'Safe Outputs (Staged Mode)', link: '/reference/staged-mode/' },
 { label: 'Sandbox', link: '/reference/sandbox/' },
 { label: 'Schedule Syntax', link: '/reference/schedule-syntax/' },
+ { label: 'Supported Languages', link: '/reference/supported-languages/' },
 { label: 'Templating', link: '/reference/templating/' },
 { label: 'Threat Detection', link: '/reference/threat-detection/' },
 { label: 'Token Reference', link: '/reference/tokens/' },
diff --git a/docs/src/content/docs/guides/network-configuration.md b/docs/src/content/docs/guides/network-configuration.md
index 7427dc8186a..b78ecb5c2b3 100644
--- a/docs/src/content/docs/guides/network-configuration.md
+++ b/docs/src/content/docs/guides/network-configuration.md
@@ -193,6 +193,7 @@ View complete ecosystem domain lists in the [ecosystem domains source](https://g
 ## Related Documentation
 - [Network Permissions Reference](/gh-aw/reference/network/) - Complete network configuration reference
+- [Supported Languages & Ecosystems](/gh-aw/reference/supported-languages/) - Language-first overview of ecosystem identifiers
 - [Playwright Reference](/gh-aw/reference/playwright/) - Browser automation and network requirements
 - [Security Guide](/gh-aw/introduction/architecture/) - Security best practices
 - [Troubleshooting](/gh-aw/troubleshooting/common-issues/) - Common issues and solutions
diff --git a/docs/src/content/docs/reference/network.md b/docs/src/content/docs/reference/network.md
index 0a179afd857..1b835730579 100644
--- a/docs/src/content/docs/reference/network.md
+++ b/docs/src/content/docs/reference/network.md
@@ -106,7 +106,7 @@ Mix ecosystem identifiers with specific domains for fine-grained control:
 | `playwright` | Playwright testing framework domains (see [Playwright Reference](/gh-aw/reference/playwright/)) |
 | `chrome` | Headless Chrome/Puppeteer browser testing (`*.google.com`, `*.googleapis.com`, `*.gvt1.com`) |
-Common identifiers: `python` (PyPI/pip), `node` (npm/yarn/pnpm), `containers` (Docker Hub/GHCR), `go` (proxy.golang.org). See the [Network Configuration Guide](/gh-aw/guides/network-configuration/) for complete domain lists.
+Common identifiers: `python` (PyPI/pip), `node` (npm/yarn/pnpm), `containers` (Docker Hub/GHCR), `go` (proxy.golang.org). See the [Network Configuration Guide](/gh-aw/guides/network-configuration/) for complete domain lists, or the [Supported Languages](/gh-aw/reference/supported-languages/) page for a language-first overview.
 ## Strict Mode Validation
diff --git a/docs/src/content/docs/reference/supported-languages.md b/docs/src/content/docs/reference/supported-languages.md
new file mode 100644
index 00000000000..c5c7287935a
--- /dev/null
+++ b/docs/src/content/docs/reference/supported-languages.md
@@ -0,0 +1,88 @@
+---
+title: Supported Languages & Ecosystems
+description: Language ecosystem identifiers for configuring network access in agentic workflows
+sidebar:
+ order: 1350
+---
+
+Agentic workflows run inside an Ubuntu/Linux sandbox. Each programming language has a corresponding **ecosystem identifier** that grants the workflow access to that language's package registry and toolchain domains. Set these identifiers in the [`network.allowed`](/gh-aw/reference/network/) field of your workflow frontmatter.
+
+## Language Ecosystem Identifiers
+
+| Language | Ecosystem Identifier | Package Manager |
+|----------|---------------------|-----------------|
+| Python | `python` | pip, conda |
+| JavaScript / TypeScript | `node` | npm, yarn, pnpm |
+| Java | `java` | Maven, Gradle |
+| Go | `go` | Go modules |
+| Rust | `rust` | Cargo |
+| C# / .NET | `dotnet` | NuGet |
+| Ruby | `ruby` | Bundler, RubyGems |
+| PHP | `php` | Composer |
+| Swift | `swift` | SwiftPM (Linux only) |
+| Kotlin | `kotlin` + `java` | Gradle |
+| Dart | `dart` | pub |
+| C / C++ | `defaults` | System toolchain (gcc, cmake) |
+
+> [!NOTE]
+> Swift projects that depend on Apple-only frameworks (UIKit, AppKit, SwiftUI on macOS) are not supported — the sandbox runs Ubuntu Linux.
+
+## Infrastructure Ecosystems
+
+These identifiers are not language-specific but pair with any language workflow:
+
+| Identifier | Use for |
+|------------|---------|
+| `defaults` | Basic infrastructure: certificates, JSON schema, Ubuntu mirrors. This is the default when `network:` is not specified, and is recommended as the starting baseline for most workflows. |
+| `github` | GitHub domains (`github.com`, `raw.githubusercontent.com`, etc.) |
+| `containers` | Docker Hub, GitHub Container Registry, Quay, GCR |
+| `linux-distros` | Debian, Ubuntu, Alpine package repositories (`apt`, `apk`) |
+
+## Configuration Examples
+
+### Single language
+
+```aw wrap
+---
+network:
+ allowed:
+ - defaults
+ - python
+---
+```
+
+### JVM family (Java + Kotlin)
+
+```aw wrap
+---
+network:
+ allowed:
+ - defaults
+ - java
+ - kotlin
+---
+```
+
+### Multi-language
+
+```aw wrap
+---
+network:
+ allowed:
+ - defaults
+ - node
+ - python
+ - containers
+ - github
+---
+```
+
+## Less Common Languages
+
+Additional language ecosystems are available for less common languages including Elixir, Haskell, Julia, Perl, OCaml, Deno, and Terraform. See the [Ecosystem Identifiers table](/gh-aw/reference/network/#ecosystem-identifiers) in the Network Permissions reference for the most up-to-date list of supported identifiers.
+
+## Related Documentation
+
+- [Network Permissions](/gh-aw/reference/network/) — Network configuration reference and ecosystem identifiers table
+- [Network Configuration Guide](/gh-aw/guides/network-configuration/) — Practical patterns and troubleshooting
+- [Sandbox](/gh-aw/reference/sandbox/) — Sandbox environment details