Add Copilot setup workflow for vsassets.io firewall allowlist #49470

Merged
merged 3 commits into from
Jun 19, 2025

Copilot
Contributor

@Copilot Copilot AI commented Jun 18, 2025

This PR adds a GitHub Actions workflow to configure firewall allowlist settings for GitHub Copilot, enabling access to Visual Studio assets URLs needed for NuGet package restore operations.

Problem

GitHub Copilot was unable to access *.vsblob.vsassets.io URLs during dotnet restore operations, resulting in firewall blocking errors like:

Resource temporarily unavailable (lylvsblobprodcus31.vsblob.vsassets.io:443)
Failed to download package 'Microsoft.DotNet.Arcade.Sdk.10.0.0-beta.25316.103'

Solution

Created .github/workflows/copilot-setup.yml that sets the COPILOT_AGENT_FIREWALL_ALLOW_LIST_ADDITIONS environment variable to "*.vsblob.vsassets.io", allowing Copilot to access all Visual Studio blob storage subdomains required for package restoration.

Key Features

  • Minimal Implementation: Only 22 lines added, following the repository's minimal change principle
  • Complete Coverage: The wildcard pattern covers all blocked URLs mentioned in the issue
  • Manual Trigger: Uses workflow_dispatch for on-demand execution when needed
  • Clear Documentation: Includes explanatory comments for maintainability

Blocked URLs This Resolves

The workflow enables access to vsblob.vsassets.io subdomains.

Fixes #49469.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • lylvsblobprodcus31.vsblob.vsassets.io
    • Triggering command: /home/REDACTED/work/sdk/sdk/.dotnet/dotnet msbuild /m /nologo /clp:Summary /v:minimal /nr:true /warnaserror /p:TreatWarningsAsErrors=true /p:ContinuousIntegrationBuild=false /home/REDACTED/work/sdk/sdk/artifacts/toolset/restore.proj /t:__WriteToolsetLocation /clp:ErrorsOnly;NoSummary /p:__ToolsetLocationOutputFile=/home/REDACTED/work/sdk/sdk/artifacts/toolset/10.0.0-beta.25316.103.txt (dns block)

If you need me to access, download, or install something from one of these locations, you can either:


Co-authored-by: baronfel <573979+baronfel@users.noreply.github.com>
@Copilot Copilot AI changed the title [WIP] Allow Copilot to access vsassets.io urls to enable restore Add Copilot setup workflow for vsassets.io firewall allowlist Jun 18, 2025
@Copilot Copilot AI requested a review from baronfel June 18, 2025 03:37
Copilot finished work on behalf of baronfel June 18, 2025 03:37
@baronfel baronfel marked this pull request as ready for review June 18, 2025 03:38
@baronfel baronfel enabled auto-merge (squash) June 18, 2025 03:38
@baronfel
Member

baronfel commented Jun 18, 2025

Failure is the containers test - known issue. @marcpopMSFT can you force-merge when you have time?

Also I don't have write permissions on this PR for some reason. EDIT: ah, this is because I collaborated w/copilot:

Approvals from users that collaborated with Copilot on changes will not satisfy review requirements.

@KalleOlaviNiemitalo
Contributor

Does this actually work?

@baronfel
Member

There are a few other examples of this on GitHub already, but none of them use the * syntax, so I think you are 100% right on that.

Fix domain syntax
@baronfel baronfel merged commit 9c7b56d into main Jun 19, 2025
30 checks passed
@baronfel baronfel deleted the copilot/fix-49469 branch June 19, 2025 20:02
@KalleOlaviNiemitalo
Contributor

https://github.com/orgs/community/discussions/163374 seems to say that setting COPILOT_AGENT_FIREWALL_ALLOW_LIST_ADDITIONS in env does not affect the firewall. Perhaps the repositories that have such an environment variable in their workflows have already been configured in the proper way and the env has just been left over.

Oh well, you'll see whether it works or not.

@baronfel
Member

@KalleOlaviNiemitalo so far it has been working as expected - Copilot has been able to restore and build the project. Further PRs have added a few more changes to make sure that when Copilot is working on an issue it:

  • starts from a green build
  • is using the repo-local dotnet instead of any dotnet from the ambient environment
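
The thread above turns on whether an allowlist entry should be written with a leading `*` or as a bare domain. The following Python is an added example, not code from this PR or from GitHub: it compares the two readings of an entry, matching on DNS label boundaries so that look-alike names are not admitted. Both matching modes and the function names are assumptions for illustration; the page does not state how the Copilot agent firewall interprets its entries.

```python
# Added example: label-boundary matching for an egress allowlist.
# The matching rules are assumptions; the page does not document the
# Copilot agent firewall's actual semantics.

def normalize(name):
    """Lower-case a hostname, drop a trailing dot, split into DNS labels."""
    return name.strip().lower().rstrip(".").split(".")

def entry_matches(entry, host, wildcard_syntax):
    """Return True if `host` is covered by allowlist `entry`.

    wildcard_syntax=True : "*.example.org" covers subdomains only and a
                           bare "example.org" covers that exact name only.
    wildcard_syntax=False: "*" is not special and a bare "example.org"
                           covers the name and all of its subdomains.
    """
    e, h = normalize(entry), normalize(host)
    if wildcard_syntax:
        if e[0] == "*":
            suffix = e[1:]
            return len(h) > len(suffix) and h[-len(suffix):] == suffix
        return h == e
    # "*" is an ordinary label here, so a "*." entry never matches a real host.
    return len(h) >= len(e) and h[-len(e):] == e

def audit(entries, hosts, wildcard_syntax):
    """Map each host to the first entry that covers it, or None if blocked."""
    return {
        host: next((e for e in entries
                    if entry_matches(e, host, wildcard_syntax)), None)
        for host in hosts
    }

# Sample input: the first hostname is from the error on the page,
# the others are constructed look-alikes.
HOSTS = [
    "lylvsblobprodcus31.vsblob.vsassets.io",
    "vsblob.vsassets.io",
    "notvsblob.vsassets.io",            # shares only a string suffix
    "vsblob.vsassets.io.example.net",   # allowlisted name used as a prefix
]

if __name__ == "__main__":
    for mode in (True, False):
        for entry in ("*.vsblob.vsassets.io", "vsblob.vsassets.io"):
            print(f"wildcard_syntax={mode} entry={entry!r}")
            for host, hit in audit([entry], HOSTS, mode).items():
                print(f"  {'ALLOW' if hit else 'BLOCK'}  {host}")
```

Under the non-wildcard reading the `*.` entry allows nothing, which is one way an allowlist change can appear to be applied while the build host stays blocked.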
