Expand Java ecosystem allowlist for firewall-enabled workflows (#12400)

* Initial plan

* chore: plan domain additions for java profile

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

* feat: expand java ecosystem allowed domains

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Co-authored-by: Jiaxiao Zhou <duibao55328@gmail.com>

Author: Copilot

pkg/workflow/data/ecosystem_domains.json

@@ -86,7 +86,12 @@
     "repo.grails.org",
     "download.eclipse.org",
     "download.oracle.com",
-    "jcenter.bintray.com"
+    "jcenter.bintray.com",
+    "dlcdn.apache.org",
+    "archive.apache.org",
+    "download.java.net",
+    "api.foojay.io",
+    "cdn.azul.com"
   ],
   "linux-distros": [
     "deb.debian.org",

pkg/workflow/ecosystem_domains_test.go

@@ -171,6 +171,37 @@ func TestEcosystemDomainExpansion(t *testing.T) {
 		}
 	})
 
+	t.Run("java ecosystem includes Java package and tooling domains", func(t *testing.T) {
+		permissions := &NetworkPermissions{
+			Allowed: []string{"java"},
+		}
+		domains := GetAllowedDomains(permissions)
+
+		expectedDomains := []string{
+			"repo.maven.apache.org",
+			"services.gradle.org",
+			"download.oracle.com",
+			"dlcdn.apache.org",
+			"archive.apache.org",
+			"download.java.net",
+			"api.foojay.io",
+			"cdn.azul.com",
+		}
+
+		for _, expectedDomain := range expectedDomains {
+			found := false
+			for _, domain := range domains {
+				if domain == expectedDomain {
+					found = true
+					break
+				}
+			}
+			if !found {
+				t.Errorf("Expected domain '%s' to be included in java ecosystem, but it was not found", expectedDomain)
+			}
+		}
+	})
+
 	t.Run("node ecosystem includes Node.js package domains", func(t *testing.T) {
 		permissions := &NetworkPermissions{
 			Allowed: []string{"node"},