Network Egress Filtering for GitHub Actions Runners
Supply chain attacks targeting CI pipelines have made headlines recently, and a common thread in many of them is unfiltered outbound network access: a compromised dependency or action exfiltrates secrets simply by calling home. Namespace has supported configuring egress domain allow-lists via the API for a while, and we're now making this accessible directly in the runner profile editor.
When egress filtering is enabled on a profile, runners will only reach the domains you explicitly permit. The minimum set required to communicate with GitHub is included by default, so you won't be starting from a blank slate. Any traffic outside your allow-list is blocked at the network level, limiting the blast radius if something in your workflow is compromised.
This feature is in early access and requires workspace enrollment. Reach out to support@namespace.so to get started, and we're actively iterating on the experience.
Devbox Updates
Devboxes are managed cloud development environments built for both engineers and AI coding agents. You define your environment once with a standard Dockerfile, check it into source control, and everyone on your team works from the same reproducible setup. Devboxes start on-demand, pause automatically when idle so you're not paying for time you're not using, and resume in seconds with your files and configuration exactly as you left them. You can connect via SSH, browser VS Code, or your IDE of choice, including Cursor, JetBrains, and Zed.
Devboxes can now join your Tailscale network, making it straightforward to securely connect your cloud development environment to private infrastructure without exposing it publicly. Namespace uses workload identity federation to authenticate each Devbox with a short-lived OIDC token issued at runtime — no long-lived Tailscale auth keys or client secrets need to be stored in Namespace. See the Tailscale integration docs to get started.
We've also shipped a couple of other Devbox improvements:
Windows support for the CLI and IDE. The Devbox CLI and IDE integrations now support Windows, letting Windows users create and connect to Linux-based Devboxes without leaving their local setup. See the Devbox docs for setup instructions.
Smoother authentication in VS Code and Cursor. The Devbox extension for VS Code and Cursor now handles authentication directly, redirecting you to the web browser when needed. No more manual token wrangling required.
In-App Changelog
You can now find the changelog without leaving Namespace. Look for the ship icon at the bottom of the nav bar. It surfaces items from namespace.so/changelog right inside the app, so you can stay up to date on what's shipped without switching context.
Summary
This release adds meaningful security controls to GitHub Actions with network egress filtering, expands Devbox to Windows users, streamlines authentication in the VS Code and Cursor extensions, and brings the changelog directly into the app. Check out the full changelog for the complete list of changes.