From c4d9239cbbb6ad82103d0d63b483482c2823c63d Mon Sep 17 00:00:00 2001
From: Jordan Harband
Date: Wed, 3 Jun 2026 13:29:38 -0700
Subject: [PATCH] [actions] allow DockerHub's CloudFront CDN so image pulls aren't blocked

harden-runner runs with `egress-policy: block`, and the allow-list only included `production.cloudflare.docker.com`. DockerHub serves image blobs from either its Cloudflare or its CloudFront CDN; when a pull was routed to CloudFront (`production.cloudfront.docker.com`) the connection was dropped, causing `error pulling image configuration: ... connect: connection refused` and exit 125 in the xenial, installation_node, and fast (httpbin) suites. Allow both CDNs.
---
 .github/workflows/tests-fast.yml | 1 +
 .github/workflows/tests-installation-node.yml | 1 +
 .github/workflows/tests-xenial.yml | 1 +
 3 files changed, 3 insertions(+)

diff --git a/.github/workflows/tests-fast.yml b/.github/workflows/tests-fast.yml
index af4ee218..8b0eed73 100644
--- a/.github/workflows/tests-fast.yml
+++ b/.github/workflows/tests-fast.yml
@@ -45,6 +45,7 @@ jobs:
 registry-1.docker.io:443
 auth.docker.io:443
 production.cloudflare.docker.com:443
+ production.cloudfront.docker.com:443
 - uses: actions/checkout@v6
 with:
 submodules: true
diff --git a/.github/workflows/tests-installation-node.yml b/.github/workflows/tests-installation-node.yml
index 684c1421..c1d44874 100644
--- a/.github/workflows/tests-installation-node.yml
+++ b/.github/workflows/tests-installation-node.yml
@@ -41,6 +41,7 @@ jobs:
 archive.ubuntu.com:80
 security.ubuntu.com:80
 production.cloudflare.docker.com:443
+ production.cloudfront.docker.com:443
 registry-1.docker.io:443
 auth.docker.io:443
 - uses: actions/checkout@v6
diff --git a/.github/workflows/tests-xenial.yml b/.github/workflows/tests-xenial.yml
index b17e8df0..ed12b091 100644
--- a/.github/workflows/tests-xenial.yml
+++ b/.github/workflows/tests-xenial.yml
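Review bot: Nothing next to the new `production.cloudfront.docker.com:443` entry in tests-fast.yml records why two Docker CDN hosts sit in the egress allow-list, so a later cleanup could drop one as a duplicate and bring back the intermittent pull failures the commit message describes. The list appears to be a YAML block scalar, where a `#` line would become part of the value, so the comment belongs above the `allowed-endpoints` key, which starts outside this hunk: `# Docker Hub serves image blobs from either CDN (Cloudflare or CloudFront); keep both hosts`. The same applies to the matching hunks in tests-installation-node.yml and tests-xenial.yml, where the Docker hosts are also listed in a different order than in tests-fast.yml; a common order across the three files would make drift between the lists easier to spot in review. The entry itself is a single hostname on port 443 rather than a wildcard, which keeps the widening of the blocked-egress policy narrow.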
@@ -38,6 +38,7 @@ jobs:
 archive.ubuntu.com:80
 security.ubuntu.com:80
 production.cloudflare.docker.com:443
+ production.cloudfront.docker.com:443
 registry-1.docker.io:443
 auth.docker.io:443
 - uses: actions/checkout@v6