[actions] allow DockerHub's CloudFront CDN so image pulls aren't blocked

harden-runner runs with `egress-policy: block`, and the allow-list only included `production.cloudflare.docker.com`. DockerHub serves image blobs from either its Cloudflare or its CloudFront CDN; when a pull was routed to CloudFront (`production.cloudfront.docker.com`) the connection was dropped, causing `error pulling image configuration: ... connect: connection refused` and exit 125 in the xenial, installation_node, and fast (httpbin) suites. Allow both CDNs.
2026-06-05 22:07:09 +08:00 · 2026-06-03 13:29:38 -07:00
parent dd13968c1e
commit c4d9239cbb
3 changed files with 3 additions and 0 deletions
--- a/.github/workflows/tests-fast.yml
+++ b/.github/workflows/tests-fast.yml
@@ -45,6 +45,7 @@ jobs:
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
      - uses: actions/checkout@v6
        with:
          submodules: true
--- a/.github/workflows/tests-installation-node.yml
+++ b/.github/workflows/tests-installation-node.yml
@@ -41,6 +41,7 @@ jobs:
            archive.ubuntu.com:80
            security.ubuntu.com:80
            production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
            registry-1.docker.io:443
            auth.docker.io:443
      - uses: actions/checkout@v6
--- a/.github/workflows/tests-xenial.yml
+++ b/.github/workflows/tests-xenial.yml
@@ -38,6 +38,7 @@ jobs:
            archive.ubuntu.com:80
            security.ubuntu.com:80
            production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
            registry-1.docker.io:443
            auth.docker.io:443
      - uses: actions/checkout@v6