[actions] allow DockerHub's CloudFront CDN so image pulls aren't blocked

harden-runner runs with `egress-policy: block`, and the allow-list only included
`production.cloudflare.docker.com`. DockerHub serves image blobs from either its
Cloudflare or its CloudFront CDN; when a pull was routed to CloudFront
(`production.cloudfront.docker.com`) the connection was dropped, causing
`error pulling image configuration: ... connect: connection refused` and exit
125 in the xenial, installation_node, and fast (httpbin) suites. Allow both CDNs.

.github/workflows/tests-fast.yml

@@ -45,6 +45,7 @@ jobs:
             registry-1.docker.io:443
             auth.docker.io:443
             production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
       - uses: actions/checkout@v6
         with:
           submodules: true

.github/workflows/tests-installation-node.yml

@@ -41,6 +41,7 @@ jobs:
             archive.ubuntu.com:80
             security.ubuntu.com:80
             production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
             registry-1.docker.io:443
             auth.docker.io:443
       - uses: actions/checkout@v6

.github/workflows/tests-xenial.yml

@@ -38,6 +38,7 @@ jobs:
             archive.ubuntu.com:80
             security.ubuntu.com:80
             production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
             registry-1.docker.io:443
             auth.docker.io:443
       - uses: actions/checkout@v6