From 42ea29caec25da58017603c0d176fe64dd2ab982 Mon Sep 17 00:00:00 2001
From: Jeremy Harrington
Date: Fri, 29 May 2026 12:09:08 -0700
Subject: [PATCH] ci: allow production.cloudfront.docker.com in harden-runner egress

Docker Hub serves image blobs from a CDN, and sometimes uses CloudFront (production.cloudfront.docker.com) in addition to the Cloudflare endpoint already allowlisted. Docker changed this recently (see Docker Hub release notes, ~a week ago: https://docs.docker.com/docker-hub/release-notes/), which is why crane pulls of Docker Hub images (e.g. chainguard/static in the e2e xcover test) started failing harden-runner egress with: dial tcp: lookup production.cloudfront.docker.com ... i/o timeout Same CloudFront usage was observed in mono CI: https://github.com/chainguard-dev/mono/actions/runs/26589819417/job/78350661305#step:18:25 Add production.cloudfront.docker.com:443 to the egress allowlist in the Test packages (e2e) and release jobs, alongside the existing Cloudflare endpoint.

---
 .github/workflows/melange-test-pipelines.yaml | 1 +
 .github/workflows/release.yaml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/.github/workflows/melange-test-pipelines.yaml b/.github/workflows/melange-test-pipelines.yaml
index 707eb2ab1..8d5408d8f 100644
--- a/.github/workflows/melange-test-pipelines.yaml
+++ b/.github/workflows/melange-test-pipelines.yaml
@@ -93,6 +93,7 @@ jobs:
 packages.wolfi.dev:443
 ppa.launchpadcontent.net:443
 production.cloudflare.docker.com:443
+ production.cloudfront.docker.com:443
 proxy.golang.org:443
 pypi.org:443
 raw.githubusercontent.com:443
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index c7529e50c..8faf79fcb 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -35,6 +35,7 @@ jobs:
 index.docker.io:443
 objects.githubusercontent.com:443
 production.cloudflare.docker.com:443
+ production.cloudfront.docker.com:443
 proxy.golang.org:443
 raw.githubusercontent.com:443
 rekor.sigstore.dev:443
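Review bot: The added `production.cloudfront.docker.com:443` line in both hunks (melange-test-pipelines.yaml and release.yaml) carries none of the rationale from the commit message into the workflow, and an egress allowlist is exactly the kind of list a later tidy-up prunes when an entry looks like a near-duplicate of `production.cloudflare.docker.com:443` sitting right above it. A YAML comment on the added line in each file would keep the entry self-explaining, e.g. `production.cloudfront.docker.com:443 # Docker Hub blob CDN; pulls alternate between the Cloudflare and CloudFront hosts, keep both`. The same comment could note that these two CDN hosts should be kept in sync across the e2e and release allowlists, since they are maintained separately. The enclosing harden-runner step (the `with:` block holding the endpoint list) starts outside both hunks, so I cannot see whether an `egress-policy` setting there already documents the list; if it does, a short pointer to it is enough.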