From c7f554436937bbb29d80750885ca6ed60d23452d Mon Sep 17 00:00:00 2001
From: Khaja Omer
Date: Tue, 5 May 2026 15:48:32 -0500
Subject: [PATCH 1/4] ci: allow devbox bootstrap egress
---
 .github/workflows/build-push.yml | 1 +
 .github/workflows/build_test_ci.yml | 6 ++++++
 .github/workflows/e2e-test.yaml | 6 ++++++
 .github/workflows/pull_request_ci.yaml | 7 +++++++
 4 files changed, 20 insertions(+)
diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
index 8acf23451..f03e17ab7 100644
--- a/.github/workflows/build-push.yml
+++ b/.github/workflows/build-push.yml
@@ -24,6 +24,7 @@ jobs:
 api.github.com:443
 github.com:443
 auth.docker.io:443
+ index.docker.io:443
 registry-1.docker.io:443
 production.cloudflare.docker.com:443
 gcr.io:443
diff --git a/.github/workflows/build_test_ci.yml b/.github/workflows/build_test_ci.yml
index 21fcf15fc..3c8a618a5 100644
--- a/.github/workflows/build_test_ci.yml
+++ b/.github/workflows/build_test_ci.yml
@@ -59,6 +59,12 @@ jobs:
 sum.golang.org:443
 *.githubusercontent.com:443
 storage.googleapis.com:443
+ get.jetify.com:443
+ get.jetpack.io:443
+ releases.jetify.com:443
+ releases.jetpack.io:443
+ artifacts.nixos.org:443
+ cache.nixos.org:443
 cli.codecov.io:443
 api.codecov.io:443
 ingest.codecov.io:443
diff --git a/.github/workflows/e2e-test.yaml b/.github/workflows/e2e-test.yaml
index 7339e53bc..7c8b8cde2 100644
--- a/.github/workflows/e2e-test.yaml
+++ b/.github/workflows/e2e-test.yaml
@@ -117,6 +117,12 @@ jobs:
 linode.github.io:443
 dl.k8s.io:443
 cdn.dl.k8s.io:443
+ get.jetify.com:443
+ get.jetpack.io:443
+ releases.jetify.com:443
+ releases.jetpack.io:443
+ artifacts.nixos.org:443
+ cache.nixos.org:443
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
diff --git a/.github/workflows/pull_request_ci.yaml b/.github/workflows/pull_request_ci.yaml
index f0837b468..a37805b69 100644
--- a/.github/workflows/pull_request_ci.yaml
+++ b/.github/workflows/pull_request_ci.yaml
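Review bot: The new `index.docker.io:443` entry in build-push.yml, and the six devbox/Nix hosts added in the build_test_ci.yml, e2e-test.yaml and pull_request_ci.yaml hunks, carry no record of which step needs them; under `egress-policy: block` this list is the job's egress boundary, so an entry that cannot be traced to a consumer will never be safe to remove. Because `allowed-endpoints` is a `>` folded scalar, a `#` line inside the list would become part of the value, so the note belongs on the line above the key, e.g. `# devbox bootstrap egress: jetify/jetpack installer hosts + nixos.org binary cache`. Both the jetify.com and jetpack.io names are listed; if one is only a redirect to the other, saying which is the fallback lets the stale name be dropped later. The `allowed-endpoints` key and the Harden Runner step itself start above each of these hunks.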
@@ -73,6 +73,12 @@ jobs:
 sum.golang.org:443
 *.githubusercontent.com:443
 storage.googleapis.com:443
+ get.jetify.com:443
+ get.jetpack.io:443
+ releases.jetify.com:443
+ releases.jetpack.io:443
+ artifacts.nixos.org:443
+ cache.nixos.org:443
 dl.k8s.io:443
 cdn.dl.k8s.io:443
@@ -111,6 +117,7 @@ jobs:
 allowed-endpoints: >
 api.github.com:443
 github.com:443
+ index.docker.io:443
 proxy.golang.org:443
 sum.golang.org:443
 go.dev:443
From 41f1435e25db355cd000b47ecf6120b9d3b969a0 Mon Sep 17 00:00:00 2001
From: Khaja Omer
Date: Tue, 5 May 2026 16:11:13 -0500
Subject: [PATCH 2/4] ci: relax e2e runner hardening
---
 .github/workflows/e2e-test.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/e2e-test.yaml b/.github/workflows/e2e-test.yaml
index 7c8b8cde2..71a315ea4 100644
--- a/.github/workflows/e2e-test.yaml
+++ b/.github/workflows/e2e-test.yaml
@@ -86,7 +86,7 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
- egress-policy: block
+ egress-policy: audit
 allowed-endpoints: >
 *:6443
 api.linode.com:443
From 44db22252c84b4b011e894f1988273294a4b77ae Mon Sep 17 00:00:00 2001
From: Khaja Omer
Date: Wed, 6 May 2026 14:10:11 -0500
Subject: [PATCH 3/4] ci: use ipv4 kind network for e2e
---
 .github/workflows/e2e-test.yaml | 10 +++++++++-
 .github/workflows/e2e-upgrade-test.yaml | 8 ++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/e2e-test.yaml b/.github/workflows/e2e-test.yaml
index 71a315ea4..04e414b25 100644
--- a/.github/workflows/e2e-test.yaml
+++ b/.github/workflows/e2e-test.yaml
@@ -86,7 +86,7 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
- egress-policy: audit
+ egress-policy: block
 allowed-endpoints: >
 *:6443
 api.linode.com:443
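Review bot: Changing `egress-policy: block` to `egress-policy: audit` on the Harden Runner step in patch 2/4 makes the `allowed-endpoints` list log-only, so every later step of the e2e job runs with unrestricted egress in this commit; patch 3/4 sets it back to `block` in the same file. That leaves a commit in the series where the e2e workflow is unprotected, which is easy to cherry-pick by mistake and awkward to bisect across; squashing this patch with the revert in 3/4, or dropping both, keeps the policy at `block` in every commit. If audit mode was only used to discover the hosts added in 1/4 and 4/4, that is worth saying in the commit message rather than landing the relaxation. The step's `allowed-endpoints` list continues below the hunk.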
@@ -146,6 +146,14 @@ jobs:
 enable-cache: 'true'
 refresh-cli: 'false'
+ - name: Create IPv4-only kind network
+ run: |
+ docker network inspect kind >/dev/null 2>&1 || \
+ docker network create -d=bridge \
+ -o com.docker.network.bridge.enable_ip_masquerade=true \
+ -o com.docker.network.driver.mtu=1500 \
+ kind
+
 - name: Run E2E Test
 env:
 E2E_FLAGS: ${{ inputs.e2e-flags }}
diff --git a/.github/workflows/e2e-upgrade-test.yaml b/.github/workflows/e2e-upgrade-test.yaml
index e75e3bc53..c4aa7bbff 100644
--- a/.github/workflows/e2e-upgrade-test.yaml
+++ b/.github/workflows/e2e-upgrade-test.yaml
@@ -93,6 +93,14 @@ jobs:
 go-version-file: 'go.mod'
 check-latest: true
+ - name: Create IPv4-only kind network
+ run: |
+ docker network inspect kind >/dev/null 2>&1 || \
+ docker network create -d=bridge \
+ -o com.docker.network.bridge.enable_ip_masquerade=true \
+ -o com.docker.network.driver.mtu=1500 \
+ kind
+
 - name: Run Upgrade Test
 env:
 LINODE_REGION: us-sea
From b490192333a35694034bbd0ad76a8f792eaa6bf5 Mon Sep 17 00:00:00 2001
From: Khaja Omer
Date: Wed, 6 May 2026 14:42:55 -0500
Subject: [PATCH 4/4] ci: allow linode object storage egress
---
 .github/workflows/e2e-test.yaml | 1 +
 .github/workflows/e2e-upgrade-test.yaml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/.github/workflows/e2e-test.yaml b/.github/workflows/e2e-test.yaml
index 04e414b25..10e2d08b0 100644
--- a/.github/workflows/e2e-test.yaml
+++ b/.github/workflows/e2e-test.yaml
@@ -115,6 +115,7 @@ jobs:
 charts.jetstack.io:443
 helm.cilium.io:443
 linode.github.io:443
+ *.linodeobjects.com:443
 dl.k8s.io:443
 cdn.dl.k8s.io:443
 get.jetify.com:443
diff --git a/.github/workflows/e2e-upgrade-test.yaml b/.github/workflows/e2e-upgrade-test.yaml
index c4aa7bbff..279e32dd0 100644
--- a/.github/workflows/e2e-upgrade-test.yaml
+++ b/.github/workflows/e2e-upgrade-test.yaml
@@ -79,6 +79,7 @@ jobs:
 charts.jetstack.io:443
 helm.cilium.io:443
 linode.github.io:443
+ *.linodeobjects.com:443
 dl.k8s.io:443
 cdn.dl.k8s.io:443
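Review bot: The "Create IPv4-only kind network" step in e2e-test.yaml gets its IPv4-only property only from `docker network create` defaulting to no `--ipv6` — nothing in the command states it — and the `docker network inspect kind ... ||` guard skips creation whenever a `kind` network already exists, even one that is dual-stack; the identical step is added in the e2e-upgrade-test.yaml hunk. On a fresh hosted runner the network will not pre-exist, so this presumably works, but the reason for pre-creating it should be written down above the `run:`, e.g. `# pre-create the kind network without --ipv6 (docker default) so kind does not create it dual-stack; existing networks are kept as-is`. Since both workflows carry the same script, a composite action would keep the MTU and masquerade options from drifting apart. The `with:` block of the preceding step (`enable-cache`, `refresh-cli`) starts above the hunk.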
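Review bot: `*.linodeobjects.com:443` in e2e-test.yaml is a wildcard over every Linode Object Storage bucket and region, so under `egress-policy: block` the job can now reach any bucket rather than only the one the test uses; the same entry is added in the e2e-upgrade-test.yaml hunk, whose tail may be cut off in this view. If the bucket or regional endpoint is fixed, list that host (e.g. `<region>.linodeobjects.com:443` with the real region) instead of the wildcard, and in either case name the consumer on the line above the `allowed-endpoints:` key — `# object storage: <step name> reads/writes <artifact>` — since a `#` inside the folded scalar would become part of the value. The list already carries a `*:6443` wildcard (visible in the patch-2 hunk of the same file), so each additional wildcard deserves an explicit justification.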