ci: pin Docker Hub R2 buckets instead of wildcarding Cloudflare

cpcloud · cpcloud · commit 1a81afcb35ee · 2026-04-20T07:53:00.000-04:00
*.r2.cloudflarestorage.com allows egress to any Cloudflare R2
customer's bucket. Pin the two Docker Hub buckets explicitly so
the allowlist only covers Docker Inc's account.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -395,17 +395,22 @@ jobs:
           deploy-on-self-hosted-vm: true
           egress-policy: block
           disable-telemetry: true
+          # The two r2.cloudflarestorage.com entries are Docker Hub's
+          # R2 buckets (layers and images). The hashed subdomains are
+          # Docker Inc's Cloudflare account IDs -- stable per-account
+          # but not self-describing; update if Docker Hub reshards.
           allowed-endpoints: >
+            1ede90a8395416f286ba9f692dc6bacf.r2.cloudflarestorage.com:443
             api.github.com:443
             auth.docker.io:443
+            docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443
             github.com:443
             gcr.io:443
             production.cloudflare.docker.com:443
             proxy.golang.org:443
             registry-1.docker.io:443
             storage.googleapis.com:443
             sum.golang.org:443
-            *.r2.cloudflarestorage.com:443
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
