ci: expand harden-runner allowed-endpoints for v2.19.0 enforcement

harden-runner v2.19.0 enforces egress policy on Blacksmith runners,
unmasking domains that v2.18.0 silently allowed through.

- Build & Test: add us-west-2.ec2.archive.ubuntu.com and
  security.ubuntu.com for apt-get install
- Docker Build: add Cloudflare R2 buckets Docker Hub now serves
  image layers from
- NilAway: add go.dev and release-assets.githubusercontent.com for
  setup-go version resolution

Author: cpcloud

.github/workflows/ci.yml

@@ -87,7 +87,9 @@ jobs:
             ports.ubuntu.com:80
             proxy.golang.org:443
             release-assets.githubusercontent.com:443
+            security.ubuntu.com:80
             storage.googleapis.com:443
+            us-west-2.ec2.archive.ubuntu.com:80
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
@@ -394,8 +396,10 @@ jobs:
           egress-policy: block
           disable-telemetry: true
           allowed-endpoints: >
+            1ede90a8395416f286ba9f692dc6bacf.r2.cloudflarestorage.com:443
             api.github.com:443
             auth.docker.io:443
+            docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443
             github.com:443
             gcr.io:443
             production.cloudflare.docker.com:443

.github/workflows/lint.yml

@@ -189,7 +189,9 @@ jobs:
           allowed-endpoints: >
             api.github.com:443
             github.com:443
+            go.dev:443
             proxy.golang.org:443
+            release-assets.githubusercontent.com:443
             storage.googleapis.com:443
             sum.golang.org:443