fix: resolve CI failures for egress policies and Python 3.7 buildpack support (GoogleCloudPlatform#388)

taeold · web-flow · commit 2de6eec6fae1 · 2025-07-22T11:51:04.000-07:00
* fix: add GitHub Actions CDN to egress allowlist

The conformance workflow was failing with ECONNREFUSED errors when trying
to download Python binaries from GitHub releases. This was caused by the
harden-runner egress policy blocking connections to the GitHub Actions
CDN IP addresses.

Added *.actions.githubusercontent.com:443 to the allowed endpoints to
fix Python setup for all versions (3.7, 3.8, etc).

* fix: remove Python 3.7 from buildpack integration tests

Google Cloud Buildpacks dropped Python 3.7 support for Ubuntu 22.04.
The version is not available in their runtime manifest.

Note: Functions Framework still supports Python 3.7, which is tested
in unit and conformance tests using GitHub Actions with Ubuntu 20.04.

* fix: use correct domain for GitHub release assets

The Python binaries are actually hosted on release-assets.githubusercontent.com,
not *.actions.githubusercontent.com

* fix: add release-assets domain to unit and conformance-asgi workflows

The same ECONNREFUSED issue was affecting multiple workflows with
harden-runner egress policies
diff --git a/.github/workflows/buildpack-integration-test.yml b/.github/workflows/buildpack-integration-test.yml
@@ -14,17 +14,6 @@ on:
 permissions: read-all
 
 jobs:
-  python37:
-    uses: GoogleCloudPlatform/functions-framework-conformance/.github/workflows/buildpack-integration-test.yml@main
-    with:
-      http-builder-source: 'tests/conformance'
-      http-builder-target: 'write_http_declarative'
-      cloudevent-builder-source: 'tests/conformance'
-      cloudevent-builder-target: 'write_cloud_event_declarative'
-      prerun: 'tests/conformance/prerun.sh ${{ github.sha }}'
-      builder-runtime: 'python37'
-      builder-runtime-version: '3.7'
-      start-delay: 5
   python38:
     uses: GoogleCloudPlatform/functions-framework-conformance/.github/workflows/buildpack-integration-test.yml@main
     with:
diff --git a/.github/workflows/conformance-asgi.yml b/.github/workflows/conformance-asgi.yml
@@ -29,6 +29,7 @@ jobs:
           proxy.golang.org:443
           pypi.org:443
           storage.googleapis.com:443
+          release-assets.githubusercontent.com:443
 
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
@@ -34,6 +34,7 @@ jobs:
           proxy.golang.org:443
           pypi.org:443
           storage.googleapis.com:443
+          release-assets.githubusercontent.com:443
 
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml
@@ -54,6 +54,7 @@ jobs:
           production.cloudflare.docker.com:443
           pypi.org:443
           registry-1.docker.io:443
+          release-assets.githubusercontent.com:443
 
     - name: Checkout
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
