ci: allow devbox bootstrap egress (#1073)

komer3 · web-flow · commit 2eaea1ef4abf · 2026-05-11T10:51:08.000-05:00
* ci: allow devbox bootstrap egress

* ci: relax e2e runner hardening

* ci: use ipv4 kind network for e2e

* ci: allow linode object storage egress

* ci: relax release workflow hardening

* ci: restore build push hardening

* build: bump Go toolchain to 1.25.10

* build: update x/net for vulncheck

* build: tidy Go module checksums
diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
@@ -24,6 +24,7 @@ jobs:
             api.github.com:443
             github.com:443
             auth.docker.io:443
+            index.docker.io:443
             registry-1.docker.io:443
             production.cloudflare.docker.com:443
             gcr.io:443
diff --git a/.github/workflows/build_test_ci.yml b/.github/workflows/build_test_ci.yml
@@ -59,6 +59,12 @@ jobs:
             sum.golang.org:443
             *.githubusercontent.com:443
             storage.googleapis.com:443
+            get.jetify.com:443
+            get.jetpack.io:443
+            releases.jetify.com:443
+            releases.jetpack.io:443
+            artifacts.nixos.org:443
+            cache.nixos.org:443
             cli.codecov.io:443
             api.codecov.io:443
             ingest.codecov.io:443
diff --git a/.github/workflows/e2e-test.yaml b/.github/workflows/e2e-test.yaml
@@ -115,8 +115,15 @@ jobs:
             charts.jetstack.io:443
             helm.cilium.io:443
             linode.github.io:443
+            *.linodeobjects.com:443
             dl.k8s.io:443
             cdn.dl.k8s.io:443
+            get.jetify.com:443
+            get.jetpack.io:443
+            releases.jetify.com:443
+            releases.jetpack.io:443
+            artifacts.nixos.org:443
+            cache.nixos.org:443
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -140,6 +147,17 @@ jobs:
           enable-cache: 'true'
           refresh-cli: 'false'
 
+      - name: Create IPv4-only kind network
+        run: |
+          # Pre-create the shared kind network as IPv4-only because
+          # harden-runner block mode trips over Docker/kind's local IPv6
+          # address advertisement during cluster setup.
+          docker network inspect kind >/dev/null 2>&1 || \
+          docker network create -d=bridge \
+            -o com.docker.network.bridge.enable_ip_masquerade=true \
+            -o com.docker.network.driver.mtu=1500 \
+            kind
+
       - name: Run E2E Test
         env:
           E2E_FLAGS: ${{ inputs.e2e-flags }}
diff --git a/.github/workflows/e2e-upgrade-test.yaml b/.github/workflows/e2e-upgrade-test.yaml
@@ -79,6 +79,7 @@ jobs:
             charts.jetstack.io:443
             helm.cilium.io:443
             linode.github.io:443
+            *.linodeobjects.com:443
             dl.k8s.io:443
             cdn.dl.k8s.io:443
 
@@ -93,6 +94,17 @@ jobs:
           go-version-file: 'go.mod'
           check-latest: true
 
+      - name: Create IPv4-only kind network
+        run: |
+          # Pre-create the shared kind network as IPv4-only because
+          # harden-runner block mode trips over Docker/kind's local IPv6
+          # address advertisement during cluster setup.
+          docker network inspect kind >/dev/null 2>&1 || \
+          docker network create -d=bridge \
+            -o com.docker.network.bridge.enable_ip_masquerade=true \
+            -o com.docker.network.driver.mtu=1500 \
+            kind
+
       - name: Run Upgrade Test
         env:
           LINODE_REGION: us-sea
diff --git a/.github/workflows/pull_request_ci.yaml b/.github/workflows/pull_request_ci.yaml
@@ -73,6 +73,12 @@ jobs:
             sum.golang.org:443
             *.githubusercontent.com:443
             storage.googleapis.com:443
+            get.jetify.com:443
+            get.jetpack.io:443
+            releases.jetify.com:443
+            releases.jetpack.io:443
+            artifacts.nixos.org:443
+            cache.nixos.org:443
             dl.k8s.io:443
             cdn.dl.k8s.io:443
 
@@ -111,6 +117,7 @@ jobs:
           allowed-endpoints: >
             api.github.com:443
             github.com:443
+            index.docker.io:443
             proxy.golang.org:443
             sum.golang.org:443
             go.dev:443
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -16,7 +16,7 @@ jobs:
         uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
         with:
           disable-sudo: true
-          egress-policy: block
+          egress-policy: audit
           allowed-endpoints: >
             api.github.com:443
             github.com:443
diff --git a/go.mod b/go.mod
@@ -2,7 +2,7 @@ module github.com/linode/cluster-api-provider-linode
 
 go 1.25.0
 
-toolchain go1.25.9
+toolchain go1.25.10
 
 require (
 	github.com/akamai/AkamaiOPEN-edgegrid-golang/v12 v12.3.0
@@ -26,7 +26,7 @@ require (
 	go.uber.org/automaxprocs v1.6.0
 	go.uber.org/mock v0.6.0
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/mod v0.33.0
+	golang.org/x/mod v0.34.0
 	k8s.io/api v0.35.3
 	k8s.io/apimachinery v0.35.3
 	k8s.io/client-go v0.35.3
@@ -137,13 +137,13 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/ratelimit v0.3.1 // indirect
 	go.uber.org/zap v1.27.1 // indirect
-	golang.org/x/net v0.52.0 // indirect
+	golang.org/x/net v0.53.0 // indirect
 	golang.org/x/oauth2 v0.35.0 // indirect
-	golang.org/x/sys v0.42.0 // indirect
-	golang.org/x/term v0.41.0 // indirect
-	golang.org/x/text v0.35.0 // indirect
+	golang.org/x/sys v0.43.0 // indirect
+	golang.org/x/term v0.42.0 // indirect
+	golang.org/x/text v0.36.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
-	golang.org/x/tools v0.42.0 // indirect
+	golang.org/x/tools v0.43.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20260406210006-6f92a3bedf2d // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260406210006-6f92a3bedf2d // indirect
diff --git a/go.sum b/go.sum
@@ -321,28 +321,28 @@ go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
-golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
-golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
+golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
+golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
 golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 h1:nDVHiLt8aIbd/VzvPWN6kSOPE7+F/fNFDSXLVYkE/Iw=
 golang.org/x/exp v0.0.0-20250305212735-054e65f0b394/go.mod h1:sIifuuw/Yco/y6yb6+bDNfyeQ/MdPUy/hKEMYQV17cM=
-golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
-golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
-golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
-golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
+golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI=
+golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=
+golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
+golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
 golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ=
 golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
-golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
-golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
-golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
-golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
-golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
+golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
-golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
-golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
+golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
+golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
 gomodules.xyz/jsonpatch/v2 v2.5.0 h1:JELs8RLM12qJGXU4u/TO3V25KW8GreMKl9pdkk14RM0=
 gomodules.xyz/jsonpatch/v2 v2.5.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
 gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
