From 69de1d270407df7328874993319b59f4d1eabdb6 Mon Sep 17 00:00:00 2001
From: Danny Rorabaugh <imnasnainaec@gmail.com>
Date: Thu, 21 May 2026 14:27:03 -0400
Subject: [PATCH 1/3] Add missing endpoints to deployment builds

---
 .github/workflows/deploy_qa.yml      | 1 +
 .github/workflows/deploy_release.yml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/.github/workflows/deploy_qa.yml b/.github/workflows/deploy_qa.yml
index 00c0dbc52c..b94adbbbed 100644
--- a/.github/workflows/deploy_qa.yml
+++ b/.github/workflows/deploy_qa.yml
@@ -51,6 +51,7 @@ jobs:
             github.com:443
             mcr.microsoft.com:443
             production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
             public.ecr.aws:443
             pypi.org:443
             registry-1.docker.io:443
diff --git a/.github/workflows/deploy_release.yml b/.github/workflows/deploy_release.yml
index 16fc85af24..91095b669c 100644
--- a/.github/workflows/deploy_release.yml
+++ b/.github/workflows/deploy_release.yml
@@ -38,6 +38,7 @@ jobs:
             github.com:443
             mcr.microsoft.com:443
             production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
             public.ecr.aws:443
             pypi.org:443
             registry-1.docker.io:443

From 149466f67ed5326798cbb01ffa0af731c00e958f Mon Sep 17 00:00:00 2001
From: Danny Rorabaugh <imnasnainaec@gmail.com>
Date: Thu, 21 May 2026 14:39:53 -0400
Subject: [PATCH 2/3] Refine

---
 .github/workflows/combine_deploy_image.yml | 1 +
 .github/workflows/maintenance.yml          | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/combine_deploy_image.yml b/.github/workflows/combine_deploy_image.yml
index fc9c3afd35..65e0458a21 100644
--- a/.github/workflows/combine_deploy_image.yml
+++ b/.github/workflows/combine_deploy_image.yml
@@ -31,6 +31,7 @@ jobs:
             get.helm.sh:443
             github.com:443
             production.cloudflare.docker.com:443
+            production.cloudfront.docker.com:443
             public.ecr.aws:443
             pypi.org:443
             raw.githubusercontent.com:443
diff --git a/.github/workflows/maintenance.yml b/.github/workflows/maintenance.yml
index d9a0bf78ec..d550a7aecd 100644
--- a/.github/workflows/maintenance.yml
+++ b/.github/workflows/maintenance.yml
@@ -31,7 +31,6 @@ jobs:
             auth.docker.io:443
             files.pythonhosted.org:443
             github.com:443
-            production.cloudflare.docker.com:443
             public.ecr.aws:443
             pypi.org:443
             registry-1.docker.io:443

From 0d839bb3117aa56d4dd577675df62f9651891334 Mon Sep 17 00:00:00 2001
From: Danny Rorabaugh <imnasnainaec@gmail.com>
Date: Thu, 21 May 2026 14:49:59 -0400
Subject: [PATCH 3/3] Remove other vestigial endpoints

---
 .github/workflows/maintenance.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/maintenance.yml b/.github/workflows/maintenance.yml
index d550a7aecd..7af6f92843 100644
--- a/.github/workflows/maintenance.yml
+++ b/.github/workflows/maintenance.yml
@@ -28,12 +28,10 @@ jobs:
           allowed-endpoints: >
             *.cloudfront.net:443
             archive.ubuntu.com:80
-            auth.docker.io:443
             files.pythonhosted.org:443
             github.com:443
             public.ecr.aws:443
             pypi.org:443
-            registry-1.docker.io:443
             security.ubuntu.com:80
       # For subfolders, currently a full checkout is required.
       # See: https://github.com/marketplace/actions/build-and-push-docker-images#path-context