Further GHA / harden runner tweaks

zerolab · zerolab · commit b39f564e3fad · 2025-10-18T12:23:47.000+01:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -21,10 +21,16 @@ jobs:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
-            files.pythonhosted.org:443
             github.com:443
-            pypi.org:443
             api.github.com:443
+            ghcr.io:443
+            pkg-containers.githubusercontent.com:443
+            pypi.org:443
+            upload.pypi.org:443
+            files.pythonhosted.org:443
+            fulcio.sigstore.dev:443
+            rekor.sigstore.dev:443
+            tuf-repo-cdn.sigstore.dev:443
 
       - uses: actions/checkout@v5
         with:
