From bb09db95dc8b1933b2ec849022942f87db6cb0e2 Mon Sep 17 00:00:00 2001
From: Daniel Lee <danielylee@google.com>
Date: Wed, 17 Jun 2026 17:31:51 +0000
Subject: [PATCH] fix(ci): update allowed endpoints for harden-runner

---
 .github/workflows/dependency-review.yml | 2 ++
 .github/workflows/unit.yml              | 1 +
 2 files changed, 3 insertions(+)

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 5dbfda76..bcf29c0b 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -22,7 +22,9 @@ jobs:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
+            api.deps.dev:443
             api.github.com:443
+            api.securityscorecards.dev:443
             github.com:443
       - name: 'Checkout Repository'
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml
index adab381d..2901f5f3 100644
--- a/.github/workflows/unit.yml
+++ b/.github/workflows/unit.yml
@@ -42,6 +42,7 @@ jobs:
           github.com:443
           objects.githubusercontent.com:443
           production.cloudflare.docker.com:443
+          production.cloudfront.docker.com:443
           pypi.org:443
           registry-1.docker.io:443
           release-assets.githubusercontent.com:443