From c2ca5c924e11d00042df5cf52995d48e9b224df0 Mon Sep 17 00:00:00 2001 From: Daniel Young Lee Date: Tue, 22 Jul 2025 09:47:34 -0700 Subject: [PATCH 1/4] fix: add GitHub Actions CDN to egress allowlist The conformance workflow was failing with ECONNREFUSED errors when trying to download Python binaries from GitHub releases. This was caused by the harden-runner egress policy blocking connections to the GitHub Actions CDN IP addresses. Added *.actions.githubusercontent.com:443 to the allowed endpoints to fix Python setup for all versions (3.7, 3.8, etc). --- .github/workflows/conformance.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 9dde6036..ff662585 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -34,6 +34,7 @@ jobs: proxy.golang.org:443 pypi.org:443 storage.googleapis.com:443 + *.actions.githubusercontent.com:443 - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 From 67473286afb752c2ac29f002dc3c8b357f5aaf26 Mon Sep 17 00:00:00 2001 From: Daniel Young Lee Date: Tue, 22 Jul 2025 10:00:10 -0700 Subject: [PATCH 2/4] fix: remove Python 3.7 from buildpack integration tests Google Cloud Buildpacks dropped Python 3.7 support for Ubuntu 22.04. The version is not available in their runtime manifest. Note: Functions Framework still supports Python 3.7, which is tested in unit and conformance tests using GitHub Actions with Ubuntu 20.04. --- .github/workflows/buildpack-integration-test.yml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/.github/workflows/buildpack-integration-test.yml b/.github/workflows/buildpack-integration-test.yml index 234c24ef..2c028fa9 100644 --- a/.github/workflows/buildpack-integration-test.yml +++ b/.github/workflows/buildpack-integration-test.yml 
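Review bot: The added `*.actions.githubusercontent.com:443` entry in conformance.yml allows egress to every subdomain of that zone, which is wider than the single download the commit message describes, and 3/4 in this series shows it was not the host being blocked. Since 3/4 replaces the line, I would squash 1/4 into it so that no commit in history carries the wildcard; a revert or cherry-pick of 1/4 alone would otherwise leave the broader policy in place. For later allowlist changes, take the hostname from what harden-runner reported as blocked in the failing run rather than from the error text. The `allowed-endpoints` key is above the hunk, so the rest of the list is not visible here.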
@@ -14,17 +14,6 @@ on: permissions: read-all jobs: - python37: - uses: GoogleCloudPlatform/functions-framework-conformance/.github/workflows/buildpack-integration-test.yml@main - with: - http-builder-source: 'tests/conformance' - http-builder-target: 'write_http_declarative' - cloudevent-builder-source: 'tests/conformance' - cloudevent-builder-target: 'write_cloud_event_declarative' - prerun: 'tests/conformance/prerun.sh ${{ github.sha }}' - builder-runtime: 'python37' - builder-runtime-version: '3.7' - start-delay: 5 python38: uses: GoogleCloudPlatform/functions-framework-conformance/.github/workflows/buildpack-integration-test.yml@main with: From 54e054d1bc8799eda046fc948a6ca80398bd19c7 Mon Sep 17 00:00:00 2001 From: Daniel Young Lee Date: Tue, 22 Jul 2025 10:14:45 -0700 Subject: [PATCH 3/4] fix: use correct domain for GitHub release assets The Python binaries are actually hosted on release-assets.githubusercontent.com, not *.actions.githubusercontent.com --- .github/workflows/conformance.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index ff662585..7d10b8af 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -34,7 +34,7 @@ jobs: proxy.golang.org:443 pypi.org:443 storage.googleapis.com:443 - *.actions.githubusercontent.com:443 + release-assets.githubusercontent.com:443 - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 From 57bc14672c9d317bff2923692be0842dbbb7d783 Mon Sep 17 00:00:00 2001 From: Daniel Young Lee Date: Tue, 22 Jul 2025 11:30:51 -0700 Subject: [PATCH 4/4] fix: add release-assets domain to unit and conformance-asgi workflows The same ECONNREFUSED issue was affecting multiple workflows with harden-runner egress policies --- .github/workflows/conformance-asgi.yml | 1 + .github/workflows/unit.yml | 1 + 2 files changed, 2 insertions(+) 
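Review bot: `release-assets.githubusercontent.com:443` is added to the conformance.yml allowlist with nothing in the file saying which step needs it, and as far as I know that host serves release downloads for any GitHub repository, not only the Python builds. Someone auditing this egress policy later cannot tell from the entry alone why it is there or how much it opens. The entries look like they sit inside a block scalar, where `#` would become part of the value, so the comment belongs above the `allowed-endpoints` key (outside this hunk), for example `# release-assets.githubusercontent.com: Python setup downloads interpreter builds from GitHub release assets`.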
diff --git a/.github/workflows/conformance-asgi.yml b/.github/workflows/conformance-asgi.yml index a62fcb71..904a7773 100644 --- a/.github/workflows/conformance-asgi.yml +++ b/.github/workflows/conformance-asgi.yml @@ -29,6 +29,7 @@ jobs: proxy.golang.org:443 pypi.org:443 storage.googleapis.com:443 + release-assets.githubusercontent.com:443 - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml index 32b34fdb..28ed5b1e 100644 --- a/.github/workflows/unit.yml +++ b/.github/workflows/unit.yml @@ -54,6 +54,7 @@ jobs: production.cloudflare.docker.com:443 pypi.org:443 registry-1.docker.io:443 + release-assets.githubusercontent.com:443 - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
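Review bot: In conformance-asgi.yml the new line is appended after `storage.googleapis.com:443`, while the visible entries in these lists appear to be kept in alphabetical order (unit.yml does place it correctly after `registry-1.docker.io:443`); the same applies to conformance.yml in 3/4. I would move it to sit between `pypi.org:443` and `storage.googleapis.com:443`, which keeps duplicates and stray entries easy to spot when the allowlists are compared. The endpoint is now hand-copied into three workflows, so it is worth checking whether any other workflow with a blocking egress policy runs the same Python setup and was missed. The start of both lists is outside these hunks.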