Chore: Add attestation endpoints to allow-list

.github/harden-runner/lfreleng-actions/README.md

@@ -0,0 +1,33 @@
+<!--
+SPDX-License-Identifier: Apache-2.0
+SPDX-FileCopyrightText: 2026 The Linux Foundation
+-->
+
+# lfreleng-actions egress allow-list
+
+`allow_list.txt` is the shared [harden-runner][hr] egress allow-list for
+the `lfreleng-actions` organisation. Workflows load it with
+[harden-runner-block-action][block] and run harden-runner in `block`
+mode, so harden-runner denies any host this file omits.
+
+Each entry is a `host[:port]` token, and a `*.host` wildcard matches
+subdomains. We keep the file sorted alphabetically (`LC_ALL=C`).
+
+## Documented entries
+
+This table records why specific endpoints appear, and does not yet
+cover every entry: tooling generated the initial list in bulk, and we
+will backfill the rest over time, potentially from the tooling that
+produced them.
+
+<!-- markdownlint-disable MD013 -->
+
+| Endpoint                                  | Source / reason                                                                                                                               |
+| ----------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `tuf-repo.github.com:443`                 | GitHub TUF trust root, fetched by `gh attestation verify` when checking the Sigstore provenance of the zizmor binary (zizmor security audit). |
+| `tmaproduction.blob.core.windows.net:443` | Azure blob storage that serves GitHub's artifact attestation bundles, fetched by `gh attestation verify` during the same provenance check.    |
+
+<!-- markdownlint-enable MD013 -->
+
+[hr]: https://github.com/step-security/harden-runner
+[block]: https://github.com/lfreleng-actions/harden-runner-block-action

.github/harden-runner/lfreleng-actions/allow_list.txt

@@ -1 +1 @@
-github.com:443 *.githubapp.com:443 *.githubusercontent.com:443 *.sigstore.dev:443 api.azul.com:443 api.github.com:443 app-updates.agilebits.com:443 astral.sh:443 auth.docker.io:443 azure.archive.ubuntu.com:80 build.automotivelinux.org:443 cache.agilebits.com:443 cdn.azul.com:443 deb.debian.org:80 dl-cdn.alpinelinux.org:443 dl.google.com:443 endoflife.date:443 esm.ubuntu.com:443 files.pythonhosted.org:443 ftp.mozilla.org:443 gerrit.automotivelinux.org:443 gerrit.fd.io:443 gerrit.lfbroadband.org:443 gerrit.linuxfoundation.org:443 gerrit.o-ran-sc.org:29418 gerrit.o-ran-sc.org:443 gerrit.onap.org:443 get.anchore.io:443 get.helm.sh:443 ghcr.io:443 git.opendaylight.org:443 github.com:22 grype.anchore.io:443 jenkins.fd.io:443 jenkins.lfbroadband.org:443 jenkins.o-ran-sc.org:443 jenkins.onap.org:443 jenkins.opendaylight.org:443 jira.linuxfoundation.org:443 jira.o-ran-sc.org:443 jira.onap.org:443 jira.opendaylight.org:443 lf-o-ran-sc.atlassian.net:443 lf-onap.atlassian.net:443 lf-opendaylight.atlassian.net:443 linuxfoundation.1password.com:443 linuxfoundation.org:443 motd.ubuntu.com:443 nexus.onap.org:443 nexus3.o-ran-sc.org:443 o-ran-sc.1password.com:443 packages.microsoft.com:443 prod.app-api.stepsecurity.io:443 production.cloudflare.docker.com:443 proxy.golang.org:443 pypi.org:443 registry-1.docker.io:443 releases.astral.sh:443 repo.maven.apache.org:443 repo1.maven.org:443 slack.com:443 static.rust-lang.org:443 support.linuxfoundation.org:443 test.pypi.org:443 upload.pypi.org:443 uploads.github.com:443 www.google.com:443 www.linuxfoundation.org:443
+*.githubapp.com:443 *.githubusercontent.com:443 *.sigstore.dev:443 api.azul.com:443 api.github.com:443 app-updates.agilebits.com:443 astral.sh:443 auth.docker.io:443 azure.archive.ubuntu.com:80 build.automotivelinux.org:443 cache.agilebits.com:443 cdn.azul.com:443 deb.debian.org:80 dl-cdn.alpinelinux.org:443 dl.google.com:443 endoflife.date:443 esm.ubuntu.com:443 files.pythonhosted.org:443 ftp.mozilla.org:443 gerrit.automotivelinux.org:443 gerrit.fd.io:443 gerrit.lfbroadband.org:443 gerrit.linuxfoundation.org:443 gerrit.o-ran-sc.org:29418 gerrit.o-ran-sc.org:443 gerrit.onap.org:443 get.anchore.io:443 get.helm.sh:443 ghcr.io:443 git.opendaylight.org:443 github.com:22 github.com:443 grype.anchore.io:443 jenkins.fd.io:443 jenkins.lfbroadband.org:443 jenkins.o-ran-sc.org:443 jenkins.onap.org:443 jenkins.opendaylight.org:443 jira.linuxfoundation.org:443 jira.o-ran-sc.org:443 jira.onap.org:443 jira.opendaylight.org:443 lf-o-ran-sc.atlassian.net:443 lf-onap.atlassian.net:443 lf-opendaylight.atlassian.net:443 linuxfoundation.1password.com:443 linuxfoundation.org:443 motd.ubuntu.com:443 nexus.onap.org:443 nexus3.o-ran-sc.org:443 o-ran-sc.1password.com:443 packages.microsoft.com:443 prod.app-api.stepsecurity.io:443 production.cloudflare.docker.com:443 proxy.golang.org:443 pypi.org:443 registry-1.docker.io:443 releases.astral.sh:443 repo.maven.apache.org:443 repo1.maven.org:443 slack.com:443 static.rust-lang.org:443 support.linuxfoundation.org:443 test.pypi.org:443 tmaproduction.blob.core.windows.net:443 tuf-repo.github.com:443 upload.pypi.org:443 uploads.github.com:443 www.google.com:443 www.linuxfoundation.org:443