allow harden-runner to connect to any github subdomains

#1410 (comment)

Author: srabraham

.github/workflows/cicd.yml

@@ -27,10 +27,10 @@ jobs:
           disable-file-monitoring: true
           egress-policy: block
           allowed-endpoints: >
-            api.github.com:443
+            *.github.com:443
+            *.githubusercontent.com:443
             files.pythonhosted.org:443
             github.com:443
-            objects.githubusercontent.com:443
             pypi.org:443
 
       - name: Checkout source code
@@ -74,10 +74,10 @@ jobs:
           disable-file-monitoring: true
           egress-policy: block
           allowed-endpoints: >
-            api.github.com:443
+            *.github.com:443
+            *.githubusercontent.com:443
             files.pythonhosted.org:443
             github.com:443
-            objects.githubusercontent.com:443
             pypi.org:443
 
       - name: Checkout source code
@@ -115,10 +115,10 @@ jobs:
           disable-file-monitoring: true
           egress-policy: block
           allowed-endpoints: >
-            api.github.com:443
+            *.github.com:443
+            *.githubusercontent.com:443
             files.pythonhosted.org:443
             github.com:443
-            objects.githubusercontent.com:443
             pypi.org:443
 
       - name: Checkout source code
@@ -189,11 +189,11 @@ jobs:
           egress-policy: block
           allowed-endpoints: >
             *.codecov.io:443
-            api.github.com:443
+            *.github.com:443
+            *.githubusercontent.com:443
             codecov.io:443
             files.pythonhosted.org:443
             github.com:443
-            objects.githubusercontent.com:443
             pypi.org:443
             storage.googleapis.com:443
 
@@ -308,7 +308,7 @@ jobs:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
-            api.github.com:443
+            *.github.com:443
             auth.docker.io:443
             dl-cdn.alpinelinux.org:443
             files.pythonhosted.org:443
@@ -350,7 +350,7 @@ jobs:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
-            api.github.com:443
+            *.github.com:443
             auth.docker.io:443
             github.com:443
             production.cloudflare.docker.com:443
@@ -421,16 +421,15 @@ jobs:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
+            *.github.com:443
+            *.githubusercontent.com:443
             655216687927.dkr.ecr.us-west-2.amazonaws.com:443
             api.ecr.us-west-2.amazonaws.com:443
             ecs.us-west-2.amazonaws.com:443
             email-smtp.us-west-2.amazonaws.com:465
             files.pythonhosted.org:443
             github.com:443
             pypi.org:443
-            raw.githubusercontent.com:443
-            api.github.com:443
-            objects.githubusercontent.com:443
 
       - name: Checkout source code
         uses: actions/checkout@v4

.github/workflows/deploy.yml

@@ -20,14 +20,13 @@ jobs:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
+            *.github.com:443
+            *.githubusercontent.com:443
             ecs.us-west-2.amazonaws.com:443
             files.pythonhosted.org:443
             github.com:443
             pypi.org:443
-            raw.githubusercontent.com:443
             sts.us-west-2.amazonaws.com:443
-            api.github.com:443
-            objects.githubusercontent.com:443
 
       - name: Check user
         if: ${{ ! contains('["wsanchez", "mikeburg", "plapsley"]', github.actor) }}
@@ -85,11 +84,12 @@ jobs:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
+            *.github.com:443
+            *.githubusercontent.com:443
             ecs.us-west-2.amazonaws.com:443
             files.pythonhosted.org:443
             github.com:443
             pypi.org:443
-            raw.githubusercontent.com:443
             sts.us-west-2.amazonaws.com:443
 
       - name: Check user