[plan] Add package registry and CDN allowlists to firewall configuration

[github-actions]

Objective

Add commonly-used package registries and CDNs to the firewall allowlist to reduce legitimate request denials while maintaining security.

Context

The Firewall Report (referenced in discussion #7407) shows frequent blocks of CDN and registry domains. Workflows legitimately need access to npm, PyPI, Docker Hub, and common CDNs for package installation and dependency resolution.

Approach

1. Review firewall denial logs to identify legitimate package registry and CDN domains
2. Create a standard allowlist for common registries:
   • registry.npmjs.org (npm)
   • pypi.org, files.pythonhosted.org (PyPI)
   • registry.hub.docker.com (Docker Hub)
   • Common CDNs used by these services
3. Document the allowlist in workflow configuration documentation
4. Recommend workflows include these in their network.allowed configuration
5. Consider creating a reusable network config snippet

Files to Create/Modify

• Documentation file explaining standard network allowlists
• Example workflow showing proper network configuration
• Possibly: Shared YAML anchor or template for common network configs

Example Configuration

network:
  allowed:
    - "registry.npmjs.org"
    - "pypi.org"
    - "files.pythonhosted.org"
    - "registry.hub.docker.com"

Acceptance Criteria

• Standard allowlist documented
• Example configurations provided
• Workflows updated to use allowlists where needed
• Firewall denial rate decreases for legitimate registry access
• No security regressions (overly broad allowlists)

Expected Impact

• Reduces firewall denial rate for legitimate operations
• Standardizes network configuration across workflows
• Enables proper dependency installation
• Maintains security posture
  Related to [plan] Address DeepReport Intelligence Briefing findings (Dec 23, 2025) #7410

AI generated by Plan Command for discussion #7407

[pelikhan]

See existing sets python, node, go ,...