Skip to content

fix: resolve CI failures for egress policies and Python 3.7 buildpack support #388

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Jul 22, 2025

Conversation

taeold
Copy link
Contributor

@taeold taeold commented Jul 22, 2025

Summary

Fixes CI/CD failures across multiple workflows due to egress policy blocking and buildpack version support issues.

Problems Fixed

1. ECONNREFUSED Errors in Multiple Workflows

The following workflows were failing with connection refused errors when downloading Python:

  • Python Conformance CI - All Python versions (3.7-3.12)
  • Python Unit CI - Python 3.7 and 3.8
  • Python Conformance CI (asgi) - Python 3.8

Error:

Download from "https://github.com/actions/python-versions/releases/download/..."
connect ECONNREFUSED 54.185.253.63:443

Root Cause: The harden-runner egress policies were blocking connections to GitHub's release assets CDN.

Solution: Added release-assets.githubusercontent.com:443 to the allowed endpoints in:

  • .github/workflows/conformance.yml
  • .github/workflows/unit.yml
  • .github/workflows/conformance-asgi.yml

2. Buildpack Integration Test - Python 3.7 Failure

The buildpack test was failing with:

invalid Python version specified: failed to resolve version matching: 3.7.
You may need to use a different builder.

Root Cause: Google Cloud Buildpacks dropped Python 3.7 support for Ubuntu 22.04. The version is not available in https://dl.google.com/runtimes/ubuntu2204/python/version.json

Solution: Removed Python 3.7 from buildpack integration tests. Note that Functions Framework still supports Python 3.7, which continues to be tested in unit and conformance tests.

Test Plan

  • Conformance workflow should pass for all Python versions (3.7-3.12)
  • Unit tests should pass for all Python versions across all platforms
  • Conformance ASGI workflow should pass for Python 3.8-3.12
  • Buildpack integration tests should pass for Python 3.8-3.11

taeold added 4 commits July 22, 2025 09:47
The conformance workflow was failing with ECONNREFUSED errors when trying
to download Python binaries from GitHub releases. This was caused by the
harden-runner egress policy blocking connections to the GitHub Actions
CDN IP addresses.

Added *.actions.githubusercontent.com:443 to the allowed endpoints to
fix Python setup for all versions (3.7, 3.8, etc).
Google Cloud Buildpacks dropped Python 3.7 support for Ubuntu 22.04.
The version is not available in their runtime manifest.

Note: Functions Framework still supports Python 3.7, which is tested
in unit and conformance tests using GitHub Actions with Ubuntu 20.04.
The Python binaries are actually hosted on release-assets.githubusercontent.com,
not *.actions.githubusercontent.com
The same ECONNREFUSED issue was affecting multiple workflows with
harden-runner egress policies
@taeold taeold changed the title fix: add GitHub Actions CDN to egress allowlist fix: resolve CI failures for egress policies and Python 3.7 buildpack support Jul 22, 2025
@taeold taeold merged commit 2de6eec into GoogleCloudPlatform:main Jul 22, 2025
51 checks passed
@taeold taeold deleted the fix-github-actions-egress branch July 22, 2025 18:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants