[task] Audit workflows blocking Docker registry access #3634

@github-actions

Objective

Identify all workflows with firewall enabled that are blocking docker.io and need container registry access.

Context

The Daily Firewall Report (Discussion #3607) shows that docker.io is being blocked 7 times across firewall-enabled workflows. This domain is essential for pulling Docker images and should be allowlisted for workflows that need container operations.

Related to #3607

Approach

  1. Review all workflows with network.firewall: true in their frontmatter
  2. Check firewall logs to identify which workflows are blocking docker.io
  3. Determine which workflows legitimately need Docker registry access (e.g., workflows that use containerized tools, MCP servers running in Docker, or reference container operations)
  4. Create a list of workflow files that need the containers ecosystem identifier added

Files to Review

  • .github/workflows/mcp-inspector.md (identified in report as blocking docker.io)
  • .github/workflows/firewall.md
  • .github/workflows/dev.firewall.md
  • All other workflows with firewall: true

Acceptance Criteria

  • List of workflows that block docker.io identified
  • Each workflow assessed for legitimate Docker registry needs
  • Documentation of which workflows need containers ecosystem identifier
  • Results documented (comment on this issue or create a discussion)

Expected Output

A comment or discussion with:

## Workflows Needing Container Registry Access

1. `workflow-name.md` - Reason: [uses Docker/containerized MCP servers]
2. `another-workflow.md` - Reason: [description]

## Workflows That Don't Need Docker Access

1. `workflow-name.md` - Reason: [no container usage]

AI generated by Plan Command for discussion #3607
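
A sketch of steps 1, 3 and 4 of the approach above, added here as an example and not taken from the repository: it classifies workflow files by firewall state and container references and renders the summary in the requested format. The frontmatter shape (a `firewall: true` key, an allowlist entry `- containers`), the file names and the sample contents are assumptions constructed for illustration.

```python
import re

# Assumed frontmatter shape: a `firewall: true` key and an allowlist with `- containers`.
FRONTMATTER = re.compile(r"\A---\n(.*?)\n---\n", re.S)
FIREWALL_ON = re.compile(r"^\s*firewall:\s*true\s*$", re.M)
CONTAINERS_ALLOWED = re.compile(r"^\s*-\s*containers\s*$", re.M)
# Heuristic signs of registry use; a match still needs human review.
DOCKER_HINT = re.compile(r"\bdocker\b|^\s*(?:container|image):", re.M | re.I)

# Constructed sample workflows, not files from the repository.
SAMPLES = {
    "mcp-tool.md": "---\nnetwork:\n  firewall: true\n  allowed:\n    - defaults\n"
                   "mcp-servers:\n  tool:\n    container: example/tool\n---\nInspect servers.\n",
    "triage.md": "---\nnetwork:\n  firewall: true\n---\nLabel new issues.\n",
    "builder.md": "---\nnetwork:\n  firewall: true\n  allowed:\n    - containers\n---\n"
                  "Run docker build.\n",
    "notes.md": "---\non: push\n---\nSummarize commits.\n",
}

def audit(text):
    """Classify one workflow file by firewall state and container needs."""
    match = FRONTMATTER.match(text)
    front = match.group(1) if match else ""
    if not FIREWALL_ON.search(front):
        return "firewall-off"            # out of scope for this audit
    if CONTAINERS_ALLOWED.search(front):
        return "already-allowlisted"
    if DOCKER_HINT.search(text):
        return "needs-containers"        # blocked today, likely legitimate
    return "no-docker-needed"

def render(files):
    """Build the two-section Markdown summary the issue asks for."""
    need = [n for n in sorted(files) if audit(files[n]) == "needs-containers"]
    skip = [n for n in sorted(files) if audit(files[n]) == "no-docker-needed"]
    lines = ["## Workflows Needing Container Registry Access", ""]
    lines += [f"{i}. `{n}` - Reason: [container reference found]" for i, n in enumerate(need, 1)]
    lines += ["", "## Workflows That Don't Need Docker Access", ""]
    lines += [f"{i}. `{n}` - Reason: [no container usage]" for i, n in enumerate(skip, 1)]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(SAMPLES))
```

A keyword match only nominates a workflow for the list; whether the registry access is legitimate is still decided by cross-checking against the firewall logs, as step 2 describes.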
