Corporate networks frequently block direct egress to public package registries — npm, PyPI, Maven Central, Docker Hub — and require everything to go through an internal proxy that itself has rate limits, cache misses, and outages. CI pipelines stall. Builds that took two minutes now take fifteen.
The targeted fix is to route just the registry hostnames through QPOL and let internal services talk over the corp network normally. CI runners get QPOL CLI as part of the runner image. A short shell snippet in the prepare step adds the tunnel rule for registry domains; the rest of the pipeline (pulling code from internal Git, talking to internal artifact stores, publishing test reports to internal dashboards) is unaffected.
Caching matters: a tunnel is fast, but not free. If your CI runs hundreds of jobs an hour and each pulls fresh from Docker Hub, the cumulative cost is real. Pair the tunnel with a local registry cache — Harbor, Artifactory, or even a thin pull-through cache — and have the cache itself fetch through QPOL. Now only cache misses traverse the tunnel.
A common gotcha is GitHub Actions' default network behaviour. The runner often resolves DNS through the corp resolver, which may return blocked-IP responses for github.com or registry-1.docker.io. Force public DNS for those names (a hosts entry or an explicit dnsmasq override) before the tunnel can do anything useful.
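A quick way to catch that gotcha in the prepare step is to compare what the corp resolver returns for each registry name against a public resolver and emit the overrides only where the corp answer is empty or lands in the resolver's sinkhole range. The script below is an added example, not QPOL's or GitHub's code; the sinkhole range, the public resolver address and the lookup answers are constructed placeholders (RFC 5737 addresses), and the QPOL rule itself is left to the CLI.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Constructed inputs: registry names the pipeline tunnels, and the range the
# corp resolver answers with for blocked names (assumption: check your own).
REGISTRY_HOSTS = ["registry.npmjs.org", "pypi.org", "registry-1.docker.io", "github.com"]
SINKHOLE_NETS = [ipaddress.ip_network("10.255.255.0/24")]
PUBLIC_RESOLVER = "1.1.1.1"  # assumption: whichever public resolver policy allows

Resolver = Callable[[str], List[str]]  # hostname -> list of A records as strings

def system_lookup(name: str) -> List[str]:
    """Real lookup through the runner's configured (corp) resolver."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def is_sinkholed(addrs: List[str]) -> bool:
    """True when the corp answer is empty or consists only of sinkhole IPs."""
    if not addrs:
        return True
    return all(any(ipaddress.ip_address(a) in n for n in SINKHOLE_NETS) for a in addrs)

def plan_overrides(hosts: List[str], corp: Resolver, public: Resolver) -> Dict[str, List[str]]:
    """Build dnsmasq 'server=' lines and /etc/hosts lines for sinkholed names.
    Differing but public answers are left alone: CDN-backed registries hand
    out different addresses per resolver, and that is not a block."""
    plan: Dict[str, List[str]] = {"dnsmasq": [], "hosts": [], "unresolved": [], "ok": []}
    for name in hosts:
        if not is_sinkholed(corp(name)):
            plan["ok"].append(name)
            continue
        pub_addrs = public(name)
        if not pub_addrs:  # public resolver unreachable too: nothing to override with
            plan["unresolved"].append(name)
            continue
        plan["dnsmasq"].append(f"server=/{name}/{PUBLIC_RESOLVER}")
        plan["hosts"].extend(f"{ip} {name}" for ip in pub_addrs)
    return plan

# Constructed answers standing in for live lookups (not real registry IPs).
CORP_ANSWERS = {"registry.npmjs.org": ["203.0.113.10"], "pypi.org": [],
                "registry-1.docker.io": ["10.255.255.1"], "github.com": ["10.255.255.1"]}
PUBLIC_ANSWERS = {"registry.npmjs.org": ["203.0.113.11"], "pypi.org": ["203.0.113.20"],
                  "registry-1.docker.io": ["203.0.113.30", "203.0.113.31"],
                  "github.com": ["203.0.113.40"]}

def demo() -> Dict[str, List[str]]:
    return plan_overrides(REGISTRY_HOSTS, lambda n: CORP_ANSWERS.get(n, []),
                          lambda n: PUBLIC_ANSWERS.get(n, []))

if __name__ == "__main__":
    print("\n".join(demo()["dnsmasq"]))
```

Write the `dnsmasq` lines to a drop-in under `/etc/dnsmasq.d/` (or the `hosts` lines to `/etc/hosts`) before adding the QPOL tunnel rule, and treat anything in `unresolved` as a hard failure of the prepare step.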
Self-hosted runners benefit from a dedicated outbound IP. With Personal server the egress is stable, which means you can whitelist that IP at the registry side if you ever need to (some Enterprise plans support IP-based access).