Comment by denysvitali

TL;DR: Chrome introduced a new feature that in certain scenarios blocks "private network" access which in turn break CORS unless you grant the "Local network access" permission (!!!) on the website.

In this particular case, GH Actions didn't show the logs because those are stored on Azure Blob storage - which was routed via the VPN in our setup, and since the IP is considered "private network" by Chrome it gets blocked unless the user gives an explicit additional. Safari and Firefox were fine.

https://developer.chrome.com/blog/local-network-access