Adding a Cleanup Step to a Reusable Action?

In our main deployment action, we currently have 3 steps in a job that happen at different times:

When we're setting up dependencies and checkout, we also do the following:

  • Login to Azure
  • Get the current runner IP
  • Push the IP to Azure Storage firewall rules

When the job is finished there is a step to remove the firewall rule - this is an always() step.

I’d like to try and make the whole task re-usable - the first part is easy enough to do, but the last part I want to run always but only at the end of the job, once a deploy has been done in the parent workflow (or the job has failed).

Is this possible?

name: Azure Storage Firewall Rules

on:
  workflow_call:
    inputs:
      account_name:
        required: true
        type: string
      environment:
        required: true
        type: string
    # `secrets: inherit` is set by the caller on the job that uses this workflow, not here

jobs:
  add_ip:
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    # The steps context is per-job, so expose the IP as a job output
    outputs:
      ipv4: ${{ steps.ip.outputs.ipv4 }}
    steps:
      - name: Get Runner IP
        id: ip
        uses: haythem/public-ip@v1.2
      - name: 'Add Runner IP to Firewall'
        id: ip_firewall
        run: |
          az storage account network-rule add \
            --account-name ${{ inputs.account_name }} \
            --action Allow \
            --ip-address "${{ steps.ip.outputs.ipv4 }}"

  remove_ip:
    runs-on: ubuntu-latest
    needs: add_ip
    environment: ${{ inputs.environment }}
    # Always run if the ip was added to firewall
    if: always() && needs.add_ip.result == 'success'
    steps:
      - name: 'Remove Runner IP From Firewall'
        run: |
          az storage account network-rule remove \
            --account-name ${{ inputs.account_name }} \
            --ip-address "${{ needs.add_ip.outputs.ipv4 }}"