Fixed IP address for workflow

Hi, we have our Kubernetes clusters secured by whitelisting IP addresses. For that reason we've set up a VPN server through which we can connect. The VPN server is capable of connecting via WireGuard or IPsec.

My first attempt was to set up a workflow which installs and configures a WireGuard client. The client seemed to start fine, but the public IP was still that of some datacenter where the runner is hosted.
Does anyone have experience with setting up a VPN client on hosted GitHub runners? This would be our preferred solution.

There is a public action for OpenVPN: Connect-VPN (GitHub Marketplace).
Is there something similar for WireGuard?

During my research I came across self-hosted runners, and as I understand it they can be used with the free plan. We have the option to run a VM in a datacenter, which would be more effort/maintenance. But would that be a possible option? The repo with the workflow is private.

I guess that means you're looking for a fixed IP address to allow? Fixed IPs are not something the workflow configuration supports. However, you can retrieve the IP ranges used by GitHub, sorted by purpose, over the API: see "About GitHub's IP addresses" in the GitHub Docs. So you could allow access for Actions runners rather than a specific host.
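
The allowlist approach from the reply above, as an added example that is not code from the thread's participants: it takes a response shaped like GitHub's meta API (`GET https://api.github.com/meta`, `actions` key), merges the published CIDRs, and reports what a firewall allowlist needs added or removed. The sample response and the current allowlist are constructed, using documentation address ranges rather than real GitHub ranges; the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample in the shape of the meta API response.
# The CIDRs are documentation ranges, not real GitHub ranges.
SAMPLE_META = json.loads("""
{
  "hooks":   ["192.0.2.0/28"],
  "actions": ["198.51.100.0/25", "198.51.100.128/25",
              "203.0.113.16/28", "203.0.113.16/29",
              "2001:db8:1::/48"]
}
""")


def actions_networks(meta):
    """Return the Actions runner networks, merged and de-duplicated."""
    nets = [ipaddress.ip_network(c, strict=False) for c in meta.get("actions", [])]
    # collapse_addresses() rejects mixed address families, so split first.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def diff_allowlist(current_cidrs, meta):
    """Return (to_add, to_remove) so the allowlist matches the published ranges."""
    wanted = set(actions_networks(meta))
    have = {ipaddress.ip_network(c, strict=False) for c in current_cidrs}
    return sorted(map(str, wanted - have)), sorted(map(str, have - wanted))


def is_actions_source(ip, meta):
    """True if a source address from an access log falls in an Actions range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in actions_networks(meta)
               if n.version == addr.version)


if __name__ == "__main__":
    # Constructed current state of the cluster's IP allowlist.
    current = ["198.51.100.0/24", "192.0.2.64/26"]
    to_add, to_remove = diff_allowlist(current, SAMPLE_META)
    print("add:", to_add)
    print("remove:", to_remove)
```

The published Actions ranges are shared by all GitHub-hosted runners, not only those of one account, so an allowlist built this way restricts the source network without identifying a particular workflow. The ranges also change over time, so the diff is meant to be re-run on a schedule.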