Using GitHub Actions with an IP allow list

We’ve recently migrated to GitHub Enterprise Cloud so that we can begin to leverage the IP allow list.

It says in the documentation that we must use self-hosted runners now.

I’ve set up a test org that enforces an IP allow list and have been able to successfully run a workflow using GitHub-hosted runners.

Is the above documentation still up-to-date? If it is true, could anyone further elaborate on which features of Actions won’t be available once we enforce an IP allow list on our primary organization?

1 Like

I was able to confirm that the IP allow list does in fact disallow GitHub-hosted runners from executing properly.

When attempting to run the checkout action, my workflow failed with a 403.

1 Like

You might be able to add the IP range for the hosted runners and it might work, but the problem is that IP range could change constantly.

2 Likes

Yeah, that’s my current plan.

@braedongough,
GitHub serves applications from multiple IP address ranges, which are available using the meta API endpoint.

It looks like a pretty ugly and vast range of possible GitHub IP addresses related to GitHub-hosted runners, and all IP address ranges are subject to change.
Be aware they are shared, so anyone could use an Actions IP address as an attack vector if those IP ranges are added to your allow list; it would seem to reduce the control effectiveness of the IP allow list restriction you have configured. You may also hit problems with the granularity and number of IP address ranges to add, and the number of entries permitted in the IP allow list configuration.

2 Likes
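To make the points in the reply above concrete (how many entries the Actions ranges would consume, whether a given address is covered by a shared range, and how to notice when the published ranges change), here is an added Python example that is not from any poster in this thread. It parses a document in the shape of the `GET https://api.github.com/meta` response; the embedded sample uses constructed documentation ranges (192.0.2.0/24 and friends), not real GitHub ranges, so it runs offline. The `fetch_meta` helper is only there to show how the live document would be retrieved.

```python
import ipaddress
import json
import urllib.request

# Constructed sample in the shape of the /meta response. These are RFC 5737 /
# RFC 3849 documentation ranges, NOT GitHub's real ranges.
SAMPLE_META_OLD = json.dumps({
    "actions": ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:1::/48"],
    "hooks": ["203.0.113.0/24"],
})

# A second constructed snapshot, as if fetched later, to show range churn.
SAMPLE_META_NEW = json.dumps({
    "actions": ["192.0.2.0/24", "198.51.100.128/25", "2001:db8:1::/48"],
    "hooks": ["203.0.113.0/24"],
})


def fetch_meta(url="https://api.github.com/meta"):
    """Retrieve the live meta document. Needs network; unused by the offline demo."""
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def actions_ranges(meta):
    """Parse the 'actions' CIDR list into ip_network objects, skipping malformed entries."""
    nets = []
    for cidr in meta.get("actions", []):
        try:
            nets.append(ipaddress.ip_network(cidr, strict=False))
        except ValueError:
            # A bad entry should not abort the whole audit; just leave it out.
            continue
    return nets


def covered_by(ip, nets):
    """Return the CIDRs in nets that contain ip (empty list if none)."""
    addr = ipaddress.ip_address(ip)
    return [str(n) for n in nets if addr.version == n.version and addr in n]


def audit(meta_json, candidate_ips):
    """Summarise what allow-listing the Actions ranges would mean.

    entry_count      - allow list entries the ranges would consume
    ipv4_addresses   - how many IPv4 addresses those entries admit
    coverage         - for each candidate IP, which Actions CIDRs contain it
    """
    meta = json.loads(meta_json)
    nets = actions_ranges(meta)
    return {
        "entry_count": len(nets),
        "ipv4_addresses": sum(n.num_addresses for n in nets if n.version == 4),
        "coverage": {ip: covered_by(ip, nets) for ip in candidate_ips},
    }


def diff_ranges(old_json, new_json):
    """Compare two snapshots of the meta document and report added/removed Actions CIDRs.

    Run this periodically and alert on a non-empty result: a stale allow list is
    how hosted-runner jobs start failing with 403s after a range change.
    """
    old = {str(n) for n in actions_ranges(json.loads(old_json))}
    new = {str(n) for n in actions_ranges(json.loads(new_json))}
    return {"added": sorted(new - old), "removed": sorted(old - new)}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_META_OLD, ["192.0.2.10", "203.0.113.5"]), indent=2))
    print(json.dumps(diff_ranges(SAMPLE_META_OLD, SAMPLE_META_NEW), indent=2))
```

The `coverage` output is the part worth reading twice: any address that lands in an Actions CIDR is admitted by the allow list, and because hosted runners are shared infrastructure, that includes runners executing other organizations' workflows. The `diff_ranges` check is the operational counterpart to the "subject to change" warning.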