Whitelist Github Workflow

Hey,

I'm trying to write up a quick POC for a github workflow for a node modules project that would bump versions and push to our Artifactory cloud repo.

We have jfrog maintain a whitelist of the IPs able to hit our repos. In the past, we have always consulted https://api.github.com/meta for the github IPs to whitelist. JFrog has added these IPs to their whitelist yet the connection from the github workflow pushing to Artifactory cloud receives a forbidden HTTP status.

My question is, what is the appropriate list of IPs to whitelist to allow agents of github actions to hit our Artifactory cloud repo?

Thanks in advance!

2 Likes

I ran this in my github actions container

wget -qO- https://ipecho.net/plain ; echo

It returned 35.233.207.129.

This IP isn't in https://api.github.com/meta

$ curl https://api.github.com/meta
{
  "verifiable_password_authentication": true,
  "github_services_sha": "2f2313161ed4f940a57ae3f0936eb8e9695bb8a8",
  "hooks": [
    "192.30.252.0/22",
    "185.199.108.0/22",
    "140.82.112.0/20"
  ],
  "git": [
    "192.30.252.0/22",
    "185.199.108.0/22",
    "140.82.112.0/20",
    "13.229.188.59/32",
    "13.250.177.223/32",
    "18.194.104.89/32",
    "18.195.85.27/32",
    "35.159.8.160/32",
    "52.74.223.119/32"
  ],
  "pages": [
    "192.30.252.153/32",
    "192.30.252.154/32",
    "185.199.108.153/32",
    "185.199.109.153/32",
    "185.199.110.153/32",
    "185.199.111.153/32"
  ],
  "importer": [
    "54.87.5.173",
    "54.166.52.62",
    "23.20.92.3"
  ]
}
2 Likes
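
An added example, not part of the original posts: it checks whether a runner's observed egress IP falls inside any range published by https://api.github.com/meta, using the ranges quoted in the post above, and counts how many addresses an allowlist built from those ranges admits. The function names and the 140.82.113.4 sample address are constructed for illustration.

```python
import ipaddress
import json

# Ranges copied from the /meta output quoted in the post above.
META_JSON = """{
  "verifiable_password_authentication": true,
  "hooks": ["192.30.252.0/22", "185.199.108.0/22", "140.82.112.0/20"],
  "git": ["192.30.252.0/22", "185.199.108.0/22", "140.82.112.0/20",
          "13.229.188.59/32", "13.250.177.223/32", "18.194.104.89/32",
          "18.195.85.27/32", "35.159.8.160/32", "52.74.223.119/32"],
  "pages": ["192.30.252.153/32", "192.30.252.154/32", "185.199.108.153/32",
            "185.199.109.153/32", "185.199.110.153/32", "185.199.111.153/32"],
  "importer": ["54.87.5.173", "54.166.52.62", "23.20.92.3"]
}"""

def load_ranges(meta_text):
    """Map each service key to its networks; non-list fields are skipped."""
    ranges = {}
    for key, value in json.loads(meta_text).items():
        if not isinstance(value, list):
            continue  # scalar fields such as verifiable_password_authentication
        nets = []
        for entry in value:
            try:
                # Bare addresses (the "importer" entries) parse as /32 networks.
                nets.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                continue  # not an address or CIDR
        if nets:
            ranges[key] = nets
    return ranges

def covering_services(ip_text, ranges):
    """Return the sorted service keys whose published ranges contain ip_text."""
    ip = ipaddress.ip_address(ip_text)
    return sorted(k for k, nets in ranges.items() if any(ip in n for n in nets))

def allowlist_size(ranges):
    """Count distinct addresses admitted if every listed range is allowed."""
    total = 0
    for version in (4, 6):  # collapse_addresses cannot mix IP versions
        nets = [n for ns in ranges.values() for n in ns if n.version == version]
        total += sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return total

if __name__ == "__main__":
    ranges = load_ranges(META_JSON)
    print(covering_services("35.233.207.129", ranges))  # runner IP from the post
    print(covering_services("140.82.113.4", ranges))    # constructed in-range address
    print(allowlist_size(ranges))
```

An empty result for the runner's address means no allowlist built from these ranges can admit the workflow's traffic, which matches the forbidden status reported in the first post.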

Hi @delvison, I work on the Actions product and unfortunately we don’t support stable IP addresses for Actions today (so there isn’t a set of addresses I can give you to allow). I’ve noted your feedback and we’ll incorporate it into our future plans for Actions.

14 Likes

Hi there @mcolyer ,

First of all, I wanted to say the Github Actions are a good addition to the Github environment. I’m really appreciating the simple setup which is required to create images specifically.

I do have a question if stable IPs are going to be added anywhere in the near future. Ideally I would also deploy the images to an environment but that’s currently not possible because we can’t allow the whole web to have access to our cluster.

Any ideas how to tackle this / and will this be included in future versions?

Hi @mcolyer,

Actions are great, but for an internal repo I would need this as well. I am wondering if any progress was made / is it on the roadmap?

Thanks!

Yes, are there any updates about this yet?

11 Likes

It’s kind of important if using Actions to perform privileged operations against external systems e.g. provisioning infra to AWS with Terraform

Currently we have to whitelist all Azure Public Cloud IPs …

3 Likes

I know this thread is old. But for anybody coming from Google, here’s the documentation on this. https://help.github.com/en/github/automating-your-workflow-with-github-actions/virtual-environments-for-github-actions#ip-addresses-of-runners-on-github-hosted-machines

8 Likes

Hi @mcolyer, is there an understanding when this functionality will be implemented?

1 Like

You can download a list of IPs to whitelist from here: https://www.microsoft.com/en-us/download/details.aspx?id=56519

Hello!

What is the range to whitelist github actions please?

Thanks!

2 Likes

What about using a VPN? I also was not interested in whitelisting the entirety of Azure and I noticed this package https://github.com/marketplace/actions/connect-vpn

1 Like

Looks like this is a direct link:

https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20200210.json

Since this is a dated link, I suspect there is a better way to get the “latest” list of CIDRs, but this at least works better for scripting than the .aspx the previous responder provided.

Hello,

I’ve created an action that queries the runner’s public IP Address.

https://github.com/haythem/public-ip

Unfortunately “File or directory not found”

These are the IP addresses of GitHub-hosted runners.

Are there plans to narrow the range of available IPs to just a subset of “all of azure in these 5 regions”? This would help reduce security risks for those attempting to whitelist github hosted actions runners.

1 Like

Just adding support here - whitelisting such a huge block of AzureCloud IPs is a blocker for some of us!

2 Likes