Whitelist Github Workflow

delvison · December 10, 2018, 8:29pm

Hey,

Im trying to write up a quick POC for a github workflow for a node modules project that would bump versions and push to our Artifactory cloud repo.

We have jfrog maintain a whitelist of the ips able to hit our repos. In the past, we have always consulted https://api.github.com/meta for the github IPs to whitelist. JFrog has added these IPs to their whitelist yet the connection from the github workflow pushing to Artifactory cloud recieves a forbidden HTTP status.

My question is, what is the appropriate list of IPs to whitelist to allow agents of github actions to hit our Artifactory cloud repo?

Thanks in advance!

delvison · December 10, 2018, 8:35pm

I ran this in my github actions container

wget -qO- https://ipecho.net/plain ; echo

It returned 35.233.207.129.

This IP isnt in https://api.github.com/meta

$ curl https://api.github.com/meta {
  "verifiable_password_authentication": true,
  "github_services_sha": "2f2313161ed4f940a57ae3f0936eb8e9695bb8a8",
  "hooks": [
    "192.30.252.0/22",
    "185.199.108.0/22",
    "140.82.112.0/20"
  ],
  "git": [
    "192.30.252.0/22",
    "185.199.108.0/22",
    "140.82.112.0/20",
    "13.229.188.59/32",
    "13.250.177.223/32",
    "18.194.104.89/32",
    "18.195.85.27/32",
    "35.159.8.160/32",
    "52.74.223.119/32"
  ],
  "pages": [
    "192.30.252.153/32",
    "192.30.252.154/32",
    "185.199.108.153/32",
    "185.199.109.153/32",
    "185.199.110.153/32",
    "185.199.111.153/32"
  ],
  "importer": [
    "54.87.5.173",
    "54.166.52.62",
    "23.20.92.3"
  ]
}

mcolyer · December 10, 2018, 10:13pm

Hi @delvison, I work on the Actions product and unfortunately we don’t support stable IP addresses for Actions today (so there isn’t a set of addresses I can give you to allow). I’ve noted your feedback and we’ll incorporate it into our future plans for Actions.

zwennesm · March 15, 2019, 10:50am

Hi there @mcolyer ,

First off all, I wanted to say the Github Actions are a good addition to the Github environment. I’m really appreciating the simple setup which is required to create images specifically.

I do have a question if stable IP’s are going to be added anywhere in the near future. Ideally i would also deploy the images to an environment but that’s currently not possible because we can’t allow the whole web to have access to our cluster.

Any ideas how to tackle this / and will this be included in future versions?

heroprotagonist · June 18, 2019, 7:42pm

Hi @mcolyer,

Actions are great, but for an internal repo I would need this as well. I am wondering if any progress was made / is it on the roadmap?

Thanks!

deluzedev · July 30, 2019, 8:41am

Yes, are there any updates about this yet?

rdkls · October 17, 2019, 12:16am

It’s kind of important if using Actions to perform privileged operations against external systems e.g. provisioning infra to AWS with Terraform

Currently we have to whitelist all Azure Public Cloud IPs …

addnab · October 26, 2019, 2:48am

I know this thread is old. But for anybody coming from Google, here’s the documentation on this. https://help.github.com/en/github/automating-your-workflow-with-github-actions/virtual-environments-for-github-actions#ip-addresses-of-runners-on-github-hosted-machines

arslanbekov · January 21, 2020, 4:51pm

Hi @mcolyer, is there an understanding when this functionality will be implemented?

richienb · February 12, 2020, 3:59am

You can download a list of IPs to whitelist from here: https://www.microsoft.com/en-us/download/details.aspx?id=56519

blurp1478963 · February 12, 2020, 12:59pm

Hello!

What is the range to whitelist github actions please?

Thanks!

ckovey · February 16, 2020, 2:54pm

What about using a VPN? I also was not interested in whitelisting the entirety of Azure and I noticed this package https://github.com/marketplace/actions/connect-vpn

digitizdat · February 21, 2020, 6:36pm

Looks like this is a direct link:

https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20200210.json

Since this is a dated link, I suspect there is a better way to get the “latest” list of CIDRs, but this at least works better for scripting than the .aspx the previous responder provided.

haythem · March 29, 2020, 7:34pm

Hello,

I’ve created an action that queries the runner’s public IP Address.

https://github.com/haythem/public-ip

danieldebreczeninote · April 24, 2020, 8:13am

Unfortunatelly “File or directory not found”

dandv · April 30, 2020, 9:56am

These are the IP addresses of GitHub-hosted runners.

GoldFlsh · July 20, 2020, 8:29pm

Is there plans to narrow the range of available IPs to just a subset of “all of azure in these 5 regions” ? This would help reduce security risks for those attempting to whitelist github hosted actions runners.

jeffrey-kinesso · July 29, 2020, 1:55am

Just adding support here - whitelisting such a huge block AzureCloud IPs is a blocker for some of us!

tyrann0us · October 6, 2020, 6:35am

We can only agree with what has been said. We want to use GitHub Actions as a standalone CI/CD tool to deploy websites. However, many hosts restrict access to their servers via an IP allow list and refuse to allow all IP ranges from Azure due to (legitimate) security concerns.

It would be really great if GitHub Actions were limited to a manageable number of static IP addresses.

Thanks!

averypmc · April 28, 2021, 2:51am

Bump. Being able to rely on a whitelist that isn’t 100+ records long and dynamically updating would be really nice.

Use case is deploying to a server via SSH/SCP.