Whitelist Github Workflow

delvison · May 23, 2020, 5:37am

Hey,

Im trying to write up a quick POC for a github workflow for a node modules project that would bump versions and push to our Artifactory cloud repo.

We have jfrog maintain a whitelist of the ips able to hit our repos. In the past, we have always consulted https://api.github.com/meta for the github IPs to whitelist. JFrog has added these IPs to their whitelist yet the connection from the github workflow pushing to Artifactory cloud recieves a forbidden HTTP status.

My question is, what is the appropriate list of IPs to whitelist to allow agents of github actions to hit our Artifactory cloud repo?

Thanks in advance!

delvison · May 23, 2020, 6:08am

I ran this in my github actions container

wget -qO- https://ipecho.net/plain ; echo

It returned 35.233.207.129.

This IP isnt in https://api.github.com/meta

$ curl https://api.github.com/meta {
  "verifiable_password_authentication": true,
  "github_services_sha": "2f2313161ed4f940a57ae3f0936eb8e9695bb8a8",
  "hooks": [
    "192.30.252.0/22",
    "185.199.108.0/22",
    "140.82.112.0/20"
  ],
  "git": [
    "192.30.252.0/22",
    "185.199.108.0/22",
    "140.82.112.0/20",
    "13.229.188.59/32",
    "13.250.177.223/32",
    "18.194.104.89/32",
    "18.195.85.27/32",
    "35.159.8.160/32",
    "52.74.223.119/32"
  ],
  "pages": [
    "192.30.252.153/32",
    "192.30.252.154/32",
    "185.199.108.153/32",
    "185.199.109.153/32",
    "185.199.110.153/32",
    "185.199.111.153/32"
  ],
  "importer": [
    "54.87.5.173",
    "54.166.52.62",
    "23.20.92.3"
  ]
}

mcolyer · May 23, 2020, 6:08am

Hi @delvison, I work on the Actions product and unfortunately we don’t support stable IP addresses for Actions today (so there isn’t a set of addresses I can give you to allow). I’ve noted your feedback and we’ll incorporate it into our future plans for Actions.

zwennesm · May 23, 2020, 6:08am

Hi there @mcolyer ,

First off all, I wanted to say the Github Actions are a good addition to the Github environment. I’m really appreciating the simple setup which is required to create images specifically.

I do have a question if stable IP’s are going to be added anywhere in the near future. Ideally i would also deploy the images to an environment but that’s currently not possible because we can’t allow the whole web to have access to our cluster.

Any ideas how to tackle this / and will this be included in future versions?

heroprotagonist · May 23, 2020, 6:08am

Hi @mcolyer,

Actions are great, but for an internal repo I would need this as well. I am wondering if any progress was made / is it on the roadmap?

Thanks!

deluzedev · May 23, 2020, 6:08am

Yes, are there any updates about this yet?

rdkls · May 23, 2020, 6:08am

It’s kind of important if using Actions to perform privileged operations against external systems e.g. provisioning infra to AWS with Terraform

Currently we have to whitelist all Azure Public Cloud IPs …

addnab · May 23, 2020, 6:08am

I know this thread is old. But for anybody coming from Google, here’s the documentation on this. https://help.github.com/en/github/automating-your-workflow-with-github-actions/virtual-environments-for-github-actions#ip-addresses-of-runners-on-github-hosted-machines

arslanbekov · May 23, 2020, 6:08am

Hi @mcolyer, is there an understanding when this functionality will be implemented?

richienb · May 23, 2020, 6:08am

You can download a list of IPs to whitelist from here: https://www.microsoft.com/en-us/download/details.aspx?id=56519

blurp1478963 · May 23, 2020, 6:08am

Hello!

What is the range to whitelist github actions please?

Thanks!

ckovey · May 23, 2020, 6:08am

What about using a VPN? I also was not interested in whitelisting the entirety of Azure and I noticed this package https://github.com/marketplace/actions/connect-vpn

digitizdat · May 23, 2020, 6:08am

Looks like this is a direct link:

https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20200210.json

Since this is a dated link, I suspect there is a better way to get the “latest” list of CIDRs, but this at least works better for scripting than the .aspx the previous responder provided.

haythem · May 23, 2020, 6:08am

Hello,

I’ve created an action that queries the runner’s public IP Address.

https://github.com/haythem/public-ip

danieldebreczeninote · May 23, 2020, 6:08am

Unfortunatelly “File or directory not found”

dandv · May 23, 2020, 6:08am

These are the IP addresses of GitHub-hosted runners.

GoldFlsh · July 20, 2020, 8:29pm

Is there plans to narrow the range of available IPs to just a subset of “all of azure in these 5 regions” ? This would help reduce security risks for those attempting to whitelist github hosted actions runners.

jeffrey-kinesso · July 29, 2020, 1:55am

Just adding support here - whitelisting such a huge block AzureCloud IPs is a blocker for some of us!

tyrann0us · October 6, 2020, 6:35am

We can only agree with what has been said. We want to use GitHub Actions as a standalone CI/CD tool to deploy websites. However, many hosts restrict access to their servers via an IP allow list and refuse to allow all IP ranges from Azure due to (legitimate) security concerns.

It would be really great if GitHub Actions were limited to a manageable number of static IP addresses.

Thanks!