-
Hey, I'm trying to write up a quick POC for a GitHub workflow for a node modules project that would bump versions and push to our Artifactory cloud repo. We have JFrog maintain a whitelist of the IPs able to hit our repos. In the past, we have always consulted https://api.github.com/meta for the GitHub IPs to whitelist. JFrog has added these IPs to their whitelist, yet the connection from the GitHub workflow pushing to Artifactory cloud receives a forbidden HTTP status. My question is, what is the appropriate list of IPs to whitelist to allow agents of GitHub Actions to hit our Artifactory cloud repo? Thanks in advance!
Replies: 28 comments 1 reply
-
I ran this in my github actions container
It returned 35.233.207.129. This IP isn't in https://api.github.com/meta
-
Hi @delvison, I work on the Actions product and unfortunately we don’t support stable IP addresses for Actions today (so there isn’t a set of addresses I can give you to allow). I’ve noted your feedback and we’ll incorporate it into our future plans for Actions.
-
Hi there @mcolyer, first of all, I wanted to say that GitHub Actions are a good addition to the GitHub environment. I’m really appreciating the simple setup which is required to create images specifically. I do have a question: are stable IPs going to be added anywhere in the near future? Ideally I would also deploy the images to an environment, but that’s currently not possible because we can’t allow the whole web to have access to our cluster. Any ideas how to tackle this, and will this be included in future versions?
-
Hi @mcolyer, Actions are great, but for an internal repo I would need this as well. I am wondering if any progress was made / is it on the roadmap? Thanks!
-
It’s kind of important if using Actions to perform privileged operations against external systems, e.g. provisioning infra to AWS with Terraform. Currently we have to whitelist all Azure Public Cloud IPs …
-
I know this thread is old. But for anybody coming from Google, here’s the documentation on this. https://help.github.com/en/github/automating-your-workflow-with-github-actions/virtual-environments-for-github-actions#ip-addresses-of-runners-on-github-hosted-machines
-
Hi @mcolyer, is there an understanding when this functionality will be implemented?
-
You can download a list of IPs to whitelist from here: https://www.microsoft.com/en-us/download/details.aspx?id=56519
-
Hello! What is the range to whitelist github actions please? Thanks!
-
What about using a VPN? I also was not interested in whitelisting the entirety of Azure and I noticed this package https://github.com/marketplace/actions/connect-vpn
-
Looks like this is a direct link:
Since this is a dated link, I suspect there is a better way to get the “latest” list of CIDRs, but this at least works better for scripting than the .aspx the previous responder provided.
-
Hello, I’ve created an action that queries the runner’s public IP Address.
-
Unfortunately “File or directory not found”
-
These are the IP addresses of GitHub-hosted runners.
-
Are there plans to narrow the range of available IPs to just a subset of “all of azure in these 5 regions”? This would help reduce security risks for those attempting to whitelist github hosted actions runners.
-
Just adding support here - whitelisting such a huge block of AzureCloud IPs is a blocker for some of us!
-
We can only agree with what has been said. We want to use GitHub Actions as a standalone CI/CD tool to deploy websites. However, many hosts restrict access to their servers via an IP allow list and refuse to allow all IP ranges from Azure due to (legitimate) security concerns. It would be really great if GitHub Actions were limited to a manageable number of static IP addresses. Thanks!
-
Bump. Being able to rely on a whitelist that isn’t 100+ records long and dynamically updating would be really nice. Use case is deploying to a server via SSH/SCP.
-
I agree with the last comments. So I would like to know if something has changed about this subject since the last GitHub updates?
-
Watching. Use case is running database migration script before deploying to Azure in a GitHub action workflow. Difficult to whitelist all possible IPs.
-
The ability to limit outgoing IP addresses to a specific CIDR block for a set of GitHub Actions is a must-have for any enterprise use of GitHub Actions where compliance with security policies is required or advisable. Safe-listing all of Windows Azure is an unacceptable security risk.
-
As an interim solution I dynamically add and remove the IP from the server whitelist (this assumes there's an API which allows for this, e.g. AWS).
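One way to structure the add-then-remove approach described in the comment above, as an added example that is not part of the original post or the commenter's code. It assumes an EC2 security group and a boto3-style client; the names `ingress_rule`, `temporary_allow` and `RecordingEC2`, the group id and the address are hypothetical placeholders, and the client here is a constructed stand-in so the block runs offline.

```python
import ipaddress
from contextlib import contextmanager


def ingress_rule(ip, port):
    """Build an IpPermissions entry for exactly one host address."""
    host = ipaddress.ip_address(ip)  # raises ValueError for CIDRs such as 0.0.0.0/0
    if host.version == 4:
        ranges = {"IpRanges": [{"CidrIp": f"{host}/32"}]}
    else:
        ranges = {"Ipv6Ranges": [{"CidrIpv6": f"{host}/128"}]}
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port, **ranges}]


@contextmanager
def temporary_allow(ec2, group_id, ip, port=22):
    """Open the port to one address for the duration of the with-block only."""
    perms = ingress_rule(ip, port)
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=perms)
    try:
        yield perms
    finally:
        # Runs on success and on exceptions, so a failed deploy does not leave the rule behind.
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=perms)


class RecordingEC2:
    """Constructed stand-in for boto3.client("ec2"): records calls, contacts nothing."""

    def __init__(self):
        self.calls = []

    def authorize_security_group_ingress(self, **kwargs):
        self.calls.append(("authorize", kwargs))

    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(("revoke", kwargs))


def demo():
    """Simulate a deploy step that fails while the rule is open."""
    ec2 = RecordingEC2()
    try:
        with temporary_allow(ec2, "sg-EXAMPLE", "203.0.113.7"):  # placeholder values
            raise RuntimeError("deploy step failed")
    except RuntimeError:
        pass
    return [name for name, _ in ec2.calls]


if __name__ == "__main__":
    print(demo())
```

The `finally` block does not run if the runner itself is cancelled or killed, so a scheduled sweep that removes stale temporary entries is still worth having. While the rule is open, the address it admits belongs to a shared hosted-runner pool, so the service behind it still needs its own authentication.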
-
On further reflection I suppose this is only an issue for the publicly hosted runners, which perhaps makes sense. By setting up a hosted runner you should have more control over the runner's IP range.
-
Would love an environment variable for the gh-runner's external IP address. https://api.ipify.org has been failing a lot lately. Maybe because a lot of gh-action users are sending requests to them 😉. Anyway, whitelisting all gh-runner addresses from https://api.github.com/meta is not a viable option. AWS for example has a limit of 60 inbound/outbound rules per security group: https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html#vpc-limits-security-groups. The current amount of actions addresses in https://api.github.com/meta is 2584 (2156 ip4, 428 ip6). That amount of IPs that needs whitelisting is not workable.
-
Based on @kyle-revio's approach, I've created a GitHub Action that does exactly what he posted above. It just makes the workflows look a bit nicer and less cluttered. It uses https://api.ipify.org to determine the IP address, but you can also use your custom service and pass the IP as an argument to the action. Would come in handy if GitHub ever publishes the runner IP in an environment variable, @robkorv. Enjoy!
-
I just hit a weird problem where an azure ip was missing from the list 172.183.50.157. It's like there's a typo here:- allow 172.180.0.0/15; should that be another /15?
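The checks several comments in this thread do by hand (is a runner address covered by the published list, which /15 an address actually falls in, and how many rules the list needs against the 60-rule limit mentioned above), as an added example that is not part of any post. The list is a constructed sample shaped like the `actions` array of https://api.github.com/meta; the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the shape of the "actions" array from https://api.github.com/meta.
# Only 172.180.0.0/15 is quoted in the thread; the other entries are documentation ranges.
SAMPLE_ACTIONS = [
    "172.180.0.0/15",
    "203.0.113.0/25",
    "203.0.113.128/25",
    "198.51.100.0/24",
    "2001:db8::/33",
    "2001:db8:8000::/33",
]
RULE_LIMIT = 60  # per-security-group rule limit cited in the thread


def covering(ip, cidrs):
    """Return the listed networks that contain ip (empty list = not allowed)."""
    addr = ipaddress.ip_address(ip)
    nets = (ipaddress.ip_network(c) for c in cidrs)
    return [str(n) for n in nets if n.version == addr.version and addr in n]


def enclosing(ip, prefixlen):
    """The network of the given prefix length that ip actually falls in."""
    return str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))


def collapsed(cidrs):
    """Merge adjacent and overlapping ranges; IPv4 and IPv6 must be collapsed separately."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    out = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        out.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return out


def fits_rule_limit(cidrs, limit=RULE_LIMIT):
    """True when the merged list is small enough to load as one rule per range."""
    return len(collapsed(cidrs)) <= limit


if __name__ == "__main__":
    print(covering("172.183.50.157", SAMPLE_ACTIONS))
    print(enclosing("172.183.50.157", 15))
    print(collapsed(SAMPLE_ACTIONS))
```

Run against the address from the comment above, `covering` returns an empty list because 172.180.0.0/15 spans only 172.180.0.0 to 172.181.255.255, and `enclosing` shows the address sits in 172.182.0.0/15.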
-
It would be really great if someone could talk to aws and get them to create a managed prefix list of ips for 3rd parties like cloudflare and github runners rather than people managing their own
-
IP addresses of GitHub-hosted runners does not work. I find there are many IPs for GitHub Actions which do not exist in the list. My problem is: my requests from GitHub Actions to Cloudflare have been blocked by Cloudflare, because of Bot fight mode.