Tags: azure, ip, github-actions

Which IPs to allow in Azure for Github Actions?


I have an Azure storage account. When I allow all networks to it, my Github Actions can run and update my Azure static website.

When I disallow all but named networks (147.243.0.0/16 and my machine's IP) I get a 403 (request denied) error in Github Actions.

I assume I need to add GitHub to these IPs but when I run:

curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/meta

there are tons of IPs! Do I need to add them all?


Solution

  • I assume you want to allow the GitHub Actions runner access to your storage account? Then yes, since that is potentially a large fleet of VMs, there are a ton of IPs you would need to whitelist.

    The alternative is to use a few tasks inside your pipeline:

    1. Look up the IP of the runner, e.g. using https://api.ipify.org
    2. Add this IP to the allow-list using AZ CLI
    3. Do your actual work on storage
    4. Remove the allow entry again through CLI

    Example Code:

    name: Deploy to Azure
    on:
      push:
        branches:
          - main
      workflow_dispatch:
    jobs:
      publish:
        environment: Production
        runs-on: ubuntu-latest
        steps:

          - uses: actions/checkout@v2

          - uses: azure/login@v1
            with:
              creds: ${{ secrets.AZURE_CREDENTIALS }}

          # Step 1 + 2: look up the runner's public IP and add it to the
          # storage account's allow-list. The address is quoted so the
          # lookup response is always passed as a single argument.
          - name: Whitelist GitHub Runner IP
            uses: azure/CLI@v1
            with:
              inlineScript: |
                set -eu
                agentIP=$(curl -s https://api.ipify.org/)
                az storage account network-rule add \
                  --resource-group "${{ secrets.RESOURCE_GROUP }}" \
                  --account-name "${{ secrets.STORAGE_ACCOUNT_NAME }}" \
                  --ip-address "$agentIP"
                # give the network rule time to propagate before using it
                sleep 300

          # Step 3: the actual work on storage
          - name: Upload to blob storage
            uses: azure/CLI@v1
            with:
              inlineScript: |
                set -eu
                az storage blob upload-batch \
                  --account-name "${{ secrets.STORAGE_ACCOUNT_NAME }}" \
                  --source ./src/ \
                  --destination '$web' \
                  --overwrite true

          - name: Purge CDN endpoint
            uses: azure/CLI@v1
            with:
              inlineScript: |
                set -eu
                az cdn endpoint purge \
                  --content-paths "/*" \
                  --profile-name "${{ secrets.CDN_PROFILE_NAME }}" \
                  --name "${{ secrets.CDN_ENDPOINT }}" \
                  --resource-group "${{ secrets.RESOURCE_GROUP }}"

          # Step 4: always remove the entry again, even if an earlier step failed
          - name: Remove GitHub Runner IP from Whitelist
            if: always()
            uses: azure/CLI@v1
            with:
              inlineScript: |
                set -eu
                agentIP=$(curl -s https://api.ipify.org/)
                az storage account network-rule remove \
                  --resource-group "${{ secrets.RESOURCE_GROUP }}" \
                  --account-name "${{ secrets.STORAGE_ACCOUNT_NAME }}" \
                  --ip-address "$agentIP"

          - name: logout
            if: always()
            run: |
              az logout
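The same add / work / remove procedure as a single script, as an added example that is not part of the answer above: the IP returned by the lookup service is validated as one public address before it is handed to the CLI, the CLI is called with an argument list rather than a shell string, and the rule is removed in a `finally` so it goes away even when the upload fails. The `RESOURCE_GROUP` and `STORAGE_ACCOUNT_NAME` environment variable names are assumed, not fixed by the answer.

```python
import ipaddress
import os
import subprocess
import time
import urllib.request


def fetch_runner_ip(url: str = "https://api.ipify.org") -> str:
    """Ask the lookup service which public address this runner egresses from."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("ascii", "replace").strip()


def is_public_ip(text: str) -> bool:
    """True only for one globally routable IPv4/IPv6 address; garbage, private
    or loopback ranges and extra tokens in the lookup response are rejected."""
    try:
        return ipaddress.ip_address(text).is_global
    except ValueError:
        return False


def network_rule_cmd(action: str, resource_group: str, account: str, ip: str) -> list:
    """Build `az storage account network-rule add|remove` as an argv list, so no
    shell word-splitting happens and the address is always a single argument."""
    if not is_public_ip(ip):
        raise ValueError(f"refusing to allow-list non-public address: {ip!r}")
    return ["az", "storage", "account", "network-rule", action,
            "--resource-group", resource_group, "--account-name", account,
            "--ip-address", ip]


def with_temporary_rule(resource_group, account, ip, work, settle_seconds=300):
    """Add the rule, wait for it to propagate, run work(), then always remove
    the very same rule again (also when work() raises)."""
    subprocess.run(network_rule_cmd("add", resource_group, account, ip), check=True)
    try:
        time.sleep(settle_seconds)
        work()
    finally:
        subprocess.run(network_rule_cmd("remove", resource_group, account, ip), check=True)


if __name__ == "__main__":
    # hypothetical env var names, assumed to be exported from the workflow's secrets
    rg, acct = os.environ["RESOURCE_GROUP"], os.environ["STORAGE_ACCOUNT_NAME"]
    with_temporary_rule(rg, acct, fetch_runner_ip(), lambda: subprocess.run(
        ["az", "storage", "blob", "upload-batch", "--account-name", acct,
         "--source", "./src/", "--destination", "$web", "--overwrite", "true"],
        check=True))
```

Because the add and remove calls reuse the one address that was looked up, the cleanup cannot miss the rule the way a second lookup could if the runner's egress address changed mid-job.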