azureipgithub-actions

Which IPs to allow in Azure for Github Actions?

I have an Azure storage account. When I allow all networks to it, my Github Actions can run and update my Azure static website.

When I disallow all but named networks (147.243.0.0/16 and my machine's IP) I get a 403 (request denied) error in Github Actions.

I assume I need to add GitHub to these IPs but when I run:

curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/meta

there are tons of IPs! Do I need to add them all?

Solution

  • I assume you want to allow the GitHub Actions runner access to your storage account? Then yes, since that is potentially a large fleet of VMs, there are ton of IPs you would need to whitelist.

    The alternative is to use a few tasks inside your pipeline:

    1. look up the IP of the runner, e.g. using https://api.ipify.org
    2. Add this IP to the allow-list using AZ CLI
    3. Do your actual work on storage
    4. Remove the allow entry again through CLI

    Example Code:

    
name: Deploy to Azure
on:
  push:
    branches:
      - main
  workflow_dispatch:
jobs:
  publish:
    environment: Production
    runs-on: ubuntu-latest
    steps:

      - uses: actions/checkout@v2

      - uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      - name: Whitelist GitHub Runner IP
        uses: azure/CLI@v1
        with:
          inlineScript: |
            set -eu
            agentIP=$(curl -s https://api.ipify.org/)
            az storage account network-rule add \
              --resource-group "${{ secrets.RESOURCE_GROUP }}" \
              --account-name "${{ secrets.STORAGE_ACCOUNT_NAME }}" \
              --ip-address $agentIP
            sleep 300

      - name: Upload to blob storage
        uses: azure/CLI@v1
        with:
          inlineScript: |
            set -eu
            az storage blob upload-batch \
              --account-name "${{ secrets.STORAGE_ACCOUNT_NAME }}" \
              --source ./src/ \
              --destination '$web' \
              --overwrite true

      - name: Purge CDN endpoint
        uses: azure/CLI@v1
        with:
          inlineScript: |
            set -eu
            az cdn endpoint purge \
              --content-paths  "/*"  \
              --profile-name "${{ secrets.CDN_PROFILE_NAME }}" \
              --name "${{ secrets.CDN_ENDPOINT }}" \
              --resource-group "${{ secrets.RESOURCE_GROUP }}"

      - name: Remove GitHub Runner IP from Whitelist
        if: always()
        uses: azure/CLI@v1
        with:
          inlineScript: |
            set -eu
            agentIP=$(curl -s https://api.ipify.org/)
            az storage account network-rule remove  \
              --resource-group "${{ secrets.RESOURCE_GROUP }}" \
              --account-name "${{ secrets.STORAGE_ACCOUNT_NAME }}" \
              --ip-address $agentIP

      - name: logout
        if: always()
        run: |
          az logout