From 27cfbb13bacdad3bfbebca6fcfb08a5d718a1d52 Mon Sep 17 00:00:00 2001 From: Edward Thomson Date: Fri, 29 Oct 2021 05:57:11 -0400 Subject: [PATCH] actions: clarify IP address ranges for self hosted runners (#22460) * actions: don't recommend users allow-list our hosted runners There are too many IP addresses for our hosted runners for users to use them as an allow-list. In fact, we have a note where we _don't_ recommend that they use this. Remove a contradictory sentence below. * ip addresses: clarify what these ip addresses are * self-hosted: clarify inbound/outbound requirements * Update content/actions/hosting-your-own-runners/about-self-hosted-runners.md * Update content/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses.md Co-authored-by: hubwriter --- .../hosting-your-own-runners/about-self-hosted-runners.md | 2 ++ .../about-github-hosted-runners.md | 4 +++- .../about-githubs-ip-addresses.md | 2 ++ 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/content/actions/hosting-your-own-runners/about-self-hosted-runners.md b/content/actions/hosting-your-own-runners/about-self-hosted-runners.md index 99321bd11c..c35252201e 100644 --- a/content/actions/hosting-your-own-runners/about-self-hosted-runners.md +++ b/content/actions/hosting-your-own-runners/about-self-hosted-runners.md @@ -137,6 +137,8 @@ If you use an IP address allow list for your {% data variables.product.prodname_ {% ifversion fpt or ghec %} +Since the self-hosted runner opens a connection to {% data variables.product.prodname_dotcom %}, you do not need to allow {% data variables.product.prodname_dotcom %} to make inbound connections to your self-hosted runner. + You must ensure that the machine has the appropriate network access to communicate with the {% data variables.product.prodname_dotcom %} URLs listed below. {% note %} 
diff --git a/content/actions/using-github-hosted-runners/about-github-hosted-runners.md b/content/actions/using-github-hosted-runners/about-github-hosted-runners.md index 9472132cdc..3dbd8e8fef 100644 --- a/content/actions/using-github-hosted-runners/about-github-hosted-runners.md +++ b/content/actions/using-github-hosted-runners/about-github-hosted-runners.md @@ -106,9 +106,11 @@ You can install additional software on {% data variables.product.prodname_dotcom {% endnote %} +To get a list of IP address ranges that {% data variables.product.prodname_actions %} uses for {% data variables.product.prodname_dotcom %}-hosted runners, you can use the {% data variables.product.prodname_dotcom %} REST API. For more information, see the `actions` key in the response of the "[Get GitHub meta information](/rest/reference/meta#get-github-meta-information)" endpoint. + Windows and Ubuntu runners are hosted in Azure and subsequently have the same IP address ranges as the Azure datacenters. macOS runners are hosted in {% data variables.product.prodname_dotcom %}'s own macOS cloud. -To get a list of IP address ranges that {% data variables.product.prodname_actions %} uses for {% data variables.product.prodname_dotcom %}-hosted runners, you can use the {% data variables.product.prodname_dotcom %} REST API . For more information, see the `actions` key in the response of the "[Get GitHub meta information](/rest/reference/meta#get-github-meta-information)" endpoint. You can use this list of IP addresses if you require an allow-list to prevent unauthorized access to your internal resources. +Since there are so many IP address ranges for {% data variables.product.prodname_dotcom %}-hosted runners, we do not recommend that you use these as allow-lists for your internal resources. The list of {% data variables.product.prodname_actions %} IP addresses returned by the API is updated once a week. 
diff --git a/content/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses.md b/content/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses.md index 4c9cbd8615..c23c0e6cc6 100644 --- a/content/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses.md +++ b/content/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses.md @@ -27,6 +27,8 @@ You can retrieve a list of {% data variables.product.prodname_dotcom %}'s IP add {% endnote %} +These IP addresses are used by {% data variables.product.prodname_dotcom %} to serve our content, deliver webhooks, and perform hosted {% data variables.product.prodname_actions %} builds. + These ranges are in [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation). You can use an online conversion tool such as this [CIDR / VLSM Supernet Calculator](http://www.subnet-calculator.com/cidr.php) to convert from CIDR notation to IP address ranges. We make changes to our IP addresses from time to time. We do not recommend allowing by IP address, however if you use these IP ranges we strongly encourage regular monitoring of our API.
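Review bot: In about-self-hosted-runners.md (hunk at line 137), the added sentence sits inside the `{% ifversion fpt or ghec %}` block, so readers of any other version never see the statement that no inbound connection is needed. If the runner opens the connection in those versions as well, move the sentence above the `ifversion` tag; if it does not, say so explicitly. It would also help to state the positive rule next to the negative one, for example that only outbound access to the URLs listed below is required, so an administrator can justify blocking inbound traffic to the runner host.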
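Review bot: In about-github-hosted-runners.md (hunk at line 106), the replacement sentence gives only the number of ranges as the reason not to allow-list, while the unchanged paragraph directly above it says Windows and Ubuntu runners "have the same IP address ranges as the Azure datacenters". That is the stronger reason, because an allow-list built from these ranges would cover Azure datacenter ranges rather than runners alone; consider stating it and pointing readers who need a known source address to self-hosted runners. After the move, the unchanged line "The list of ... IP addresses returned by the API is updated once a week" is also two paragraphs away from the sentence that introduces the API, and would read better directly after it.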
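Review bot: In about-githubs-ip-addresses.md (hunk at line 27), the added sentence groups three uses that point in different directions for a firewall rule: serving content is a destination for the reader's outbound traffic, while webhook delivery and hosted Actions builds are sources of traffic arriving at the reader's network. Since the hosted-runners page in this same patch already refers to the `actions` key of the meta response, this sentence should say that the response is split by key and which key corresponds to each use, so readers allow only the ranges for the direction they need. Placed between `{% endnote %}` and "These ranges are in CIDR notation", the new "These IP addresses" also makes the antecedent of "These ranges" less clear; consider using the same noun in both sentences.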