[scottydelta]

> but I don't want to expose my server to the internet with open ports.

One simple approach I take to solve this issue is by whitelisting (using ufw/VPS firewall) Github's webhook IPs listed at https://api.github.com/meta

This works flawlessly while keeping your CI server secure.

[qrkourier]

Did you find a way to auto-update your firewall from the dynamic allow list in the GitHub API?

[scottydelta]

Github rarely changes it's hooks IPs.

The current list has 4 IPv4 IP range and upon checking my server firewall(last updated 3 years ago), I can see I have the first 3 entries in there.

So in the last 3 years, Github has added 1 new IP range which is missing from my server but even then, no webhook call has ever failed to my CI server.

As a precaution I just updated my server firewall right now.

You could of course write a cron script to regularly check Github hooks IPs and update firewall if Github changes it's webhooks IPs.

[qrkourier]

Glad you got it updated before you missed an event! That's the worry that made me look for something flexible and software-defined that I could run in GitHub Actions.

[Yeroc]

The bigger worry would be if they removed some IP addresses from their list. Those IP addresses would be juicy targets for hackers to scoop up and attempt an attack knowing that people have whitelisted them and that they allow access to what is likely relatively poorly protected infrastructure.

[scottydelta]

from my previous comment:

> You could of course write a cron script to regularly check Github hooks IPs and update firewall if Github changes it's webhooks IPs.

This is way easier and simpler than any other solution. It will be a mere 6 line script.

[Spivak]

It's totally trivial in almost all setups. Here's Linux.

    ipset create ghwebhooks hash:net
    iptables -A INPUT -m set --match-set ghwebhooks src -m tcp --dport 443 -j ALLOW

    # in /etc/cron.daily
    ipset add ...
    ipset del ...
    ipset list ...
    ipset save >/etc/ipset.conf

[corytheboyd]

I was doing this with Cloudflare IPs, and iptables as the firewall. Pretty simple bash script scheduled with crontab worked just fine. Was doing this on a DD-WRT flashed netgear router. There's probably something similar that can be done here

[linsomniac]

I do something similar for AWS IPs in our iptables firewalls. I create an ipset for "aws", and then create rules that match that ipset. I then have a script that runs periodically and downloads the set of AWS IPs (AWS publishes that) and writes then runs the script that creates the ipset.