The current list has 4 IPv4 IP ranges and, upon checking my server firewall (last updated 3 years ago), I can see I have the first 3 entries in there.
So in the last 3 years, Github has added 1 new IP range which is missing from my server, but even then, no webhook call has ever failed to my CI server.
As a precaution I just updated my server firewall right now.
You could of course write a cron script to regularly check Github's hook IPs and update the firewall if Github changes its webhook IPs.
Glad you got it updated before you missed an event! That's the worry that made me look for something flexible and software-defined that I could run in GitHub Actions.
The bigger worry would be if they removed some IP addresses from their list. Those IP addresses would be juicy targets for hackers to scoop up and attempt an attack knowing that people have whitelisted them and that they allow access to what is likely relatively poorly protected infrastructure.
I was doing this with Cloudflare IPs, and iptables as the firewall. A pretty simple bash script scheduled with crontab worked just fine. Was doing this on a DD-WRT flashed netgear router. There's probably something similar that can be done here.
I do something similar for AWS IPs in our iptables firewalls. I create an ipset for "aws", and then create rules that match that ipset. I then have a script that runs periodically and downloads the set of AWS IPs (AWS publishes that) and writes, then runs, the script that creates the ipset.
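The periodic "fetch the published list, rebuild the ipset" job that the cron-script and AWS-ipset comments above describe, written out as an added example (this is not code from anyone in the thread). It assumes a JSON document shaped like GitHub's /meta response (`{"hooks": ["cidr", ...]}`), a hypothetical ipset named `github_hooks`, and constructed sample data standing in for both the published list and the stale three-year-old firewall. It also covers the worry raised earlier about ranges being removed: the set is rebuilt from scratch and swapped atomically, so dropped ranges disappear instead of lingering as an allow-listed hole, and a feed that comes back empty, over-broad or non-public is refused rather than applied.

```python
#!/usr/bin/env python3
"""Turn a published IP-range list into an atomic ipset update.

Added example, not code from this thread. It assumes a JSON document shaped
like GitHub's /meta response ({"hooks": ["cidr", ...]}); the set name
"github_hooks" and the sample data below are hypothetical.
"""
import ipaddress
import json

# Constructed sample of a /meta-style response. The fourth entry plays the
# "newly added range" from the thread; the IPv6 entry is skipped for an inet set.
SAMPLE_META_JSON = """
{
  "hooks": [
    "192.30.252.0/22",
    "185.199.108.0/22",
    "140.82.112.0/20",
    "143.55.64.0/20",
    "2a0a:a440::/29"
  ]
}
"""

# Constructed stand-in for the three-year-old firewall: three still-current
# ranges plus one stale documentation range (TEST-NET-3) the publisher dropped.
CURRENT_FIREWALL = {
    ipaddress.ip_network(c)
    for c in ("192.30.252.0/22", "185.199.108.0/22",
              "140.82.112.0/20", "203.0.113.0/24")
}


def parse_ranges(meta_json, key="hooks", version=4):
    """Parse and sanity-check the published list, refusing anything absurd.

    A corrupted or hostile feed must not be able to open the firewall to the
    whole internet or to private space, so every entry has to be a strict,
    globally routable CIDR of a plausible size, and the list must be non-empty.
    """
    doc = json.loads(meta_json)
    nets = set()
    for entry in doc[key]:
        net = ipaddress.ip_network(entry, strict=True)  # host bits set -> ValueError
        if net.version != version:
            continue
        if net.prefixlen < 8:
            raise ValueError(f"refusing over-broad range {net}")
        if not net.is_global:
            raise ValueError(f"refusing non-global range {net}")
        nets.add(net)
    if not nets:
        raise ValueError("published list is empty; not touching the firewall")
    return nets


def diff_ranges(current, published):
    """Return (added, removed): what a never-updated allow-list misses or keeps."""
    return published - current, current - published


def ipset_restore_script(setname, nets, family="inet"):
    """Emit `ipset restore` input that replaces the set in one atomic swap.

    Building a fresh set and swapping it into place means removed ranges go
    away too, and there is no window in which the live set is empty and
    webhook deliveries get dropped. Feed it to `ipset -exist restore` so a
    set that already exists is tolerated by the `create` lines.
    """
    tmp = f"{setname}_new"
    lines = [f"create {tmp} hash:net family {family}", f"flush {tmp}"]
    lines += [f"add {tmp} {net}" for net in sorted(nets)]
    lines += [
        f"create {setname} hash:net family {family}",  # no-op under -exist
        f"swap {tmp} {setname}",
        f"destroy {tmp}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    published = parse_ranges(SAMPLE_META_JSON)
    added, removed = diff_ranges(CURRENT_FIREWALL, published)
    print("added:", sorted(map(str, added)), "removed:", sorted(map(str, removed)))
    print(ipset_restore_script("github_hooks", published), end="")
```

In a real cron job the sample JSON would be replaced by the body fetched over HTTPS, the output piped into `ipset -exist restore`, and a single iptables rule such as `-m set --match-set github_hooks src` would consume the set, so the rules never need to change when the ranges do. The refusal checks are the important part: a job that blindly applies whatever it downloads turns the feed into a remote control for your firewall.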