by scottydelta 1371 days ago
GitHub rarely changes its hooks IPs.

The current list has 4 IPv4 IP ranges, and upon checking my server firewall (last updated 3 years ago), I can see I have the first 3 entries in there.

So in the last 3 years, GitHub has added 1 new IP range, which is missing from my server, but even then, no webhook call has ever failed to my CI server.

As a precaution, I just updated my server firewall right now.

You could of course write a cron script to regularly check GitHub hooks IPs and update the firewall if GitHub changes its webhooks IPs.

1 comment

Glad you got it updated before you missed an event! That's the worry that made me look for something flexible and software-defined that I could run in GitHub Actions.
The bigger worry would be if they removed some IP addresses from their list. Those IP addresses would be juicy targets for hackers to scoop up and attempt an attack knowing that people have whitelisted them and that they allow access to what is likely relatively poorly protected infrastructure.
From my previous comment:

> You could of course write a cron script to regularly check GitHub hooks IPs and update the firewall if GitHub changes its webhooks IPs.

This is way easier and simpler than any other solution. It will be a mere 6-line script.
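The cron check discussed in this thread, sketched as an added example that is not code from any commenter: it diffs the firewall allowlist against the published hook ranges and reports stale entries for removal as well as new ones to add. It assumes GitHub's metadata endpoint `https://api.github.com/meta` with a `hooks` list; the sample ranges, the prefix limits and the ipset set names are constructed or hypothetical.

```python
import ipaddress
import json
import urllib.request

META_URL = "https://api.github.com/meta"  # assumption: document with a "hooks" list
MIN_PREFIX = {4: 16, 6: 32}  # assumption: refuse ranges broader than these


def fetch_meta(url=META_URL):
    """Download the published metadata document (the network call cron would make)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def parse_hooks(meta):
    """Return the validated set of hook networks from a metadata document."""
    nets = set()
    for cidr in meta.get("hooks", []):
        net = ipaddress.ip_network(cidr, strict=True)  # raises on malformed input
        if net.prefixlen < MIN_PREFIX[net.version]:
            raise ValueError(f"refusing overly broad range {net}")
        nets.add(net)
    if not nets:
        raise ValueError("empty hooks list; keeping current allowlist")
    return nets


def plan(current, published):
    """Diff the allowlist against the published ranges: (to_add, to_remove)."""
    current = {ipaddress.ip_network(c) for c in current}
    return sorted(published - current, key=str), sorted(current - published, key=str)


def ipset_commands(add, remove, set_name="github_hooks"):  # set name is hypothetical
    """Render the change as ipset commands, one set per address family."""
    return ([f"ipset del {set_name}_v{n.version} {n}" for n in remove]
            + [f"ipset add {set_name}_v{n.version} {n}" for n in add])


# Constructed sample data (documentation ranges, not GitHub's real ones).
SAMPLE_META = {"hooks": ["192.0.2.0/24", "198.51.100.0/24", "2001:db8:1::/48"]}
SAMPLE_CURRENT = ["192.0.2.0/24", "203.0.113.0/24"]

if __name__ == "__main__":
    add, remove = plan(SAMPLE_CURRENT, parse_hooks(SAMPLE_META))
    print("\n".join(ipset_commands(add, remove)))
```

In a real cron job, `parse_hooks(fetch_meta())` replaces the sample document, and a raised `ValueError` leaves the existing allowlist untouched.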