Which IPs do I need to allow in Azure for GitHub Actions?

sch*_*oon 5 ip azure github-actions

I have an Azure storage account. When I allow access from all networks, my GitHub Action can run and update my Azure static website.

When I deny all networks except the named networks (147.243.0.0/16 and my machine's IP), I get a 403 (request denied) error in GitHub Actions.

I assume I need to add GitHub to these IPs, but when I run:

curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/meta

there is a huge number of IPs! Do I need to add them all?
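To see what that `/meta` output actually amounts to, here is an added example (not part of the question or the answer) that parses the `actions` key, collapses adjacent ranges, counts how many firewall rules and addresses an allow-list built from it would contain, and checks whether a given runner IP falls inside it. `META_SAMPLE` is a constructed excerpt in the shape of the real response; a live response carries far more ranges. It separates IPv4 from IPv6 only because the question's existing rule (147.243.0.0/16) is an IPv4 range; whether your storage firewall accepts IPv6 rules is something to check separately.

```python
"""Size up the GitHub Actions IP ranges published at https://api.github.com/meta.

Added example, not code from the original question or answer. META_SAMPLE is a
constructed excerpt in the shape of the /meta response, not real data.
"""
import ipaddress
import json

# Constructed sample in the shape of the /meta response (not real data).
META_SAMPLE = json.dumps({
    "actions": [
        "4.175.0.0/18",
        "4.175.64.0/20",
        "4.175.80.0/20",      # adjacent to the previous block: collapses into 4.175.64.0/19
        "13.64.0.0/16",
        "13.65.0.0/16",       # adjacent to 13.64.0.0/16: collapses into 13.64.0.0/15
        "2603:1030:2::/48",
        "2603:1030:3::/48",
    ],
    "hooks": ["192.30.252.0/22"],   # other keys exist; only "actions" matters here
})


def actions_ranges(meta_json):
    """Return the 'actions' CIDRs of a /meta document as ip_network objects."""
    meta = json.loads(meta_json)
    return [ipaddress.ip_network(cidr, strict=False) for cidr in meta.get("actions", [])]


def summarize(nets):
    """Collapse adjacent/overlapping ranges per IP version and count the result.

    The collapsed counts are the minimum number of firewall rules you would
    have to maintain if you tried to allow-list the whole fleet statically.
    """
    v4 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return {
        "ipv4_rules": len(v4),
        "ipv6_rules": len(v6),
        "ipv4_addresses": sum(n.num_addresses for n in v4),
        "v4": v4,
        "v6": v6,
    }


def is_actions_ip(ip, nets):
    """True if `ip` lies in any published actions range (e.g. to sanity-check a 403)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    nets = actions_ranges(META_SAMPLE)
    stats = summarize(nets)
    print(f"{stats['ipv4_rules']} IPv4 rules covering {stats['ipv4_addresses']} addresses, "
          f"{stats['ipv6_rules']} IPv6 rules")
    for n in stats["v4"] + stats["v6"]:
        print("  ", n)
    print("13.65.10.1 is a runner IP:", is_actions_ip("13.65.10.1", nets))
```

Feed the real `/meta` body into `actions_ranges` (`curl -s https://api.github.com/meta | python3 -c ...`) to see the true rule count; even after collapsing, it is far more than a handful, which is why the accepted approach below adds the single runner IP at job time instead.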

sil*_*ent 10

I assume you want to allow the GitHub Actions runner access to your storage account? Then yes, since that is potentially a large fleet of VMs, there are a ton of IPs you would need to whitelist.

The alternative is to use a few tasks inside your pipeline:

  1. Look up the IP of the runner, e.g. using https://api.ipify.org
  2. Add this IP to the allow-list using the AZ CLI
  3. Do your actual work on storage
  4. Remove the allow entry again through the CLI

Example Code:


name: Deploy to Azure
on:
  push:
    branches:
      - main
  workflow_dispatch:
jobs:
  publish:
    environment: Production
    runs-on: ubuntu-latest
    steps:

      - uses: actions/checkout@v2

      # Service-principal login using the JSON credential stored as a repo secret
      - uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      # Steps 1 and 2: find this runner's egress IP and allow it on the storage firewall
      - name: Whitelist GitHub Runner IP
        uses: azure/CLI@v1
        with:
          inlineScript: |
            set -eu
            agentIP=$(curl -s https://api.ipify.org/)
            az storage account network-rule add \
              --resource-group "${{ secrets.RESOURCE_GROUP }}" \
              --account-name "${{ secrets.STORAGE_ACCOUNT_NAME }}" \
              --ip-address "$agentIP"
            # give the new rule time to take effect before the first storage request
            sleep 300

      # Step 3: the actual work, here a static-website upload to the $web container
      - name: Upload to blob storage
        uses: azure/CLI@v1
        with:
          inlineScript: |
            set -eu
            az storage blob upload-batch \
              --account-name "${{ secrets.STORAGE_ACCOUNT_NAME }}" \
              --source ./src/ \
              --destination '$web' \
              --overwrite true

      - name: Purge CDN endpoint
        uses: azure/CLI@v1
        with:
          inlineScript: |
            set -eu
            az cdn endpoint purge \
              --content-paths  "/*"  \
              --profile-name "${{ secrets.CDN_PROFILE_NAME }}" \
              --name "${{ secrets.CDN_ENDPOINT }}" \
              --resource-group "${{ secrets.RESOURCE_GROUP }}"

      # Step 4: remove the rule again. `if: always()` makes this run even when an
      # earlier step failed, so the firewall does not keep a stale allow entry.
      # Each inlineScript is a separate shell, so the IP is looked up again here.
      - name: Remove GitHub Runner IP from Whitelist
        if: always()
        uses: azure/CLI@v1
        with:
          inlineScript: |
            set -eu
            agentIP=$(curl -s https://api.ipify.org/)
            az storage account network-rule remove  \
              --resource-group "${{ secrets.RESOURCE_GROUP }}" \
              --account-name "${{ secrets.STORAGE_ACCOUNT_NAME }}" \
              --ip-address "$agentIP"

      - name: logout
        if: always()
        run: |
          az logout
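The same four-step sequence as a stand-alone Python script, for running the deployment from a laptop or another CI system where the workflow's `if: always()` is not available. This is an added example and not the answer's own code: it issues the same `az` commands the workflow does, refuses anything that is not a public IPv4 address (the question's firewall rule is an IPv4 range), and wraps the upload in `try/finally` so the allow-list entry is removed even when the upload fails or the script is interrupted. The resource group and account names are placeholders, and `run` is injectable so the sequence can be exercised without `az` or an Azure subscription.

```python
"""Allow the current egress IP on a storage firewall, upload, then always remove it.

Added example, not the answer's own code. Drives the same Azure CLI commands as
the workflow in the answer; `run` defaults to the real `az` but can be replaced.
"""
import ipaddress
import subprocess
import urllib.request


def lookup_public_ip(url="https://api.ipify.org/"):
    """Ask an IP echo service for our egress address, the same trick the answer uses."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode().strip()


def run_az(args):
    """Default runner: invoke the real Azure CLI and raise on a non-zero exit."""
    subprocess.run(["az", *args], check=True)


def deploy(resource_group, account, ip, source_dir="./src", run=run_az):
    """Allow `ip`, upload `source_dir` to the $web container, then remove `ip` again.

    Returns the list of az argument lists that were issued, in order, so callers
    can see exactly what ran. On failure the exception propagates *after* the
    removal in the finally block has been attempted.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or not addr.is_global:
        # A private or IPv6 address would create a rule that never matches the
        # runner's real egress address, so fail early instead.
        raise ValueError(f"expected a public IPv4 address, got {ip}")

    executed = []

    def az(*args):
        executed.append(list(args))
        run(list(args))

    az("storage", "account", "network-rule", "add",
       "--resource-group", resource_group, "--account-name", account,
       "--ip-address", ip)
    try:
        # "$web" needs no shell quoting here: subprocess passes it as a literal arg.
        az("storage", "blob", "upload-batch",
           "--account-name", account, "--source", source_dir,
           "--destination", "$web", "--overwrite", "true")
    finally:
        # Runs on success, on a failed upload and on Ctrl-C alike: the same
        # guarantee the workflow gets from `if: always()`.
        az("storage", "account", "network-rule", "remove",
           "--resource-group", resource_group, "--account-name", account,
           "--ip-address", ip)
    return executed


if __name__ == "__main__":
    # Placeholder names; replace with your own resource group and account.
    for cmd in deploy("my-resource-group", "mystorageaccount", lookup_public_ip()):
        print("az", " ".join(cmd))
```

Unlike the workflow, the removal here reuses the IP that was added rather than querying the echo service a second time, so a changed answer from that service between steps cannot leave the original rule behind.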