learn-pr/github/manage-github-actions-enterprise/includes/manage-runners.md
Lines changed: 11 additions & 11 deletions
@@ -20,11 +20,11 @@ The following table compares GitHub-hosted runners versus self-hosted runners. U
20
20
21
21
## Manage runners for the enterprise
22
22
23
-
Managing runners for the enterprise involves configuring and securing both GitHub-hosted and self-hosted runners to ensure efficient and secure CI/CD workflows. This includes setting up IP allow lists to control access, enhancing security by restricting runner access to specific IP addresses, and ensuring compliance with organizational policies. Proper configuration of IP allow lists for both GitHub-hosted and self-hosted runners is crucial for maintaining secure and reliable interactions between internal applications and GitHub Actions runners. Regular updates and reviews of these configurations are necessary to adapt to changes in IP address ranges and maintain optimal security.
23
+
Managing runners for the enterprise involves configuring and securing both GitHub-hosted and self-hosted runners to ensure efficient and secure CI/CD workflows. This includes setting up IP allowlists to control access, enhancing security by restricting runner access to specific IP addresses, and ensuring compliance with organizational policies. Proper configuration of IP allowlists for both GitHub-hosted and self-hosted runners is crucial for maintaining secure and reliable interactions between internal applications and GitHub Actions runners. Regular updates and reviews of these configurations are necessary to adapt to changes in IP address ranges and maintain optimal security.
24
24
25
-
### Configuring IP allow lists on GitHub-hosted and self-hosted runners
25
+
### Configuring IP allowlists on GitHub-hosted and self-hosted runners
26
26
27
-
Configuring IP allow lists helps control access to runners by restricting them to specific IP addresses. This enhances security by preventing unauthorized access but may require additional network configurations.
27
+
Configuring IP allowlists helps control access to runners by restricting them to specific IP addresses. This enhances security by preventing unauthorized access but may require additional network configurations.
28
28
29
29
|**This guide provides a detailed explanation of how**|**Self-hosted runners**|
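Review bot: the table header on line 29 (unchanged context) reads "This guide provides a detailed explanation of how" in the column that sits opposite "Self-hosted runners", which looks like stray text where a column name belongs. Since this commit already edits the paragraph directly above it, rename that header to what the column actually compares, presumably "GitHub-hosted runners" given the heading on line 25.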
@@ -35,7 +35,7 @@ Configuring IP allow lists helps control access to runners by restricting them t
35
35
36
36
#### Allowed IP list
37
37
38
-
An **allowed IP list** is a security feature that restricts access to services or resources based on predefined IP addresses. By configuring an IP allow list, organizations can:
38
+
An **allowed IP list** is a security feature that restricts access to services or resources based on predefined IP addresses. By configuring an IP allowlist, organizations can:
39
39
40
40
-**Enhance security:** Prevent unauthorized access by allowing only trusted IP addresses.
41
41
-**Control network Traffic:** Restrict inbound and outbound requests to known and verified IPs.
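Review bot: line 38 now uses two names for the same thing in one sentence, "An **allowed IP list**" and "an IP allowlist", and the heading on line 36 still reads "Allowed IP list". Pick one term for the heading, the bolded definition and the sentence so the rename is complete. The bullet on line 41, "Control network Traffic", also carries a stray capital that could be fixed in the same pass.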
@@ -47,12 +47,12 @@ An **allowed IP list** is a security feature that restricts access to services o
47
47
| GitHub-hosted runners can be configured via GitHub’s security settings. | Self-hosted runners work well with firewalls, VPNs, or cloud security groups. |
48
48
49
49
50
-
### Configuring IP allow lists for internal applications to interact with GitHub-Hosted Runners
50
+
### Configuring IP allowlists for internal applications to interact with GitHub-Hosted Runners
51
51
52
-
To configure IP allow lists for internal applications and systems to interact with GitHub-hosted runners, you can refer to the following official GitHub documentation:
52
+
To configure IP allowlists for internal applications and systems to interact with GitHub-hosted runners, you can refer to the following official GitHub documentation:
53
53
54
54
#### 1. Understand GitHub's IP address ranges
55
-
GitHub-hosted runners operate within specific IP address ranges. To ensure your internal applications can communicate with these runners, you need to allow these IP ranges through your firewall. GitHub provides a meta API endpoint https://api.github.com/meta that lists all current IP address ranges used by GitHub services, including those for Actions runners. Regularly updating your allow lists based on this information is essential, as IP ranges can change.
55
+
GitHub-hosted runners operate within specific IP address ranges. To ensure your internal applications can communicate with these runners, you need to allow these IP ranges through your firewall. GitHub provides a meta API endpoint https://api.github.com/meta that lists all current IP address ranges used by GitHub services, including those for Actions runners. Regularly updating your allowlists based on this information is essential, as IP ranges can change.
56
56
57
57
:::image type="content" source="../media/github-runners-ip-ranges.png" alt-text="Screenshot of API response showing GitHub runners IP ranges.":::
58
58
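Review bot: line 52 promises "the following official GitHub documentation", but the visible lines that follow are a numbered heading and a paragraph, with no documentation link. Either add the link or reword the sentence so it introduces the steps. The heading on line 50 also capitalizes "GitHub-Hosted Runners" while lines 52 and 55 use "GitHub-hosted runners", and the meta endpoint URL on line 55 would read better as a link or inline code.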
@@ -61,16 +61,16 @@ GitHub-hosted runners operate within specific IP address ranges. To ensure your
61
61
##### a. Obtain GitHub's IP ranges:
62
62
- Use the meta API endpoint to retrieve the latest IP address ranges used by GitHub Actions runners.
63
63
64
-
##### b. Update rirewall rules:
64
+
##### b. Update firewall rules:
65
65
- Add rules to your firewall to permit inbound and outbound traffic to and from these IP ranges. This ensures that your internal systems can interact with GitHub-hosted runners without connectivity issues.
66
66
67
67
#### 3. Consider using self-hosted runners
68
-
If maintaining an IP allow list for GitHub-hosted runners is challenging due to frequent changes in IP ranges, consider setting up self-hosted runners within your network. This approach allows you to have more control over the runner environment and network configurations. However, be aware that using self-hosted runners requires additional maintenance and infrastructure management.
68
+
If maintaining an IP allowlist for GitHub-hosted runners is challenging due to frequent changes in IP ranges, consider setting up self-hosted runners within your network. This approach allows you to have more control over the runner environment and network configurations. However, be aware that using self-hosted runners requires additional maintenance and infrastructure management.
69
69
70
70
:::image type="content" source="../media/github-self-hosted-runners.png" alt-text="Screenshot of an empty runners screen.":::
71
71
72
-
#### 4. Regularly review and update allow lists
73
-
Since GitHub's IP address ranges can change, it's crucial to periodically review and update your firewall's IP allow lists. Automating this process by scripting the retrieval of IP ranges from GitHub's meta API can help ensure your allow lists remain current without manual intervention.
72
+
#### 4. Regularly review and update allowlists
73
+
Since GitHub's IP address ranges can change, it's crucial to periodically review and update your firewall's IP allowlists. Automating this process by scripting the retrieval of IP ranges from GitHub's meta API can help ensure your allowlists remain current without manual intervention.
74
74
75
75
### Effects and potential abuse vectors of enabling self-hosted runners on public repositories
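Review bot: the bullet on line 65 tells readers to permit "inbound and outbound traffic to and from these IP ranges" without naming a direction, port or protocol, which reads as a blanket allow for every listed range. Suggest narrowing the wording to the traffic the internal application actually needs. Line 73 recommends scripting the update so allowlists stay current "without manual intervention"; it would help to add that range changes should be logged or reviewed before they reach the firewall.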