Limit GLB to allowed IPs, automatically update if needed (#54242)

Author: heiskr

.github/workflows/alert-changed-branch-protections.yml

@@ -4,7 +4,7 @@ on:
   branch_protection_rule:
   workflow_dispatch:
   schedule:
-    - cron: '20 16 * * 3' # Run every Wednesday at 16:30 UTC / 8:30 PST
+    - cron: '20 16 * * 3' # Run every Wednesday at 16:20 UTC / 8:20 PST
 
 permissions:
   contents: read

.github/workflows/moda-allowed-ips.yml

@@ -0,0 +1,59 @@
+name: Update Moda allowed IPs
+
+# **What it does**: Make sure that the allowed IPs in Moda are up to date.
+# **Why we have it**: The IP ranges from Fastly can change.
+# **Who does it impact**: Docs engineering.
+
+on:
+  schedule:
+    - cron: '20 16 * * 4' # Run every Thursday at 16:20 UTC / 8:20 PST
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-moda-allowed-ips:
+    if: github.repository == 'github/docs-internal'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@v4
+
+      - name: Update list of allowed IPs
+        run: |
+          echo "Getting a list of Fastly IP addresses...."
+          ips=$( \
+            curl -s https://api.fastly.com/public-ip-list \
+            | jq -r '.addresses | join(",")' \
+          )
+          echo "Got a list of Fastly IP addresses: $ips"
+
+          echo "Updating the list of allowed IPs in Moda config..."
+          yq -i ".metadata.annotations[\"moda.github.net/allowed-ips\"] = \"$ips\"" \
+            config/kubernetes/production/services/webapp.yaml
+          echo "Updated the list of allowed IPs in Moda config"
+
+          echo "Checking if there is a change to make..."
+          if git diff --quiet; then
+            echo "No changes to the allowed IPs"
+            exit 0
+          fi
+
+          echo "Change found; making a pull request..."
+          branchname=update-allowed-ips-$(date +%s)
+          git checkout -b $branchname
+          git commit -am "Update list of allowed IPs"
+          git push
+          gh pr create \
+            --title "Update list of allowed IPs" \
+            --body 'This PR updates the list of allowed IPs in Moda. It is automatically generated.' \
+            --head=$branchname
+          echo "Pull request created"
+
+      - uses: ./.github/actions/slack-alert
+        if: ${{ failure() }}
+        with:
+          slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }}
+          slack_token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}

config/kubernetes/production/services/webapp.yaml

@@ -7,11 +7,8 @@ metadata:
   annotations:
     moda.github.net/domain-name: 'docs-internal.github.com'
     moda.github.net/dns-registration-enabled: 'false'
-    moda.github.net/load-balancer-type:
-      public-external-http
-      # moda.github.net/allowed-ips: '23.235.32.0/20,43.249.72.0/22,103.244.50.0/24,103.245.222.0/23,103.245.224.0/24,104.156.80.0/20,140.248.64.0/18,140.248.128.0/17,146.75.0.0/17,151.101.0.0/16,157.52.64.0/18,167.82.0.0/17,167.82.128.0/20,167.82.160.0/20,167.82.224.0/20,172.111.64.0/18,185.31.16.0/22,199.27.72.0/21,199.232.0.0/1'
-    # ipv6 addresses not included
-    # curl -i  "https://api.fastly.com/public-ip-list"
+    moda.github.net/load-balancer-type: public-external-http
+    moda.github.net/allowed-ips: 23.235.32.0/20,43.249.72.0/22,103.244.50.0/24,103.245.222.0/23,103.245.224.0/24,104.156.80.0/20,140.248.64.0/18,140.248.128.0/17,146.75.0.0/17,151.101.0.0/16,157.52.64.0/18,167.82.0.0/17,167.82.128.0/20,167.82.160.0/20,167.82.224.0/20,172.111.64.0/18,185.31.16.0/22,199.27.72.0/21,199.232.0.0/16
 spec:
   ports:
     - name: http

src/workflows/tests/actions-workflows.ts

@@ -10,7 +10,7 @@ import { chain, get } from 'lodash-es'
 const githubOwnedActionsRegex =
   /^(actions\/(cache|checkout|download-artifact|upload-artifact)@v\d+(\.\d+)*)$/
 const actionHashRegexp = /^[A-Za-z0-9-/]+@[0-9a-f]{40}$/
-const checkoutRegexp = /^[actions/checkout]+@[0-9a-f]{40}$/
+const checkoutRegexp = /^[actions/checkout]+@(v\d+(\.\d+)*|[0-9a-f]{40})$/
 const permissionsRegexp = /(read|write)/
 
 type WorkflowMeta = {