1 min read

Categories

  • azure
  • cosmos
  • github

I’m using Github Actions to automatically archive journey data from my car. For now I’m writing the data to a local sqlite database stored in a private Git repo, but I’d like to push it to a “remote” database so that the data is more easily accessible. The plan is to use Github Actions to run a script to write the data to a Azure CosmosDB “Free Tier” instance.

I’ve configured the Cosmos firewall to only allow access from whitelisted IPs, so I will need to add all the Github Action IP ranges to this whitelist. These IPs can be found at api.github.com/meta, under “actions”. I’ll run the script locally this time, but if I need to automate this in an Action as well then I could use the Azure Login Action to authenticate before running the CLI in a workflow.

Here’s the script for fetching the list of CIDR ranges (taking only the valid IPv4 ranges, since it doesn’t look like IPv6 is supported yet) and then passing the list as a parameter to the “az cosmosdb update” command:

    # Build the iplist
    for ip in $(curl https://api.github.com/meta | jq -r '.actions | .[]'); do
    if [[ $ip =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9][0-9]$ ]]; then
        iplist="$ip,$iplist"
    fi
    done;

    # Remove the trailing comma
    iplist=${iplist: : -1}

    # Update Cosmos - may take a few minutes to execute
    az cosmosdb update --resource-group $rgname --name $dbname --ip-range-filter $iplist

Once the az command is finished then you should see a long list of CIDR ranges under the firewall settings.

CosmosDB Firewall Settings

It’s a long list of ranges, but it’s better than exposing the database to the entire Internet.