~sircmpwn/sr.ht-discuss


Receiving 403 when cloning public repository from GitHub Action

Details
Message ID
<760231CF-7FB5-4341-ACA7-71DAEE629074@jonmsterling.com>
Sender timestamp
1737728584
DKIM signature
pass
Hello,

I currently have a bit of a hybrid setup where I have some repositories 
hosted on SourceHut that are pulled as submodules in a repository on 
GitHub. When GitHub Actions tries to clone these submodules from 
SourceHut via HTTPS, it receives a 403 response. Here is some sample 
output:

	Cloning into '/home/runner/work/forest/forest/trees/public'...
	fatal: unable to access 'https://git.sr.ht/~jonsterling/public-trees/': The requested URL returned error: 403
	fatal: clone of 'https://git.sr.ht/~jonsterling/public-trees' into submodule path '/home/runner/work/forest/forest/trees/public' failed
	Failed to clone 'trees/public'. Retry scheduled

This used to work fine as of last month. Has GitHub Actions been 
blacklisted, or is there something I need to do to enable cloning? I do 
plan to move over my CI to SourceHut entirely, but in the meanwhile I 
just wanted to check if there was an easy way to fix this.

My thanks,
Jon
Details
Message ID
<D7ADMU0OAXRQ.2P6Y7EF7RTCYP@cmpwn.com>
In-Reply-To
<760231CF-7FB5-4341-ACA7-71DAEE629074@jonmsterling.com> (view parent)
Sender timestamp
1737732922
DKIM signature
pass
Hey Jon, Azure was blacklisted for aggressive git crawling and I guess
that's where GitHub Actions run from. I don't know of a good way to
distinguish GitHub Actions from less desirable traffic coming out of
Azure (i.e. LLM scrapers), but for now I've re-enabled all of Azure and
we'll see what happens.
Details
Message ID
<CD8521BA-43BE-4DB9-AB88-4FAD345447F4@jonmsterling.com>
In-Reply-To
<D7ADMU0OAXRQ.2P6Y7EF7RTCYP@cmpwn.com> (view parent)
Sender timestamp
1737730150
DKIM signature
pass
On 24 Jan 2025, at 14:35, Drew DeVault wrote:

> Hey Jon, Azure was blacklisted for aggressive git crawling and I guess
> that's where GitHub Actions run from. I don't know of a good way to
> distinguish GitHub Actions from less desirable traffic coming out of
> Azure (i.e. LLM scrapers), but for now I've re-enabled all of Azure and
> we'll see what happens.

Hi Drew, many thanks. That sounds like an annoying situation to deal 
with — will definitely be getting my stuff off GitHub in the coming 
months. I also understand if you feel the need to re-blacklist Azure at 
some point.

Best,
Jon
Eleanor Clifford <eleanor@clifford.lol>
Details
Message ID
<nhb3z5ad4rcjgbz4bkdq2fd3cberbttzdvfwp3utlqb7nc2e6v@6moabj6pdkgm>
In-Reply-To
<CD8521BA-43BE-4DB9-AB88-4FAD345447F4@jonmsterling.com> (view parent)
Sender timestamp
1737731683
DKIM signature
pass
Drew DeVault wrote:
> I don't know of a good way to distinguish GitHub Actions from less desirable
> traffic coming out of Azure (i.e. LLM scrapers)

Perhaps one intermediate solution would be to exempt connections from
the ban that authenticate as a (paid) SourceHut account? Seems like it
could resolve this GitHub Action example, though of course some
legitimate traffic would still be blocked and some illegitimate traffic
could still get through.

- Ellie

-- 
All emails sent by me are cryptographically signed.
Trust signed mail normally, trust unsigned mail little.
Get key: `gpg --locate-keys eleanor@clifford.lol'
Details
Message ID
<96f2d270c58047f733f2d681fbb9e37e@purelymail.com>
In-Reply-To
<D7ADMU0OAXRQ.2P6Y7EF7RTCYP@cmpwn.com> (view parent)
Sender timestamp
1737746002
DKIM signature
pass
On 2025-01-24 15:35, Drew DeVault wrote:
> Hey Jon, Azure was blacklisted for aggressive git crawling and I guess
> that's where GitHub Actions run from. I don't know of a good way to
> distinguish GitHub Actions from less desirable traffic coming out of
> Azure

Hi Drew,

It's probably not worth doing the legwork to automate this, but GitHub 
provides the IP addresses behind an API call.

I suppose you could whitelist the ones currently assigned for GH 
actions: https://api.github.com/meta

Cheers,
/Marius
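
Added example, not part of the thread and not SourceHut's code: a sketch of the exemption suggested in the last message, which carves the published Actions ranges out of a provider-wide block. It assumes the https://api.github.com/meta response lists runner ranges as CIDR strings under an `actions` key; the sample document, the blocked ranges and all function names are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample shaped like the /meta response; documentation ranges only.
SAMPLE_META = json.loads("""
{
  "actions": ["192.0.2.0/25", "2001:db8:a::/48", "not-a-cidr"],
  "web": ["198.51.100.0/24"]
}
""")

# Constructed stand-in for a provider-wide block (not real Azure ranges).
SAMPLE_BLOCKED = ["192.0.2.0/24", "2001:db8::/32"]


def parse_networks(cidrs):
    """Parse CIDR strings, dropping malformed entries rather than widening the list."""
    nets = []
    for cidr in cidrs:
        try:
            nets.append(ipaddress.ip_network(cidr, strict=False))
        except ValueError:
            continue
    return nets


def actions_allowlist(meta):
    """Use only the 'actions' ranges; other keys (web, hooks, ...) are ignored."""
    return parse_networks(meta.get("actions", []))


def _contains(nets, addr):
    # Compare within the same address family only (IPv4 vs IPv6).
    return any(addr.version == n.version and addr in n for n in nets)


def decide(ip, blocked, allowed):
    """Return 'allow', 'block', or 'allow-exempt' for one client address."""
    addr = ipaddress.ip_address(ip)
    if _contains(blocked, addr):
        # The exemption applies only inside a blocked range, so it can be logged separately.
        return "allow-exempt" if _contains(allowed, addr) else "block"
    return "allow"
```

The published ranges change over time, so an allowlist built this way has to be refreshed from the endpoint on a schedule.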