Zulip Chat Archive
Stream: FLT
Topic: runners cannot access domains?
Kevin Buzzard (Feb 12 2025 at 13:12):
I've learnt from experience not to ignore emails from github even if I don't understand them. Is this something to do with FLT?
From: GitHub <marketing@github.com>
Sent: Monday, February 10, 2025 17:04
To: Buzzard, Kevin M <k.buzzard@imperial.ac.uk>
Subject: GitHub Actions: Updates to the network allow list for self-hosted runners and Azure private networkingThis email from marketing@github.com originates from outside Imperial. Do not click on links and attachments unless you recognise the sender. If you trust the sender, add them to your safe senders list to disable email stamping for this address.
With the upcoming GA of Immutable Actions, Actions will now be stored as packages in the GitHub Container Registry. We are reaching out because your runners currently cannot access one or both of the required domains.
Please ensure that your self-hosted runner allow lists are updated to accommodate the network traffic. Specifically, you should allow traffic to pkg.actions.githubusercontent .com to ensure Immutable Actions can be downloaded successfully and jobs don’t fail during setup. If you already allow *.actions.githubusercontent .com which is listed as a required domain then no action is necessary. Traffic will also be required to ghcr .io for publishing new versions of an Immutable Action in the future, which will be available with the GA release.
This update also affects runners in all versions of GitHub Enterprise Server that use the GitHub Connect feature to download actions directly from github.com. Customers are advised to update their self-hosted runner network allow lists accordingly. For further guidance on communication between self-hosted runners and GitHub, please refer to our documentation.
Additionally, our guidance for configuring Azure private networking has been updated to account for the new domains. The following IP addresses have been added to the NSG template in our documentation.
- 140.82.121.33/32
- 140.82.121.34/32
- 140.82.113.33/32
- 140.82.113.34/32
- 140.82.112.33/32
- 140.82.112.34/32
- 140.82.114.33/32
- 140.82.114.34/32
- 192.30.255.164/31
- 4.237.22.32/32
- 20.217.135.1/32
- 4.225.11.196/32
- 20.26.156.211/32
Julian Berman (Feb 12 2025 at 13:18):
Do you know whether "you" set up self-hosted runners == computers you or Imperial or Hoskinson or someone owns -- to build FLT? Probably not? And if not that probably is directed at Mathlib and its runners (which you're receiving as a maintainer? and someone else will handle it presumably, it's GitHub saying that yes, the runner can't reach some website which in the future will be mandatory to run actions)
Mario Carneiro (Feb 12 2025 at 13:22):
yeah I think this is about the hoskinson runners
Kevin Buzzard (Feb 12 2025 at 13:57):
Aah OK yes there is no CI for FLT, so this might be a false alarm in the sense that I can ignore it after all :-) (the last time I ignored an email from github, the project dashboard stopped working)
Julian Berman (Feb 12 2025 at 13:58):
(You definitely have CI? All this is CI: https://github.com/ImperialCollegeLondon/FLT/actions -- but there's no "dedicated machines you own rather than GitHub" which are running it)
Julian Berman (Feb 12 2025 at 13:59):
Ah you mean none of those are actually buliding the project? Just the blueprint?
Ruben Van de Velde (Feb 12 2025 at 14:01):
No, they also build the lean code
Ruben Van de Velde (Feb 12 2025 at 14:01):
Not that that makes a difference to github
Kevin Buzzard (Feb 12 2025 at 14:27):
I can't get cache right? I always build FLT lean code locally
Last updated: May 02 2025 at 03:31 UTC