Feature Request: Organization-level setting to allow GitHub-hosted runners to bypass IP restrictions

[faciltech-rpgj]

🏷️ Discussion Type

Product Feedback

💬 Feature/Topic Area

ARC (Actions Runner Controller)

Discussion Details

Description:

We would appreciate if GitHub could consider adding a native organization-level setting to streamline IP-based access control for teams using both self-hosted and GitHub-hosted runners.

Currently, organizations with IP filtering requirements must manually maintain a whitelist of GitHub Actions runner IP addresses by regularly querying the Meta API and updating their network policies. While this approach works, it creates an ongoing operational burden that could be better handled by GitHub itself.

Proposed Solution:

We kindly suggest adding a toggle in the organization's Security settings (something like):

• ☑️ Allow GitHub-hosted runners

When enabled, this setting would automatically permit traffic from:

• actions - GitHub-hosted runner IP ranges
• actions_macos - GitHub-hosted macOS runner IP ranges

While continuing to enforce IP restrictions on all other external traffic.

Potential Benefits:

1. Reduced Operational Overhead - Teams would no longer need to implement custom processes to track and update GitHub's own IP ranges
2. Simplified Security Management - IP allowlists remain more maintainable and easier to audit
3. Natural Security Boundary - Distinguishing between "GitHub's trusted infrastructure" and "external third-party access" is a logical separation
4. Automatic Updates - GitHub could transparently manage IP changes without requiring manual customer intervention
5. Consistent with Existing Patterns - This would align well with other organization-level security settings

Why This Makes Sense:

Many teams need to prevent source code from leaving company infrastructure for compliance reasons, while still wanting to leverage GitHub's managed runner infrastructure for CI/CD. Having to maintain a separate process to keep GitHub's own IPs current seems like work that could naturally be handled by GitHub.

This would be a valuable addition to GitHub's security configuration options and would benefit any organization balancing strict IP policies with GitHub Actions usage.

Thank you for considering this suggestion!

---

Status: Feature Request
Impact: Organizations using IP filtering with GitHub Actions

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐