Shopify IP allowlist restricting access to non-sensitive resource? #477

Closed
samsm opened this issue Feb 5, 2024 · 3 comments

@samsm

samsm commented Feb 5, 2024

Summary

Ok, so this might be an unusual issue. As I understand it, the issue is not with the code of bootsnap, but settings that Shopify uses for its GitHub organization that limit where API calls can come from.

When requesting bootsnap tags using the GitHub API from a GitHub Action we get an error based on IP allowlisting.

Expected Behavior

We have a GitHub Action-triggered script that looks at bundle updates and performs a "diff" between the version the application is currently running and the new version. In the course of this, we request tags from GitHub in an attempt to link gem changes with repo changes.

In the case of bootsnap it looks like: GET https://api.github.com/repos/Shopify/bootsnap/tags.

For most GitHub repos this works fine and we are able to detect/infer git tags that match gem versions.

Actual behavior

For bootsnap, when requesting tag data, we get:

403 - Although you appear to have the correct authorization credentials, 
the Shopify organization has an IP allow list enabled, and your IP address 
is not permitted to access this resource.

Since bootsnap is a public project, I was wondering if this restriction could be amended or lifted.

Thanks for reading! Let me know if you have any questions or such.

@casperisfine
Contributor

Yes, that is a known issue with GitHub IP allow lists and is a PITA not just for outside contributors but also Shopify employees.

Unfortunately, even though I would love disabling it, that's not something I can do... So I'll add your complaint to the very long list...

That said, this allow list should only impact users that are members of the Shopify organization or have specific permissions on one of the Shopify org repos. So not sure why it's impacting your GitHub Actions, might be worth contacting GitHub support.

@casperisfine closed this as not planned Feb 5, 2024
@samsm
Author

samsm commented Feb 5, 2024

@casperisfine Thanks for the info!

I'll think about that last paragraph. I'm fairly sure the GitHub user we use for fetching that data doesn't have any special Shopify permissions, but that's something I can experiment with.

@casperisfine
Contributor

As a shitty workaround, I can suggest not authenticating at all when querying Shopify repos, if it keeps failing, then that's on GitHub for sure.
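
The workaround from the last comment, sketched in Ruby as an added example (not code from bootsnap or from either participant): retry without credentials only when the 403 body carries the allow-list text quoted in the issue, so other authorization failures still surface. The names `fetch_tags`, `github_get` and the injectable `transport:` parameter are assumptions made for illustration.

```ruby
require "net/http"
require "json"
require "uri"

# Substring of the 403 message quoted in the issue above.
ALLOW_LIST_MARKER = "IP allow list enabled"

# Default transport: one GET against the GitHub REST API.
# Returns [status_code, body]. A nil token sends an anonymous request.
def github_get(url, token)
  uri = URI(url)
  req = Net::HTTP::Get.new(uri)
  req["Accept"] = "application/vnd.github+json"
  req["User-Agent"] = "tag-lookup-example" # constructed value
  req["Authorization"] = "Bearer #{token}" if token
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }
  [res.code.to_i, res.body.to_s]
end

# Fetch tag names for a public repo such as "Shopify/bootsnap".
# transport: is a hypothetical seam so the logic can be exercised offline.
def fetch_tags(repo, token, transport: method(:github_get))
  url = "https://api.github.com/repos/#{repo}/tags"
  status, body = transport.call(url, token)
  mode = token ? :authenticated : :anonymous

  # Drop the credential only for the org allow-list rejection. Any other
  # 403 (rate limit, revoked token, ...) is reported, not masked.
  if token && status == 403 && body.include?(ALLOW_LIST_MARKER)
    status, body = transport.call(url, nil)
    mode = :anonymous_fallback
  end

  raise "GET #{url} failed with HTTP #{status}" unless status == 200
  { mode: mode, tags: JSON.parse(body).map { |t| t["name"] } }
end
```

Log the returned `mode` in the Action output: unauthenticated requests to the GitHub REST API are limited to 60 per hour per source IP, so a run that falls back for many repos can hit that limit.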
