Never receive 403 Forbidden from Cloudflare again.
Requests from GitHub Actions runners to a Cloudflare-proxied host may be blocked by Cloudflare's Web Application Firewall (WAF) or Bot Fight Mode. This action automatically adds the public IP of the GitHub Action runner to Cloudflare's firewall IP Access rules.
- Automatically retrieves the public IP of the GitHub Action runner.
- Adds the runner's IP to Cloudflare's firewall access rules.
- Waits for the IP to appear in Cloudflare's access rules.
- Cleans up by removing the IP from Cloudflare's access rules after the job is complete.
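
The lifecycle in the list above (add, wait, use, remove), written out as an added Python example; it is not this action's own code. It assumes the Cloudflare v4 IP Access Rules endpoints, an IPv4 runner address, and a hypothetical `call(method, path, body)` transport; `FakeCloudflare` and its `rule-0001` id are constructed so the block runs offline.

```python
import ipaddress
import json
import time
import urllib.request
from contextlib import contextmanager

def http_transport(token):  # real transport; not exercised by the offline fake below
    def call(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            "https://api.cloudflare.com/client/v4" + path, data=data, method=method,
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return call

@contextmanager
def runner_ip_allowed(call, zone_id, ip, attempts=10, delay=1.0):
    """Allow one IPv4 address for the with-block, then always delete the rule."""
    ip = str(ipaddress.IPv4Address(ip))  # rejects ranges, hostnames and junk
    base = f"/zones/{zone_id}/firewall/access_rules/rules"
    rule_id = call("POST", base, {"mode": "whitelist", "notes": "temporary CI runner",
                   "configuration": {"target": "ip", "value": ip}})["result"]["id"]
    try:
        for _ in range(attempts):  # wait until the rule shows up in the listing
            listed = call("GET", f"{base}?configuration.value={ip}")["result"]
            if any(r["id"] == rule_id for r in listed):
                break
            time.sleep(delay)
        else:
            raise TimeoutError(f"rule {rule_id} never appeared")
        yield rule_id
    finally:
        call("DELETE", f"{base}/{rule_id}")  # runs on success, failure or timeout

class FakeCloudflare:
    """Constructed in-memory stand-in; a new rule is listed only after `lag` GETs."""
    def __init__(self, lag=2):
        self.rules, self.lag, self.log = {}, lag, []
    def __call__(self, method, path, body=None):
        self.log.append(method)
        if method == "GET":
            self.lag -= 1
            return {"result": [{"id": i} for i in self.rules] if self.lag <= 0 else []}
        if method == "POST":
            self.rules["rule-0001"] = body
            return {"result": {"id": "rule-0001"}}
        self.rules.pop(path.rsplit("/", 1)[-1], None)
        return {"result": {}}
```

Against the real API, pass `http_transport(token)` as `call`; because the delete sits in `finally`, a failed job or a rule that never appears still leaves no allow rule behind.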
Input | Description | Required |
---|---|---|
cf_zone_id | Cloudflare Zone ID | true |
cf_api_token | Cloudflare API Token | true |

Output | Description |
---|---|
rule_id | The ID of the created access rule |

To use this action, create a workflow in your repository's `.github/workflows` directory. Below is an example workflow file:

```yaml
name: Bypass Cloudflare for API Access
on: [push]
jobs:
  manage-ip-whitelist:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Bypass Cloudflare for GitHub Action
        uses: xiaotianxt/[email protected]
        with:
          cf_zone_id: ${{ secrets.CF_ZONE_ID }}
          cf_api_token: ${{ secrets.CF_API_TOKEN }}
      - name: Send request to Cloudflare-protected server
        run: curl https://example.com/api
```

This action requires a Cloudflare API Token, not the Global API Key. To create an API token:
- Log in to the Cloudflare dashboard.
- Go to "My Profile" > "API Tokens".
- Click "Create Token".
- Use the "Edit zone DNS" template or create a custom token with the following permissions:
  - Zone > Firewall Services > Edit
  - Zone > DNS > Edit (if needed)
- Set the token to access the specific zone you're working with.
- Create the token and save it securely.

Remember to add your Cloudflare Zone ID and the new API Token to your GitHub repository secrets as `CF_ZONE_ID` and `CF_API_TOKEN` respectively.