Allowed hosts for Github Action Summaries

[ch4rms]

Select Topic Area

Question

Body

With regards to https://github.blog/changelog/2023-01-31-github-actions-job-summary-updates/
And having to add the allowed hosts:

actions-results-receiver-production.githubapp.com
productionresultssa*.blob.core.windows.net

We have our own caching mechanisms in place to keep our data off the blob.core.windows.net domain, and therefore have it blocked.

Q: Is there a known set of productionresultssa*.blob.core.windows.net domains?

We can only wildcard allow domains at a subdomain level (*.blob.core.windows.net) and not as a wildcard in the middle of the host name.
Ideally the domains would be something like sa1.productionresults.blob.core.windows.net so that we could allow .productionresults.blob.core.windows.net, but I would settle for knowing the full set of domains if possible.

[jge162]

there is no publicly available list of all productionresultssa*.blob.core.windows.net domains. If you need to allow these domains for GitHub Actions, you may need to work with GitHub Support to find an alternative solution. Choose other.

[ch4rms]

Thanks, I will put in a ticket with support to see what the options are (or if there are any).

[Idan-Lazar]

Thanks, I will put in a ticket with support to see what the options are (or if there are any).
@ch4rms
Do you have any solution?

[JasonYeMSFT]

It's 2026 now and I think this missing capability deserves more attention. GitHub now has the thing called Agentic Workflow which shares a similar firewall configuration. Our experiments using Agentic Workflow with the built-in actions_get MCP tool indicates the tool can discover the productionresultssa*.blob.core.windows.net download url to get Action run artifacts and attempt to do so. Such attempts all get blocked by the default firewall rules.

We don't want to allow access to arbitrary storage accounts. This can lead to prompt injection attacks. Even if we have the ability to grant access to all productionresultssa*.blob.core.windows.net storage accounts, we also cannot trust all storage accounts with that name pattern. I just created a storage account named "productionresultssa9991", indicating not all such storage accounts are reserved by GitHub. We need a secure way to allow Agentic Workflow Actions to access GitHub Actions run artifacts.

[nickodell]

Q: Is there a known set of productionresultssa*.blob.core.windows.net domains?

Hello, this information can be fetched from the GitHub API.

The comment here explains how.

Specifically, the API https://api.github.com/meta can be used. Fetch this API, and get the domains.actions key. Here is a Python example.

import requests
data = requests.get('https://api.github.com/meta').json()
actions_domains = data['domains']['actions']
print("domains")
for domain in actions_domains:
    print(domain)

At the moment, this has the following output:

domains
*.actions.githubusercontent.com
productionresultssa0.blob.core.windows.net
productionresultssa1.blob.core.windows.net
productionresultssa2.blob.core.windows.net
productionresultssa3.blob.core.windows.net
productionresultssa4.blob.core.windows.net
productionresultssa5.blob.core.windows.net
productionresultssa6.blob.core.windows.net
productionresultssa7.blob.core.windows.net
productionresultssa8.blob.core.windows.net
productionresultssa9.blob.core.windows.net
productionresultssa10.blob.core.windows.net
productionresultssa11.blob.core.windows.net
productionresultssa12.blob.core.windows.net
productionresultssa13.blob.core.windows.net
productionresultssa14.blob.core.windows.net
productionresultssa15.blob.core.windows.net
productionresultssa16.blob.core.windows.net
productionresultssa17.blob.core.windows.net
productionresultssa18.blob.core.windows.net
productionresultssa19.blob.core.windows.net
mpsghub.actions.githubusercontent.com
pipelinesghubeus1.actions.githubusercontent.com
pipelinesghubeus10.actions.githubusercontent.com
pipelinesghubeus11.actions.githubusercontent.com
pipelinesghubeus12.actions.githubusercontent.com
pipelinesghubeus13.actions.githubusercontent.com
pipelinesghubeus14.actions.githubusercontent.com
pipelinesghubeus15.actions.githubusercontent.com
pipelinesghubeus2.actions.githubusercontent.com
pipelinesghubeus20.actions.githubusercontent.com
pipelinesghubeus21.actions.githubusercontent.com
pipelinesghubeus22.actions.githubusercontent.com
pipelinesghubeus23.actions.githubusercontent.com
pipelinesghubeus24.actions.githubusercontent.com
pipelinesghubeus25.actions.githubusercontent.com
pipelinesghubeus26.actions.githubusercontent.com
pipelinesghubeus3.actions.githubusercontent.com
pipelinesghubeus4.actions.githubusercontent.com
pipelinesghubeus5.actions.githubusercontent.com
pipelinesghubeus6.actions.githubusercontent.com
pipelinesghubeus7.actions.githubusercontent.com
pipelinesghubeus8.actions.githubusercontent.com
pipelinesghubeus9.actions.githubusercontent.com
pipelinesproxcnc1.actions.githubusercontent.com
pipelinesproxcus1.actions.githubusercontent.com
pipelinesproxeau1.actions.githubusercontent.com
pipelinesproxsdc1.actions.githubusercontent.com
pipelinesproxweu1.actions.githubusercontent.com
pipelinesproxwus31.actions.githubusercontent.com
runnerghubeus1.actions.githubusercontent.com
runnerghubeus20.actions.githubusercontent.com
runnerghubeus21.actions.githubusercontent.com
runnerghubwus31.actions.githubusercontent.com
runnerproxcnc1.actions.githubusercontent.com
runnerproxcus1.actions.githubusercontent.com
runnerproxeau1.actions.githubusercontent.com
runnerproxsdc1.actions.githubusercontent.com
runnerproxweu1.actions.githubusercontent.com
tokenghub.actions.githubusercontent.com

Apparently they are using productionresultssaX with X between 0 and 19.

Official docs here: https://docs.github.com/en/rest/meta/meta?apiVersion=2026-03-10#get-github-meta-information

cc: @JasonYeMSFT