Unable to configure Trusted Publishing for Github with IP Allow List enabled

[gz]

Current Behavior

When trying to configure Trusted Publishing for a crate that is in a repo which is behind a Github IP allow lists I get the following error on crates.io

• As a workaround, the IP whitelisting can be temporarily disabled to complete the setup step on crates.io but it's not ideal obviously (publishing afterwards works even with allowlists enabled)
• As a reference PyPi is able configure the same thing just fine while github IP allowlist is enabled
• I tried whitelisting the crates.io IPs that I got from dig but it didn't work (maybe you could publish the IP's you're using to do any verification in this step as part of your docs or set it directly in the github crates.io app because there is an option in github to accept advertised IP ranges from apps)

crates.io.		26	IN	A	18.239.199.51
crates.io.		26	IN	A	18.239.199.105
crates.io.		26	IN	A	18.239.199.106
crates.io.		26	IN	A	18.239.199.91

Expected Behavior

Expected behavior would be that I can configure this in crates.io without the error while IP allowlist is enabled

Steps To Reproduce

No response

Environment

• Browser:
• OS:

Anything else?

No response

[Turbo87]

As a reference PyPi is able configure the same thing just fine while github IP allowlist is enabled

I honestly have no idea why that is, because our implementation is doing almost the exact same thing as theirs. Are the PyPI IP addresses already whitelisted by your company?

I tried whitelisting the crates.io IPs that I got from dig but it didn't work

The IP addresses that you see there are our public IP endpoints from the CDN in front of our servers. The requests to GitHub would come from our actual server IP addresses though. Due to how we run our servers these IP addresses are not static though, so I don't know how to give you anything that you could put into such a whitelist. 🤔

[gz]

Are the PyPI IP addresses already whitelisted by your company?

No I didn't have to whitelist anything for PyPi

[Turbo87]

I've converted this issue to a feature request now since the feature itself is working as intended and support for IP whitelisting is an additional feature on top. Once this becomes actionable we can always convert it back to an issue.