IP allow list blocks authenticated non-member users from accessing public repository resources #191185
@knqyf263, This appears to be intended behavior under the current product rules, based on the docs, not an official GitHub statement. GitHub’s organization IP allow list docs say the policy covers public resources when the requester is signed in, and that the same public resources are not restricted when accessed anonymously. gh api is also documented as always making an authenticated request. So the 403 for authenticated non-members and 200 for anonymous curl is consistent with the current documented behavior. I’d also say the feature request is reasonable. Even if it’s intentional, it’s a poor outcome for public-read workflows like gh release verify. The better behavior would be to scope the restriction to org-affiliated identities or non-public resources, not to all authenticated reads of public repos.

Sources:
Discussion Type: Question
Question
When an organization enables an IP allow list, authenticated API requests to public repositories from users who are not members of the organization are blocked with HTTP 403, while the same requests succeed anonymously.
Is this the intended behavior?
Details
The documentation states that IP allow lists protect "public resources, when a user is signed into GitHub."
Does this mean any authenticated user worldwide — even those with no relationship to the organization — is blocked from accessing public resources if their IP address is not on the allow list?
This creates a situation where authenticating reduces access to public resources:
Impact
This affects a large number of users, since tools like the GitHub CLI (`gh`) automatically send authentication credentials. For example, `gh release verify` — GitHub's own command for verifying release integrity — fails against public repositories of organizations with IP allow lists enabled. As a result, one GitHub security feature (IP allow list) breaks another (release verification via immutable releases) for all external users.
Feature request
If this is the intended behavior, I would like to request that the IP allow list be scoped to organization members and collaborators only, rather than applying to all authenticated users. Blocking non-member users from accessing public resources provides no security benefit to the organization and has significant negative side effects for the broader community.
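A quick way to reproduce the asymmetry described in this post from a shell, as an added example that is not part of the discussion: it assumes curl, the GitHub REST API, and a token in GITHUB_TOKEN (the same token gh uses, which `gh auth token` prints), and compares the status code for an anonymous read of a public repository with the status code for the same read carrying the token.

```shell
#!/usr/bin/env sh
# Added example, not from the discussion: compare an anonymous read of a
# public repository endpoint with the same read sent with a token, to see
# whether authenticating turns a public 200 into a 403.
# Assumes curl is installed; GITHUB_TOKEN and the owner/repo argument are
# placeholders supplied by the person running the check.

api_status() {
    # Print only the HTTP status code for GET $1; $2 is an optional token.
    if [ -n "$2" ]; then
        curl -s -o /dev/null -w '%{http_code}' \
            -H "Authorization: Bearer $2" \
            -H "Accept: application/vnd.github+json" "$1"
    else
        curl -s -o /dev/null -w '%{http_code}' \
            -H "Accept: application/vnd.github+json" "$1"
    fi
}

interpret_codes() {
    # $1 = anonymous status, $2 = authenticated status
    case "$1/$2" in
        200/200) echo "ok: public read works with and without credentials" ;;
        200/403) echo "auth-restricted: anonymous read succeeds but the token is blocked" ;;
        403/403|404/404) echo "not public: blocked either way" ;;
        *) echo "unexpected: anonymous=$1 authenticated=$2" ;;
    esac
}

check_public_read() {
    # $1 = owner/repo, $2 = token. Uses the repository endpoint, which exists
    # for every public repo, so a 404 anonymously means the repo is not public.
    url="https://api.github.com/repos/$1"
    anon=$(api_status "$url")
    auth=$(api_status "$url" "$2")
    echo "anonymous=$anon authenticated=$auth"
    interpret_codes "$anon" "$auth"
}

# Usage: GITHUB_TOKEN=... sh check_public_read.sh owner/repo
if [ -n "$1" ]; then
    check_public_read "$1" "$GITHUB_TOKEN"
fi
```

A result of anonymous=200 authenticated=403 for a repository in an organization with an IP allow list is the situation the post describes: the public resource is readable, but any signed-in request from an address outside the allow list is refused.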