Webhook IP Allow-Listing
In addition to the webhook secret and signature check, Fenergo adds a second, network-level layer of protection: it only accepts webhook notifications that come from GitHub's own published IP addresses. Anything arriving from somewhere else is turned away before it ever reaches Fenergo's processing.
This is something Fenergo manages for you — there is nothing to configure on your side. This page explains what it does and why, so you know what to expect.
Why restrict by IP address
The webhook address is public, because GitHub needs to be able to reach it. To reduce the risk of unwanted traffic reaching that address, Fenergo follows GitHub's own recommendation and only allows notifications from the range of addresses GitHub uses to send webhooks. Requests from any other source are rejected immediately, without using any further processing.
This protects against things like automated scanners and probing attempts, by keeping them out at the very edge.
Two layers of protection
Automatic synchronization is protected by two independent layers that work together:
| Layer | What it checks | What it stops |
|---|---|---|
| Network | Is the request coming from one of GitHub's published addresses? | Traffic from any other source — it is rejected before reaching Fenergo. |
| Signature | Is the request correctly signed with your repository's webhook secret? | Any request that isn't genuinely from your repository. See Webhook Security. |
Neither layer on its own is enough, but together they give strong assurance that only genuine notifications from your GitHub repository are acted upon.
What this means for you
- Nothing to set up – Fenergo maintains the list of allowed GitHub addresses for you.
- Works with standard GitHub – if your webhook is configured normally in GitHub (see GitHub Setup), deliveries come from GitHub's own addresses and are allowed through.
- Be careful with intermediaries – if you route GitHub's traffic through a proxy or relay that changes where the request appears to come from, it may be blocked. Webhooks should be delivered directly from GitHub.
Keeping the list current
GitHub occasionally changes the addresses it sends webhooks from. Fenergo keeps its allowed list aligned with GitHub's published addresses so that legitimate deliveries continue to work. You don't need to track these changes yourself.
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| GitHub reports deliveries are being refused at the network level | The notification isn't arriving from a recognised GitHub address (for example, it's being relayed through another service) | Make sure the webhook is delivered directly from GitHub, not through a proxy that changes its source. |
| Deliveries that used to work suddenly stop | GitHub may have changed its addresses | Contact Fenergo support so the allowed list can be confirmed and refreshed. |
| Notifications are accepted at the network level but still rejected | The webhook secret doesn't match | See Webhook Security and re-copy the secret from Webhook Info. |
FAQ
Does this replace the webhook secret? No. It's an additional layer. The webhook secret and signature check remains the main way Fenergo confirms a notification is genuinely from your repository.
Do I need to add GitHub's addresses anywhere? No. Fenergo manages the allowed addresses for you.
What happens to requests that aren't from GitHub? They are rejected at the network edge and never reach Fenergo's webhook processing.