Never receive 403 Forbidden from Cloudflare again.
Inspired by xiaotianxt/bypass-cloudflare-for-github-action
Requests from GitHub Action servers to a Cloudflare proxied host may be blocked by Cloudflare's Web Application Firewall(WAF) or Super Bot Fight Mode . This action automatically adds the public IP of the GitHub Action runner to Cloudflare's firewall Custom rules or Lists
- Automatically retrieves the public IP of the GitHub Action runner.
- Adds the runner's IP to Cloudflare's firewall custom rules.
- Adds the runner's IP to Cloudflare's account list.
- Cleans up by removing the IP from Cloudflare's firewall custom rules after the job is complete.
- Cleans up by removing the IP from Cloudflare's account list after the job is complete.
| Input | Description | Required | Default |
|---|---|---|---|
mode |
single/list/github | false | github |
cf_zone_id |
Cloudflare Zone ID | true | / |
cf_api_token |
Cloudflare API Token | true | / |
cf_account_id |
Cloudflare Account ID | true | / |
github_api_token |
Github API Token | true | / |
single_rule_description |
Rule Description For Mode Single | false | Bypass Cloudflare for GitHub Action (Single) |
list_rule_description |
Rule Description For Mode List | false | Bypass Cloudflare for GitHub Action (List) |
list_name |
List name | false | github_actions_runners |
clean |
Caution: It will remove your zone ruleset rule and your list | false | false |
| Output | Description |
|---|---|
time |
Time when finished. |
To use this action, create a workflow in your repository's .github/workflows
directory. Below is an example workflow file:
name: Bypass Cloudflare for Github Action Pro
on: [push]
jobs:
bypass-cloudflare-for-github-action-pro:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4.2.1
- name: Bypass Cloudflare for Github Action Pro
uses: snowdreamtech/bypass-cloudflare-for-github-action@v0.0.3
with:
mode: 'github'
cf_account_id: ${{ secrets.CF_ACCOUNT_ID }}
cf_api_token: ${{ secrets.CF_API_TOKEN }}
cf_zone_id: ${{ secrets.CF_ZONE_ID }}
github_api_token: ${{ secrets.GITHUB_TOKEN }}
- name: Send request to Cloudflare-protected server
run: curl https://example.com/apiThis action requires a Cloudflare API Token, not the Global API Key. To create an API token:
- Log in to the Cloudflare dashboard.
- Go to "My Profile" > "API Tokens".
- Click "Create Token".
- Create a custom token with the following permissions:
- Account > Account Filter > Edit
- Zone > Zone WAF > Edit
- Zone > Zone Settings > Edit
- Zone > Zone > Edit
- Set the token to access the specific account you're working with.
- Set the token to access the specific zone you're working with.
- Create the token and save it securely.
Remember to add your Cloudflare Account ID, Cloudflare Zone ID and the new API
Token to your GitHub repository secrets as CF_ACCOUNT_ID, CF_ZONE_ID and
CF_API_TOKEN respectively.
At the start of each workflow job, GitHub automatically creates a unique
GITHUB_TOKEN secret to use in your workflow. You can use the GITHUB_TOKEN to
authenticate in the workflow job.
Before each job begins, GitHub fetches an installation access token for the job.
The GITHUB_TOKEN expires when a job finishes or after a maximum of 24 hours.
The global rate limit for the Cloudflare API is 1200 requests per five minute period per user, and applies cumulatively regardless of whether the request is made via the dashboard, API key, or API token.
If you exceed this limit, all API calls for the next five minutes will be blocked, receiving a HTTP 429 - Too Many Requests response.