[GitHub Actions](https://docs.github.com/en/actions) is a great modern tool to automate software development. It could also be a great companion to code-related Wikimedia projects, as it allows integrating GitHub repos and wiki pages containing program code more closely. Unfortunately, there is an obstacle in the way of using GitHub Actions on wikis: the fact that Wikimedia wikis block everything that doesn't look like an end user IP (open proxies, hosting providers, etc.). Naturally, GitHub Actions' IP ranges are also blocked.
I see two ways out:
# Ask for an IP block exemption right.
# Use Toolforge as a proxy for GitHub Actions. This proxy may use SSH, so any unauthorized use is excluded.
1 would require asking for an exemption on each wiki that has the IPs blocked locally (a global exemption doesn't overwrite that). Not very convenient for a person who seeks to automate. Also, not very necessary as the person's normal IP doesn't need an exemption, only one task he performs does.
2 seems perfect as it is a general solution that many tool creators could use. But there is a problem — https://wikitech.wikimedia.org/wiki/Wikitech:Cloud_Services_Terms_of_use currently states in "Prohibited Uses":
> 5. **Using Wikimedia Cloud Services as a network proxy**: Do not use Wikimedia Cloud Services servers or projects to proxy or relay traffic for other servers. Examples of such activities include running Tor nodes, peer-to-peer network services, or VPNs to other networks. In other words, all network connections must originate from or terminate at Wikimedia Cloud Services.
So, using Toolforge as a proxy for GitHub Actions technically violates this rule, despite the fact that the proxy can be used only by a repository collaborator who is generally the tool maintainer, and what they do is directly wiki-related. All the examples given (//"Tor nodes, peer-to-peer network services, or VPNs"//) seem irrelevant to the mentioned use case, but still //"all network connections must originate from or terminate at Wikimedia Cloud Services"// — the network connection originates at GitHub and terminates at a wiki. Perhaps a script on Toolforge could perform some additional tasks and not just pass a request from GitHub to a wiki through itself, but in essence it would still be a proxy.
Maybe the rules are not complete and/or I'm misinterpreting the rules, so I ask for an explanation and/or adjustments made to them.