Skip to content

fix: bot-serving monitor must target the Cloud Run origin (Cloudflare 403s runner IPs)#9619

Merged
MarkusNeusinger merged 1 commit into
mainfrom
fix/bot-monitor-origin
Jul 8, 2026
Merged

fix: bot-serving monitor must target the Cloud Run origin (Cloudflare 403s runner IPs)#9619
MarkusNeusinger merged 1 commit into
mainfrom
fix/bot-monitor-origin

Conversation

@MarkusNeusinger

Copy link
Copy Markdown
Owner

Summary

  • The first dispatched bot-serving-check.yml run failed with 403 on all four checks — including the human-UA control: Cloudflare's bot management blocks GitHub-runner (datacenter) IPs, and a UA-spoofed "Googlebot" only passes verified-bot checks when coming from real Google IPs. The monitor was structurally unable to run from Actions against the proxied domain.
  • Switch all checks to the Cloud Run origin (anyplot-app-…-ez.a.run.app) — exactly the layer that broke in the 2026-06/07 incident, so this is also the more precise probe. Cloudflare-edge issues are explicitly out of this monitor's reach (documented in the header comment).
  • Adds an llms.txt check (Googlebot UA must get the file, never a seo-proxy 404) — guards the exact-match nginx location from feat: spec-conformant llms.txt for AI agents #9618.

Verification

  • Dispatched run 28981172030 documented the failure mode (4× 403).
  • The updated script was dry-run against the live origin: 5/5 OK, exit 0.
  • After merge I will dispatch the workflow once — expected green.

Test plan

  • YAML valid; script dry-run against live origin passes 5/5
  • Post-merge workflow_dispatch run is green

The first dispatched run failed with 403 on all four checks including
the human-UA control: Cloudflare's bot management blocks GitHub-runner
(datacenter) IPs, and UA-spoofed Googlebot only passes verified-bot
checks from real Google IPs. The origin is exactly the layer that broke
in the 2026-06/07 incident, so checking it directly is also the more
precise probe. Adds an llms.txt check while here (must be served
directly, never proxied). Dry-run against the live origin: 5/5 OK.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings July 8, 2026 22:53

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes the structural limitation of the GitHub Actions “bot-serving” synthetic monitor by switching its probes from the Cloudflare-proxied domain (anyplot.ai) to the Cloud Run origin, avoiding Cloudflare bot-management 403s from GitHub-hosted runner IPs while still validating the exact serving layer implicated in the recent incident.

Changes:

  • Updated bot-serving-check.yml to target the Cloud Run origin for all UA checks and added an explicit /llms.txt probe.
  • Documented the rationale for origin-targeting (Cloudflare runner-IP blocking) directly in the workflow header comment.
  • Updated the changelog entry to reflect the new origin-based monitoring behavior and the added /llms.txt check.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
CHANGELOG.md Updates the [Unreleased] entry to reflect origin-targeted monitoring and the new llms.txt check.
.github/workflows/bot-serving-check.yml Switches curl targets to the Cloud Run origin and adds an /llms.txt validation check; documents why Cloudflare edge is out of scope.

@MarkusNeusinger MarkusNeusinger merged commit fe73285 into main Jul 8, 2026
8 checks passed
@MarkusNeusinger MarkusNeusinger deleted the fix/bot-monitor-origin branch July 8, 2026 22:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants