Problem/Motivation

Via @mxr576 in Slack:

Since Friday my builds on Drupal Dependency Quality Gate are failing due to HTTP 403 - I did not know that is a possible HTTP code on that endpoint.

Next RuntimeException: Failed to fetch project information for "3545283". Reason: "Client error: `GET https://updates.drupal.org/release-history/3545283/current` resulted in a `403 Forbidden` response:
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initia (truncated...)
". in /home/runner/work/ddqg/ddqg/src/Infrastructure/DrupalOrg/UpdateStatusApi/DrupalUpdateStatusApiUsingGuzzleRepository.php:173

https://github.com/mxr576/ddqg/actions/runs/22558994249/job/65341631459


Also reported to the security team from @arnested:

We monitor for security updates by fetching
https://updates.drupal.org/release-history/drupal/all from GitHub Actions.

Since February 28 we have been getting 403 errors when trying to get the URL in GitHub Actions (but not from other locations).

Have GitHub's IP addresses been put on a deny list or something?

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Comments

longwave created an issue. See original summary.

mxr576’s picture

Issue summary: View changes
mxr576’s picture

I have also managed to reproduce the HTTP 403 on my local. Now I am trying to get the complete HTTP response if that helps with further debugging.

xem8vfdh’s picture

Same here for all of my modules/packages. I'm getting 503s

eluchel’s picture

Same here for my modules/core. When I check for updates manually I will either fail to get update data for everything (503 errors), or only for a few of my modules.

Edit: it is fixed for me now

mxr576’s picture

403 is PerimeterX, just as I thought

https://github.com/mxr576/ddqg/actions/runs/22586865524/job/65434081489#...

Next RuntimeException: Failed to fetch project information for "3545283". Reason: "Client error: `GET https://updates.drupal.org/3545283/current` resulted in a `403 Forbidden` response:
{
    "Connection": [
        "keep-alive"
    ],
    "Content-Length": [
        "3293"
    ],
    "Server": [
        "Varnish"
    ],
    "Retry-After": [
        "0"
    ],
    "Content-Type": [
        "text\/html"
    ],
    "Access-Control-Allow-Origin": [
        "https:\/\/www.drupal.org"
    ],
    "Accept-Ranges": [
        "bytes"
    ],
    "Via": [
        "1.1 varnish, 1.1 varnish"
    ],
    "Set-Cookie": [
        "_pxhd=Sg\/PWXys0mrDxv8eWqL-jUTMZzmbJJGVOMTbITqhTUCDb3e7kP2FZpDrbGLhVC4YojyrbCs-tW2VQigeeMK70Q==:5NElVETh9MMYOLtAmgwYLZkxwf3AeEAJrpa-gKg486P6FZrHrBDCoE3BA2WO4iw2A3lc6pgCpP6zENLOEL9EbxcvyL9nEnWtZiM9eJNs2wU=; Expires=Tue, 02 Mar 2027 17:35:39 GMT; path=\/;"
    ],
    "Date": [
        "Mon, 02 Mar 2026 17:35:39 GMT"
    ],
    "X-Served-By": [
        "cache-bfi-kbfi7400112-BFI, cache-chi-kigq8000050-CHI"
    ],
    "X-Cache": [
        "MISS, MISS"
    ],
    "X-Cache-Hits": [
        "0, 0"
    ],
    "X-Timer": [
        "S1772472940.661018,VS0,VE90"
    ],
    "Permissions-Policy": [
        "interest-cohort=()"
    ]
}
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Access to this page has been denied.</title> <link href="https://fonts.googleapis.com/css?family=Open+Sans:300" rel="stylesheet"> <style> html, body { margin: 0; padding: 0; font-family: 'Open Sans', sans-serif; color: #000; } a { color: #c5c5c5; text-decoration: none; } .container { align-items: center; display: flex; flex: 1; justify-content: space-between; flex-direction: column; height: 100%; } .container > div { width: 100%; display: flex; justify-content: center; } .container > div > div { display: flex; width: 80%; } .customer-logo-wrapper { padding-top: 2rem; flex-grow: 0; background-color: #fff; visibility: visible; } .customer-logo { border-bottom: 1px solid #000; } .customer-logo > img { padding-bottom: 1rem; max-height: 50px; max-width: 100%; } .page-title-wrapper { flex-grow: 2; } .page-title { flex-direction: column-reverse; } .content-wrapper { flex-grow: 5; } .content { flex-direction: column; } .page-footer-wrapper { align-items: center; flex-grow: 0.2; background-color: #000; color: #c5c5c5; font-size: 70%; } @media (min-width: 768px) { html, body { height: 100%; } } </style> <!-- Custom CSS -->  </head> <body> <section class="container"> <div class="customer-logo-wrapper"> <div class="customer-logo"> <img src="https://www.drupal.org/files/drupal_logo-blue.png" alt="Logo"/> </div> </div> <div class="page-title-wrapper"> <div class="page-title"> <h1>Access to this page has been denied.</h1> </div> </div> <div class="content-wrapper"> <div class="content"> <div id="px-captcha"> </div> <p> You have been blocked because we believe you are using automation tools to browse the website. </p> <p> This may happen as a result of the following: </p> <ul> <li> Javascript is disabled or blocked by an extension (ad blockers for example) </li> <li> Your browser does not support cookies </li> </ul> <p>  If you think you have been blocked by mistake, please contact help@drupal.org with the reference ID below. </p> <p> Reference ID: #3af2c1bb-165e-11f1-a53b-92fb6787fb7c </p> </div> </div> <div class="page-footer-wrapper"> <div class="page-footer"> <p> Powered by <a href="https://www.perimeterx.com/whywasiblocked">PerimeterX</a> , Inc. </p> </div> </div> </section> <!-- Px --> <script> window._pxAppId = 'PXVnPBBfwe'; window._pxJsClientSrc = '/VnPBBfwe/init.js'; window._pxFirstPartyEnabled = true; window._pxVid = ''; window._pxUuid = '3af2c1bb-165e-11f1-a53b-92fb6787fb7c'; window._pxHostUrl = '/VnPBBfwe/xhr'; </script> <script> var s = document.createElement('script'); s.src = '/VnPBBfwe/captcha/captcha.js?a=c&u=3af2c1bb-165e-11f1-a53b-92fb6787fb7c&v=&m=0'; var p = document.getElementsByTagName('head')[0]; p.insertBefore(s, null); if (true ){s.onerror = function () {s = document.createElement('script'); var suffixIndex = '/VnPBBfwe/captcha/captcha.js?a=c&u=3af2c1bb-165e-11f1-a53b-92fb6787fb7c&v=&m=0'.indexOf('/captcha.js'); var temperedBlockScript = '/VnPBBfwe/captcha/captcha.js?a=c&u=3af2c1bb-165e-11f1-a53b-92fb6787fb7c&v=&m=0'.substring(suffixIndex); s.src = '//captcha.px-cdn.net/PXVnPBBfwe' + temperedBlockScript; p.parentNode.insertBefore(s, p);};}</script> <!-- Custom Script -->  </body> </html>
drumm’s picture

Assigned: Unassigned » drumm
Status: Active » Fixed

We spotted a couple misconfigurations that were causing this issue and should be resolved now.

I attempted to simplify part of the CDN configuration leftover from years ago. This resulted in some updates.drupal.org traffic actually being handled by the general *.drupal.org service. updates.drupal.org does not have PerimeterX set up at all, but if its routing via *.drupal.org’s configuration, that would add it.

We also spotted that another bot protection product had been enabled, that is now off again.

updates.drupal.org has a 99.99% cache hit rate, so the underlying issue was masked until people started pushing code to git.drupalcode.org on Monday. The request to https://updates.drupal.org/release-history/3545283/current also didn’t trigger any concern because numeric project names are sandboxes, that never have release history.

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

mxr576’s picture

Thanks, CDN related to be working, however, I must say the project behind https://updates.drupal.org/release-history/3545283/current seems like an interesting one, indeed, it has a numerical ID, but from its project page does not look like a sandbox project, and https://www.drupal.org/api-d7/node.json?nid=3545283 also returns field_project_type: true.

arnested’s picture

Thank you.

I can confirm our GitHub Actions are getting access again.

Kind regards
Arne

avpaderno’s picture

@mxr576 It is a full project, but it does not have releases. There is a branch, for which a tag has been created, but no releases.

mxr576’s picture

Agreed, my reaction was challenged this previous sentence:

The request to https://updates.drupal.org/release-history/3545283/current also didn’t trigger any concern because numeric project names are sandboxes,

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.