Exclude one endpoint from Zero Trust Application authentication

Hi everyone, I’m struggling to find this particular thing - I’d like to have an application hidden behind the Zero Trust application with some kind of authentication (e.g. GitHub) with one specific endpoint exposed publicly.

In my case, we’re hosting an internal tool for developers. The tool itself doesn’t provide any way of authentication but basic auth. I’ve managed to set up a Zero Trust application that in fact requires logging in with GitHub, but I can’t see a way to disable this challenge for one endpoint; in our case it’s /events, an endpoint for receiving GitHub Webhooks. I’ve read the docs and I found that we can use a Service Token to authenticate bots, but GitHub doesn’t provide any way to inject headers or cookies into webhook requests. Is there any way to exclude that endpoint?

I’ve figured it out - you can add a policy that will bypass the challenge for given IP ranges. I’ve added the IP ranges of the GitHub Webhooks service.
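
The bypass-by-IP policy described above, as an added example that is not part of the original post: it turns the `hooks` list from GitHub's `/meta` API response into the body of an Access policy with decision `bypass` and checks which source addresses would skip the login. The sample response, its CIDRs (documentation placeholders, not GitHub's real ranges), the policy name and the breadth guard are assumptions made for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape of GitHub's /meta response ("hooks" key).
# The CIDRs are documentation placeholders, not GitHub's real ranges.
SAMPLE_META = json.loads("""
{"hooks": ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:1::/48"],
 "web":   ["203.0.113.0/24"]}
""")


def hook_networks(meta):
    """Parse the webhook CIDRs, rejecting malformed or overly broad ones."""
    nets = []
    for cidr in meta["hooks"]:
        net = ipaddress.ip_network(cidr, strict=True)  # host bits must be zero
        # Assumed guard: a very wide range would turn the bypass into
        # "public for everyone", so refuse it instead of silently applying it.
        min_prefix = 16 if net.version == 4 else 32
        if net.prefixlen < min_prefix:
            raise ValueError(f"refusing overly broad range {cidr}")
        nets.append(net)
    return nets


def bypass_policy(meta, name="github-webhooks-bypass"):
    """Build the policy body: decision 'bypass', one IP rule per CIDR."""
    return {
        "name": name,  # hypothetical policy name
        "decision": "bypass",
        "include": [{"ip": {"ip": str(n)}} for n in hook_networks(meta)],
    }


def is_bypassed(source_ip, meta):
    """True if a request from source_ip would match the bypass rule."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in hook_networks(meta))


if __name__ == "__main__":
    print(json.dumps(bypass_policy(SAMPLE_META), indent=2))
    for ip in ("192.0.2.77", "198.51.100.200", "203.0.113.5", "2001:db8:1::9"):
        verdict = "bypass" if is_bypassed(ip, SAMPLE_META) else "login required"
        print(ip, "->", verdict)
```

Attaching the policy to an Access application scoped to the `/events` path keeps the GitHub login in force for the rest of the tool. The live range list comes from `https://api.github.com/meta` and should be refreshed when GitHub changes it.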