
GitHub Actions

To validate GitHub Actions ID tokens, add the GitHub issuer to the server's configuration.

config.yaml
issuers:
  github:
    issuer: https://token.actions.githubusercontent.com
    jwks_uri: https://token.actions.githubusercontent.com/.well-known/jwks

Export variables in a workflow

The GitHub Action ezoidc/actions/env can be used to export environment variables in a GitHub Actions workflow job.

.github/workflows/build.yml
jobs:
  build:
    permissions:
      id-token: write # required
    steps:
      - uses: ezoidc/actions/env@v1
        with:
          audience: https://test.ezoidc.dev
      - run: |
          echo $EZOIDC_WELCOME

Variables whose redact property is unset or set to true (redaction is the default) are masked in the GitHub Actions logs using the add-mask workflow command.

Claims

policy.rego
claims.sub = "repo:owner/repo:ref:refs/heads/main"
claims.environment = "prod"
claims.repository = "owner/repo"
claims.ref = "refs/heads/main"
claims.actor = "octocat"
claims.workflow = "example-workflow"
claims.actor_id = "12"
claims.repository_visibility = "private"
claims.repository_id = "74"
claims.repository_owner_id = "65"
claims.run_id = "example-run-id"
claims.run_number = "10"
claims.run_attempt = "2"
claims.runner_environment = "github-hosted"
claims.event_name = "workflow_dispatch"
claims.ref_type = "branch"
claims.job_workflow_ref = "octo-org/octo-automation/.github/workflows/oidc.yml@refs/heads/main"
claims.iss = "https://token.actions.githubusercontent.com"
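Added example, not code from ezoidc or from this page: a minimal claim-policy check in Python that applies the constraints a policy would typically place on the claims listed above (issuer, the workflow's audience, expiry, a pinned repository_id rather than the renameable repository name, the ref or environment, and consistency between sub and repository). The token payload is constructed for illustration, and signature verification against the JWKS configured above is assumed to have already happened.

```python
import time

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Constructed payload of a GitHub Actions ID token (claims listed above plus aud/exp);
# signature verification against the issuer's JWKS is assumed to have already happened.
SAMPLE_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "aud": "https://test.ezoidc.dev",
    "exp": 4102444800,  # 2100-01-01 UTC, chosen so the sample stays valid
    "sub": "repo:owner/repo:ref:refs/heads/main",
    "repository": "owner/repo",
    "repository_id": "74",
    "ref": "refs/heads/main",
    "environment": "prod",
}

def parse_sub(sub):
    """Split 'repo:<owner>/<name>:<kind>:<value>' into (owner/name, kind, value)."""
    parts = sub.split(":", 3)
    if len(parts) != 4 or parts[0] != "repo":
        raise ValueError(f"unexpected sub format: {sub!r}")
    return parts[1], parts[2], parts[3]

def deny_reasons(claims, *, audience, repository_id, ref=None, environment=None, now=None):
    """Return the policy violations for a verified token; an empty list means accept."""
    now = time.time() if now is None else now
    reasons = []
    if claims.get("iss") != GITHUB_ISSUER:
        reasons.append("issuer is not GitHub Actions")
    if claims.get("aud") != audience:  # must equal the workflow's `audience` input
        reasons.append("audience mismatch")
    if claims.get("exp", 0) <= now:
        reasons.append("token expired")
    # Pin the numeric id: a repository can be renamed or transferred, its id cannot.
    if claims.get("repository_id") != repository_id:
        reasons.append("repository_id mismatch")
    try:
        repo, _kind, _value = parse_sub(claims.get("sub", ""))
        if repo != claims.get("repository"):
            reasons.append("sub and repository claims disagree")
    except ValueError as exc:
        reasons.append(str(exc))
    if ref is not None and claims.get("ref") != ref:
        reasons.append("ref not allowed")
    if environment is not None and claims.get("environment") != environment:
        reasons.append("environment not allowed")
    return reasons
```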
