GitHub: Actions OpenID Connect (OIDC)

OpenID Connect (OIDC) lets a GitHub Actions workflow obtain a short-lived access token directly from a cloud provider. This removes the need for long-lived credentials stored as GitHub secrets or in an external key vault, and with it the burden of rotating those credentials and handling their expiry. GitHub documents the integration for AWS, Azure, Google Cloud and HashiCorp Vault; any provider that accepts OIDC tokens can be configured the same way.

An OIDC trust relationship is defined mainly by two claims in the token: the audience (aud) and the subject (sub). The audience identifies the party the token is intended for, normally the cloud provider's token-exchange endpoint (for example sts.amazonaws.com for AWS or api://AzureADTokenExchange for Azure). The issuer (iss) is always https://token.actions.githubusercontent.com and is what the provider is configured to trust. The subject describes the GitHub context the token was minted for: the repository and, depending on the trigger, the branch or tag ref, the pull request, or the deployment environment.

In an AWS IAM role trust policy the subject condition supports wildcards (*) through the StringLike operator, so partial matches are possible. For example, to let every repository in an organization assume the role, define the subject condition as

"Condition": {
  "StringLike": {
    "token.actions.githubusercontent.com:sub": "repo:{orgname}/*"
  }
}

To restrict the role to a particular repository in the organization, use

"repo:{orgname}/{reponame}:*"

Both patterns still match every branch, tag and pull request of the repositories they cover. For a role that can reach production, narrow the subject further, for example to repo:{orgname}/{reponame}:ref:refs/heads/main or repo:{orgname}/{reponame}:environment:{envname}, and always pair the subject condition with a StringEquals condition on token.actions.githubusercontent.com:aud so that a token minted for another audience cannot be exchanged for the role. Refer to the AWS OpenID Connect documentation for more details on configuring the provider and the trust policy.

Azure federated identity credentials compare the subject claim exactly; partial matching and wildcards are not supported, so the subject GitHub issues must be known in advance and must not change from run to run. To obtain a consistent subject claim for Azure, the subject template can be customized through the GitHub REST API at organization and repository level. I have published a new custom action to the GitHub Marketplace to address the need for a custom OIDC subject claim at organization and repository level.

The Actions Custom OIDC Claim action supports enforcing a custom OIDC subject claim at repository and organization level. It can also be used to revert to the default subject claim.
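The following is an added example, written for this page and not code from the article, from GitHub, AWS or Azure. It models the three points made above: how GitHub forms the default sub claim for the documented workflow contexts, how the StringEquals and StringLike conditions of an AWS trust policy are evaluated against the token's claims (so you can see that repo:{orgname}/* admits any branch of any repository while a ref- or environment-scoped subject does not), and why Azure's exact subject match makes a customized, stable subject useful. The account ID, organization and repository names are placeholders, every claim set is a constructed sample rather than a real token, and the rendering of a customized subject (each requested key becomes key:value, joined by colons) is an assumption modelled on the repo:ORG/REPO:environment:NAME shape GitHub documents.

```python
"""Added example (not the article's, GitHub's, AWS's or Azure's code).
Models GitHub Actions OIDC subject formation and the trust checks AWS and
Azure apply to it. Claims and policies are constructed samples."""
from fnmatch import fnmatchcase

ISSUER = "https://token.actions.githubusercontent.com"
CLAIM_PREFIX = "token.actions.githubusercontent.com"  # IAM condition-key prefix


def default_sub(claims: dict) -> str:
    """Default subject in the formats GitHub documents: environment-bound
    job, pull_request event, otherwise keyed on the git ref."""
    repo = claims["repository"]
    if claims.get("environment"):
        return f"repo:{repo}:environment:{claims['environment']}"
    if claims.get("event_name") == "pull_request":
        return f"repo:{repo}:pull_request"
    return f"repo:{repo}:ref:{claims['ref']}"


def custom_sub(include_claim_keys: list, claims: dict) -> str:
    """Subject after customization via GitHub's OIDC customization API.
    Assumed rendering: each key becomes `key:value`, joined by colons."""
    aliases = {"repo": "repository"}  # API key name -> token claim name
    return ":".join(f"{k}:{claims[aliases.get(k, k)]}" for k in include_claim_keys)


def sample_claims(repository, ref, event_name="push", environment=None,
                  aud="sts.amazonaws.com", include_claim_keys=None):
    """Constructed claim set. GitHub's default aud is the repo owner URL;
    aws-actions/configure-aws-credentials requests sts.amazonaws.com."""
    claims = {"iss": ISSUER, "aud": aud, "repository": repository,
              "repository_owner": repository.split("/")[0], "ref": ref,
              "event_name": event_name, "environment": environment}
    claims["sub"] = (custom_sub(include_claim_keys, claims) if include_claim_keys
                     else default_sub(claims))
    return claims


def _condition_matches(operator, expected, actual):
    # IAM StringLike is a case-sensitive glob with * and ?; StringEquals is exact.
    # fnmatchcase also honours [...] classes, which IAM does not; GitHub claim
    # values never contain brackets, so the difference does not matter here.
    if operator == "StringLike":
        return fnmatchcase(actual, expected)
    if operator == "StringEquals":
        return actual == expected
    raise ValueError(f"operator not modelled: {operator}")


def aws_trust_allows(trust_policy: dict, claims: dict) -> bool:
    """True if an Allow statement for sts:AssumeRoleWithWebIdentity has every
    condition satisfied. Keys are ANDed; a list of values for a key is ORed."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        satisfied = True
        for operator, keys in stmt.get("Condition", {}).items():
            for cond_key, expected in keys.items():
                claim_name = cond_key.split(":", 1)[1]  # "<prefix>:sub" -> "sub"
                values = expected if isinstance(expected, list) else [expected]
                actual = claims.get(claim_name, "")
                if not any(_condition_matches(operator, v, actual) for v in values):
                    satisfied = False
        if satisfied:
            return True
    return False


def azure_federated_allows(subject: str, claims: dict) -> bool:
    """Azure federated identity credential: issuer, audience and subject must
    match exactly; no wildcard or partial matching."""
    return (claims["iss"] == ISSUER
            and claims["aud"] == "api://AzureADTokenExchange"
            and claims["sub"] == subject)


def trust_policy(operator: str, subjects) -> dict:
    """AWS trust policy in the article's shape, plus the aud check it should carry."""
    condition = {"StringEquals": {f"{CLAIM_PREFIX}:aud": "sts.amazonaws.com"}}
    condition.setdefault(operator, {})[f"{CLAIM_PREFIX}:sub"] = subjects
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + CLAIM_PREFIX},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}


ORG_WIDE = trust_policy("StringLike", "repo:example-org/*")      # article's first pattern
ONE_REPO = trust_policy("StringLike", "repo:example-org/api:*")  # article's second pattern
MAIN_OR_PROD = trust_policy("StringEquals", [                    # branch/environment scoped
    "repo:example-org/api:ref:refs/heads/main",
    "repo:example-org/api:environment:prod"])

if __name__ == "__main__":
    feature = sample_claims("example-org/other", "refs/heads/feature-x")
    print("org-wide StringLike admits any branch of any org repo:", aws_trust_allows(ORG_WIDE, feature))
    print("branch/environment StringEquals rejects it:", aws_trust_allows(MAIN_OR_PROD, feature))
```

The Azure half shows the trade-off behind customizing the subject: with the default subject a federated credential bound to repo:example-org/api:ref:refs/heads/main admits only pushes to main, so each branch or environment needs its own credential, whereas customizing the template to just the repo (or, at organization level, the repository owner) yields one stable subject that covers every run, which is exactly as broad as the AWS wildcard and should be scoped with the same care.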

More articles by Ambily KK