Continuous delivery workflows in GitHub Actions can deploy software, create and update cloud infrastructure, and use other services in a cloud provider, like Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), or HashiCorp.
As a part of our effort to make GitHub Actions easier and more secure, we are announcing general availability of GitHub Actions support for OpenID Connect (OIDC). Now that Actions supports OIDC, you can take a more secure cloud deployment approach by configuring your workflow to request a short-lived access token directly from the cloud provider. Many providers support OIDC, including AWS, Azure, GCP, and HashiCorp Vault.
Without OIDC, you would need to store a credential or token as an encrypted secret in GitHub and present that secret to the cloud provider every time the workflow runs. The new OIDC support gives you a clear separation between the configuration that you need to manage in GitHub and the permissions that you need to manage in the cloud portal, making cloud deployments simpler to set up and more secure.
No long-lived cloud secrets: You won’t need to add long-lived cloud credentials as GitHub secrets and worry about token expiry and rotating them. Instead, you can configure the OIDC trust on your cloud provider, and then update your workflows to request a short-lived access token from the cloud provider through OIDC.
Authentication and authorization management: You have more granular control over which workflows can access cloud resources by using your cloud provider’s authentication (authN) and authorization (authZ) tools.
Rotating credentials: With OIDC, your cloud provider issues a short-lived access token that is only valid for a single workflow job, and then automatically expires.
To make it easy to use OIDC to deploy, we have worked with popular cloud partners, like AWS, Azure, GCP, and HashiCorp, to add OIDC support to their official login actions. Learn more about how you can secure your cloud deployments by using OIDC. Additionally, check out our GitHub Universe talk on OpenID Connect (OIDC) support in GitHub.
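As an added illustration (not part of the original announcement), the workflow below contrasts a job that authenticates to AWS with long-lived keys stored as GitHub secrets against one that requests a short-lived token through OIDC using AWS's official login action. The role ARN, account ID, region, and job names are placeholders, and the IAM role is assumed to already trust GitHub's OIDC provider.

```yaml
# Added example: not from the original post. The role ARN, account ID,
# region, and job names are placeholders.
name: deploy
on:
  push:
    branches: [main]

jobs:
  # Before: long-lived AWS keys live in GitHub as encrypted secrets and
  # must be rotated by hand. Anyone who obtains them can use them until
  # they are revoked.
  deploy-with-stored-secret:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
      - run: aws sts get-caller-identity

  # After: no cloud secret is stored in GitHub. The job asks GitHub for
  # an OIDC token, and AWS exchanges it for credentials that expire on
  # their own.
  deploy-with-oidc:
    runs-on: ubuntu-latest
    # Scope the token permissions to this job only. id-token: write lets
    # the job request the OIDC token; it grants no write access to the
    # repository.
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          # Placeholder role; its trust policy on the AWS side decides
          # which repositories and branches may assume it.
          role-to-assume: arn:aws:iam::123456789012:role/EXAMPLE-deploy-role
          aws-region: us-east-1
      # Confirms which identity the job ended up with.
      - run: aws sts get-caller-identity
```

Once the OIDC job works, delete the stored access keys from the repository's secrets and deactivate them in the cloud account so the old path can no longer be used.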