GitHub Actions: OpenID Connect token now supports more claims for configuring granular cloud access

OpenID Connect (OIDC) support in GitHub Actions enables secure cloud deployments using short-lived tokens that are automatically rotated for each deployment.
Each OIDC token includes standard claims like the audience, issuer and subject, plus many custom claims that uniquely identify the workflow job that generated the token. These claims can be used to define fine-grained trust policies that control access to specific cloud roles and resources.

  • We now support more custom claims within the token (actor_id, repository_id, repository_owner_id, workflow_ref, workflow_sha and job_workflow_sha) to help uniquely verify the source of a workflow job, even if the job references a reusable workflow.
  • We are also adding these new attributes as default environment variables and to the github context.

These changes enable developers to define more advanced access policies using OpenID Connect and to perform more secure cloud deployments at scale with GitHub Actions.
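A sketch of how a relying party could pin the new claims in a trust policy, as an added example that is not GitHub's code. The policy values, sample claims, audience URL and the `check_claims` helper are all constructed for illustration, and the token signature is assumed to have been verified already. Matching on `repository_id` and `repository_owner_id` rather than names means a repository recreated under the same name does not inherit access.

```python
import time

ISSUER = "https://token.actions.githubusercontent.com"  # GitHub Actions OIDC issuer

# Hypothetical trust policy for one cloud role; every value here is constructed.
POLICY = {
    "aud": "https://cloud.example.test",
    "repository_owner_id": "1001",
    "repository_id": "2002",
    "workflow_ref": "example-org/app/.github/workflows/deploy.yml@refs/heads/main",
    "job_workflow_sha": "a" * 40,  # commit of the reusable workflow the job calls
}
PINNED = ("repository_owner_id", "repository_id", "workflow_ref", "job_workflow_sha")

# Constructed claims as they would look after decoding a verified token.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": "https://cloud.example.test",
    "exp": 2000000000,
    "repository": "example-org/app",
    "repository_owner_id": "1001",
    "repository_id": "2002",
    "workflow_ref": "example-org/app/.github/workflows/deploy.yml@refs/heads/main",
    "job_workflow_sha": "a" * 40,
}


def check_claims(claims, policy=POLICY, now=None):
    """Return the names of claims that violate the policy (empty list = allow).

    Assumes the token signature was already verified against the issuer's keys.
    """
    now = time.time() if now is None else now
    failed = []
    if claims.get("iss") != ISSUER:
        failed.append("iss")
    aud = claims.get("aud")
    if policy["aud"] not in (aud if isinstance(aud, list) else [aud]):
        failed.append("aud")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        failed.append("exp")
    # Exact match on every pinned claim; a missing claim fails, it is never a wildcard.
    for name in PINNED:
        if claims.get(name) != policy[name]:
            failed.append(name)
    return failed
```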

Learn more about Security hardening your GitHub Workflows using OpenID Connect.

The GitHub Packages RubyGems registry now runs on a new architecture, unlocking great new capabilities:

Publishing packages at organization level with GitHub Packages

Previously, RubyGems packages published to GitHub Packages were closely coupled to their repositories. Now packages can be published at an organization level. They can still be linked to a repository at any time, if needed.

Learn more about connecting a repository to a package.

Fine-grained permissions for RubyGems packages published to GitHub Packages

You can now configure Actions and Codespaces repository access on the package's settings page, or invite other users to access the package. Additionally, RubyGems packages published to GitHub Packages can still be configured to automatically inherit all permissions from a linked repository.

Learn more about configuring a package's access control.

Internal visibility

In addition to public and private, a package's visibility can now also be set to internal. It is then visible to all members of the GitHub organization.


These new features are now available to all users on github.com.

Read more about working with the GitHub RubyGems registry

We appreciate your feedback on these new changes in GitHub's public community discussions!


GitHub Enterprise Cloud admins can now display critical announcements to members of their enterprise or specific organizations. GitHub Enterprise Server already has this capability.

With this enhancement, Enterprise Cloud admins can display a critical message on all pages of their enterprise or in specific organizations. For example, you could announce a release cutoff date or an upcoming permission change. Announcements are displayed at the top of each page, as shown here:

An image showing how an announcement message appears on GitHub

To publish an announcement, you must be an enterprise owner or organization owner. Open your enterprise or organization settings and select Announcement. Enter your announcement message, an optional expiration when the announcement should be automatically unpublished, and select whether to allow users to dismiss the announcement when they see it. Click Publish announcement to publish it.

An image showing configuration of an announcement

For the best user experience, we recommend publishing only critical announcements and keeping the message brief to occupy less display space on each page. Link the message to a discussion for more context, guidance, and optional conversation. For non-critical messages or extended announcements, use a discussion instead.

For more details, see Customizing user messages for your enterprise in the GitHub Enterprise Cloud documentation.
