OpenID Connect (OIDC) support in GitHub Actions enables secure cloud deployments using short-lived tokens that are automatically rotated for each deployment.
Each OIDC token includes standard claims like the audience, issuer, subject and many more custom claims that uniquely define the workflow job that generated the token. These claims can be used to define fine grained trust policies to control the access to specific cloud roles and resources.
- We now support more custom claims within the token :
job_workflow_sha– to help uniquely verify the source of a workflow job, even if the job references a reusable workflow.
- We are also adding these new attributes as default environment variables and also to github context
These changes enable developers to define more advanced access policies using OpenID connect and do more secure cloud deployments at scale with GitHub Actions.
Learn more about Security hardening your GitHub Workflows using OpenID Connect.