GitHub Actions – Update on OIDC integration with AWS

We have received customers reporting errors with Actions’ OIDC integration with AWS.
This happens for customers who are pinned to a single intermediary thumbprint from the Certificate Authority (CA) of the Actions SSL certificate.

There are two possible intermediary certificates for the Actions SSL certificate and either can be returned by our servers, requiring customers to trust both. This is a known behavior when the intermediary certificates are cross-signed by the CA.

Customers experiencing issues authenticating via OIDC with AWS should configure both thumbprints to be trusted in the AWS portal.
The two known intermediary thumbprints at this time are:

  • 6938fd4d98bab03faadb97b34396831e3780aea1
  • 1c58a3a8518e8759bf075b76b750d4f2df264fcd

Learn more about using OIDC with GitHub Actions.

Repository Rules public beta updates

We are introducing a number of enhancements, bug fixes and a breaking API change to repository rules.

1. UI Updates
* Added a repository picker to target select repositories for organization rulesets.
* Improvements to rule violations in the WebUI and git client.

2. Ruleset Bypass updates

  • Bypass can be limited to pull request exemptions only.
  • Single UI for bypass, collapsing bypass mode, and bypass list into one experience.
  • Support for using repository roles as a bypass type
  • Integrations (bots/apps) are now bypassable at the org.

3. API Enhancements

  • Add fields for created and updated date
  • Permission changes so all repo contributors can query the API for relevant rules enforced on branches.

4. Bug fixes

  • Linear merge history could block bypass
  • Branches could not always be created when using commit metadata rules
  • Tag protections were failing for apps

5. API Changes

  • GraphQL changes will be delayed by 24-72 hours.
  • Breaking Change Remove bypass_mode from the Ruleset object and input
  • Breaking Change Add bypass_mode as a required field for bypass actors to indicate if an actor can “always” bypass a ruleset or can only bypass for a “pull_request”
  • Breaking Change for GraphQL Change bypass_actor_ids to a new bypass_actors object on the create and update mutations that can accept repository roles and organization admins
  • Add repository_role_database_id, repository_role_name, and organization_admin fields to RepositoryRulesetBypassActor to indicate when the bypass actor is a role or org admin bypass
  • “get rules for a branch” REST API endpoint now returns ruleset source info for each rule.
  • “get a repo ruleset” REST API endpoint now has a current_user_can_bypass field that indicates whether the user making the request can bypass the ruleset.
  • source field for rulesets returned via the REST API will now properly contain the repo in owner/name syntax when the ruleset is configured on a repository, rather than just the repository’s name.

We want to hear from you on how we can improve repository rules! Join the conversation in the repository rules public beta discussion.

See more
View all changes