We have received customers reporting errors with Actions’ OIDC integration with AWS.
This happens for customers who are pinned to a single intermediary thumbprint from the Certificate Authority (CA) of the Actions SSL certificate.
There are two possible intermediary certificates for the Actions SSL certificate and either can be returned by our servers, requiring customers to trust both. This is a known behavior when the intermediary certificates are cross-signed by the CA.
Customers experiencing issues authenticating via OIDC with AWS should configure both thumbprints to be trusted in the AWS portal.
The two known intermediary thumbprints at this time are:
Learn more about using OIDC with GitHub Actions.