GitHub Actions OIDC Token
Service Name: GitHub Actions
Service Description: GitHub Actions is a continuous integration and continuous delivery (CI/CD) platform that allows you to automate your build, test, and deployment pipeline directly from GitHub. It enables workflows to be triggered by various GitHub events and provides secure token-based authentication to cloud services.
Service Address: https://github.com/features/actions
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the organization or repository level through GitHub's IP allow list feature, but not directly on the OIDC token itself.
Secret Access Scope: Grants temporary, federated access to cloud resources (AWS, Azure, GCP) from GitHub Actions workflows without storing long-lived credentials.
Secret Revokement URL: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#revoking-access-to-the-cloud
Secret Example: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1dCI6IkpIWFhGMGpITXJ5eUZDWDdVOFRUSE1rY090cyJ9.eyJqdGkiOiJkOTg0YWE1My0xYzQxLTQ4N2ItOGI5Ni0wNjBmMTI1MmJjZjgiLCJzdWIiOiJyZXBvOnVzZXIvb3JnL3JlcG86cmVmOnJlZnMvaGVhZHMvbWFpbiIsImF1ZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS91c2VyL29yZy9yZXBvIiwiaXNzIjoiaHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbSIsIm5iZiI6MTY0MzIyNzAyMCwiZXhwIjoxNjQzMjI3OTIwLCJpYXQiOjE2NDMyMjcwMjB9.signature
Suspicious Activity Investigation Instructions:
- Review GitHub Actions workflow run logs for unauthorized or unexpected workflow executions.
- Check cloud provider audit logs for resource access using OIDC federation.
- Verify the claims in the OIDC token match expected repository, workflow, and branch patterns
- Examine the audience claim to ensure it matches your configured trust policy.
- Monitor for unusual access patterns or access from unexpected workflows.
Mitigation Instructions:
- Update trust policies in your cloud provider to restrict which repositories, branches, or environments can access resources.
- Add more specific conditions to your cloud provider's trust configuration (e.g., require specific repository, environment, or ref patterns).
- Implement stricter subject filters in your OIDC trust configuration.
- Rotate any compromised cloud resources or permissions.
- Consider implementing branch protection rules to prevent unauthorized code changes that could exploit OIDC tokens.
- Enable required reviewers for workflow files to prevent malicious modifications.