Skip to content

GitHub Actions OIDC Token

Service Name: GitHub Actions

Service Description: GitHub Actions is a continuous integration and continuous delivery (CI/CD) platform that allows you to automate your build, test, and deployment pipeline directly from GitHub. It enables workflows to be triggered by various GitHub events and provides secure token-based authentication to cloud services.

Service Address: https://github.com/features/actions

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the organization or repository level through GitHub's IP allow list feature, but not directly on the OIDC token itself.

Secret Access Scope: Grants temporary, federated access to cloud resources (AWS, Azure, GCP) from GitHub Actions workflows without storing long-lived credentials.

Secret Revokement URL: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#revoking-access-to-the-cloud

Secret Example: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1dCI6IkpIWFhGMGpITXJ5eUZDWDdVOFRUSE1rY090cyJ9.eyJqdGkiOiJkOTg0YWE1My0xYzQxLTQ4N2ItOGI5Ni0wNjBmMTI1MmJjZjgiLCJzdWIiOiJyZXBvOnVzZXIvb3JnL3JlcG86cmVmOnJlZnMvaGVhZHMvbWFpbiIsImF1ZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS91c2VyL29yZy9yZXBvIiwiaXNzIjoiaHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbSIsIm5iZiI6MTY0MzIyNzAyMCwiZXhwIjoxNjQzMjI3OTIwLCJpYXQiOjE2NDMyMjcwMjB9.signature

Suspicious Activity Investigation Instructions:

  • Review GitHub Actions workflow run logs for unauthorized or unexpected workflow executions.
  • Check cloud provider audit logs for resource access using OIDC federation.
  • Verify the claims in the OIDC token match expected repository, workflow, and branch patterns
  • Examine the audience claim to ensure it matches your configured trust policy.
  • Monitor for unusual access patterns or access from unexpected workflows.

Mitigation Instructions:

  • Update trust policies in your cloud provider to restrict which repositories, branches, or environments can access resources.
  • Add more specific conditions to your cloud provider's trust configuration (e.g., require specific repository, environment, or ref patterns).
  • Implement stricter subject filters in your OIDC trust configuration.
  • Rotate any compromised cloud resources or permissions.
  • Consider implementing branch protection rules to prevent unauthorized code changes that could exploit OIDC tokens.
  • Enable required reviewers for workflow files to prevent malicious modifications.