Configuring Permissions in the Workflow YAML

JFrog Platform Administration Documentation

To update your GitHub Actions workflows for OIDC, you will need to add permissions settings for the token.

A GitHub Actions job or workflow run requires a permissions setting with id-token: write to allow an OIDC provider to create a JSON Web Token for every run. You cannot request the OIDC JWT ID token unless the id-token permission is set to write.

This setting lets the workflow fetch and set the OIDC token for an action or step, so that it can authenticate with a short-lived access token. The actual trust setting is defined using OIDC claims. For more information about how to define these claims, see "About security hardening with OpenID Connect."

The id-token: write setting allows the JWT to be requested from GitHub's OIDC provider.

Add the following code to your GitHub Actions workflow YAML:

permissions:
  id-token: write # This is required for requesting the JWT
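
The workflow below is an added example, not taken from the JFrog documentation. It grants id-token: write to a single job, then requests the JWT and prints the claims that a trust setting would match on. The workflow name, job name and audience value are placeholders, and the step assumes a GitHub-hosted Ubuntu runner with curl, jq and python3.

```yaml
# Added example; names and the audience value are placeholders.
name: oidc-permissions-check
on: workflow_dispatch

# Start from no token scopes at workflow level and grant them per job.
permissions: {}

jobs:
  show-oidc-claims:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # required for requesting the JWT
      contents: read    # scopes not listed here become "none"; checkout needs this
    steps:
      - uses: actions/checkout@v4

      - name: Request the OIDC token and print its claims
        env:
          AUDIENCE: example-audience   # placeholder
        run: |
          set -euo pipefail
          # The request URL and request token are only injected into the job
          # when id-token is set to write.
          if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]; then
            echo "::error::id-token: write is not granted to this job"
            exit 1
          fi
          jwt=$(curl -sSf \
            -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=${AUDIENCE}" | jq -r '.value')
          # Mask the token in logs; only selected claims are printed below.
          echo "::add-mask::${jwt}"
          printf '%s' "$jwt" | python3 -c '
          import sys, json, base64
          payload = sys.stdin.read().split(".")[1]
          payload += "=" * (-len(payload) % 4)   # restore base64url padding
          claims = json.loads(base64.urlsafe_b64decode(payload))
          print(json.dumps({k: claims.get(k) for k in ("iss", "aud", "sub")}, indent=2))
          '
```

Setting permissions at the job level keeps the ability to request the JWT away from other jobs in the same workflow.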