To update your GitHub Actions workflows for OIDC, you will need to add a permissions setting for the token.
A GitHub Actions job or workflow run requires a permissions setting with id-token: write to allow the OIDC provider to create a JSON Web Token for every run. You will not be permitted to request the OIDC JWT ID token if the permission for id-token is not set to write.
This setting enables the workflow to fetch and set the OIDC token for an action or step to enable authenticating with a short-lived access token. The actual trust setting is defined using OIDC claims. For more information about how to define these claims, see "About security hardening with OpenID Connect."
The id-token: write setting allows the JWT to be requested from GitHub's OIDC provider.
Add the following code to your GitHub Actions workflow YAML:

    permissions:
      id-token: write # This is required for requesting the JWT
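As an added example (not from the original page), here is a complete workflow that applies the setting above at the job level and then requests the token from GitHub's OIDC provider. Note that declaring any permissions key resets every unlisted scope to none, so contents: read is listed explicitly alongside id-token: write to keep the job on a least-privilege footing; the audience value api://AzureADTokenExchange and the step names are assumptions chosen for illustration.

```yaml
# Added example workflow: request an OIDC ID token with least-privilege permissions.
name: oidc-example
on:
  push:
    branches: [main]

jobs:
  fetch-oidc-token:
    runs-on: ubuntu-latest
    # Job-level permissions: only what this job needs.
    # Any scope not listed here is set to none.
    permissions:
      id-token: write   # required to request the OIDC JWT
      contents: read    # needed only to check out the repository
    steps:
      - uses: actions/checkout@v4

      # The runner exposes ACTIONS_ID_TOKEN_REQUEST_URL and
      # ACTIONS_ID_TOKEN_REQUEST_TOKEN only when id-token: write is granted.
      # The audience value is an assumption for this example; use the value
      # your cloud provider's trust policy expects.
      - name: Request OIDC token and inspect its claims
        run: |
          set -euo pipefail
          resp=$(curl -sS \
            -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=api://AzureADTokenExchange")
          jwt=$(printf '%s' "$resp" | jq -r '.value')
          # Decode the payload (second JWT segment) to show the claims a cloud
          # provider's trust policy evaluates (sub, aud, repository, ref, ...).
          # Never print the full token: it is a bearer credential.
          payload=$(printf '%s' "$jwt" | cut -d. -f2 | tr '_-' '/+')
          pad=$(( (4 - ${#payload} % 4) % 4 ))
          printf '%s%s' "$payload" "$(printf '=%.0s' $(seq 1 $pad))" \
            | base64 -d | jq '{sub, aud, repository, ref}'
```

The decoded claims are what you bind to in the cloud provider's trust policy (for example restricting sub to a specific repository and branch); a workflow that omits id-token: write will fail at the curl step because the request variables are not populated.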