useGrant

Trust relations with GitHub Actions

Guide to adding GitHub Actions to the tenant as a trusted identity provider

Adding a trust relationship for GitHub Actions

To add a trust relationship for GitHub Actions, you can go through the following steps:

  • Create a new tenant or use an existing one
  • Click Add identity provider
  • Use https://token.actions.githubusercontent.com as the provider URL
  • Click Fetch fingerprint to fetch the fingerprint of the provider
  • Set the audience that is used to generate the token
  • Set the subject to repo:octo-org/octo-repo:ref:refs/heads/octo-branch. Replace the values with the actual repository details.
  • Click Add identity provider

You can also use * as a wildcard in the subject, which is then matched with the stringLike operator, to allow any branch, pull request merge branch, or environment from octo-org/octo-repo. For example, repo:octo-org/octo-repo:*.

Also, ensure your workflow sets the id-token: write permission so that GitHub's OIDC provider can create a JSON Web Token for every run.

Note

By default, the audience is the URL of the repository owner, such as the organization that owns the repository. You can set a custom audience with a toolkit command: core.getIDToken(audience).

Refer to GitHub's security hardening with OpenID Connect for how claims are generated.
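The checks the trust relationship above implies on the receiving side, as an added example (not useGrant's own code): issuer, audience, expiry, and a stringLike subject match with the * wildcard. It assumes the token's signature has already been verified against the provider's published keys; the claim values below are constructed.

```javascript
const GITHUB_ISSUER = 'https://token.actions.githubusercontent.com';

// stringLike matcher: '*' matches any run of characters, every other
// character is literal (regex metacharacters are escaped first).
function stringLike(pattern) {
  const escaped = pattern
    .split('*')
    .map((part) => part.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  const re = new RegExp(`^${escaped}$`);
  return (value) => typeof value === 'string' && re.test(value);
}

// Returns null when the claims satisfy the trust relationship, otherwise
// a short reason string. Signature verification is assumed to have happened
// before this function is called.
function checkTrust(claims, trust, now = Math.floor(Date.now() / 1000)) {
  if (claims.iss !== trust.issuer) return 'issuer mismatch';
  // aud may be a single string or an array (RFC 7519)
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!audiences.includes(trust.audience)) return 'audience mismatch';
  if (!stringLike(trust.subject)(claims.sub)) return 'subject mismatch';
  if (typeof claims.exp !== 'number' || claims.exp <= now) return 'token expired';
  return null;
}

// Trust relationship as configured in the steps above (constructed values).
const trust = {
  issuer: GITHUB_ISSUER,
  audience: 'https://api.example.com',
  subject: 'repo:octo-org/octo-repo:*',
};

// Constructed claims shaped like those GitHub issues for a push to a branch.
const sampleClaims = {
  iss: GITHUB_ISSUER,
  aud: 'https://api.example.com',
  sub: 'repo:octo-org/octo-repo:ref:refs/heads/main',
  exp: Math.floor(Date.now() / 1000) + 300,
};

console.log(checkTrust(sampleClaims, trust)); // null: token is accepted
```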

How to generate an ID token in GitHub Actions

You can generate an ID token inside a workflow using the actions/toolkit package.

name: Generate ID token

# A workflow needs a trigger; workflow_dispatch lets you run it manually.
on:
  workflow_dispatch:

permissions:
  id-token: write

jobs:
  generate-id-token:
    runs-on: ubuntu-latest
    steps:
      - name: Generate ID token
        uses: actions/github-script@v7
        with:
          result-encoding: string
          script: |
            // core is available globally inside github-script
            const idToken = await core.getIDToken();
            // getIDToken registers the token as a secret, so it is masked in the job log
            console.log(idToken);

To get an ID token with a custom audience, pass the audience as an argument to the core.getIDToken function. The audience must match the one configured in the trust relationship.

import * as core from '@actions/core';

// Request a token whose aud claim is the custom audience configured for the tenant
const idToken = await core.getIDToken('https://api.example.com');
console.log(idToken);

Refer to the core package for more details.
