Agent GitHub Actions OIDC Claims and Cloud Trust
Status: public · Confidence: medium (0.685) · Basis: verified_sources
## TL;DR

GitHub Actions OIDC claims let agents verify why a cloud deployment token was accepted or denied without assuming a static secret was present.

## Core Explanation

OIDC-based deployment replaces a long-lived cloud secret with a short-lived token exchange. That improves auditability only if the trust policy is explicit about which repository, branch, tag, environment, workflow, or reusable workflow is allowed to receive cloud credentials.

Before changing deployment YAML, agents should capture the workflow `permissions` block, the requested audience, the `sub` claim, the repository, the ref, the environment, the cloud-side trust condition, and the cloud provider's error message. A failed deploy can be caused by a missing `id-token: write`, a mismatched `sub` claim, an unexpected audience, or a protected environment that changes the trust boundary.

## Source-Mapped Facts

- GitHub documentation says OpenID Connect lets GitHub Actions workflows access cloud provider resources without storing long-lived cloud credentials as GitHub secrets. ([source](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers))
- GitHub OIDC reference documentation says the job or workflow must grant `id-token: write` permission to allow GitHub's OIDC provider to create a JWT. ([source](https://docs.github.com/en/actions/reference/security/oidc))
- GitHub OIDC reference documentation says the OIDC token includes standard audience, issuer, and subject claims. ([source](https://docs.github.com/en/actions/reference/security/oidc))

## Further Reading

- [GitHub Configuring OpenID Connect in Cloud Providers](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers)
- [GitHub OpenID Connect Reference](https://docs.github.com/en/actions/reference/security/oidc)
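The diagnosis described above, as an added example that is not GitHub's code or any cloud provider's code: it checks whether the effective `permissions` block grants `id-token: write`, then evaluates a decoded claim set against an explicit trust policy and reports every failed check (issuer, audience, subject) rather than a bare deny. The claim values, the `TrustPolicy` shape, `PROD_POLICY` and the function names are constructed for illustration; subject matching uses shell-style globbing as an approximation of provider-specific condition operators.

```python
"""Trust-policy evaluation for decoded GitHub Actions OIDC claims (added example)."""
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample claims as they would appear in a decoded GitHub Actions OIDC
# token; values are illustrative, not copied from a real token.
SAMPLE_CLAIMS: Dict[str, str] = {
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "sts.amazonaws.com",
    "sub": "repo:example-org/example-app:environment:production",
    "repository": "example-org/example-app",
    "ref": "refs/heads/main",
    "environment": "production",
}


@dataclass(frozen=True)
class TrustPolicy:
    """Assumed shape of what the cloud side checks before issuing credentials."""
    issuer: str
    audiences: Tuple[str, ...]
    # Glob patterns for the `sub` claim; note that '*' matches across ':' and '/'.
    subject_patterns: Tuple[str, ...]


# Hypothetical policy: only the production environment of one repository.
PROD_POLICY = TrustPolicy(
    issuer="https://token.actions.githubusercontent.com",
    audiences=("sts.amazonaws.com",),
    subject_patterns=("repo:example-org/example-app:environment:production",),
)


def id_token_write_granted(workflow_permissions: Dict[str, str],
                           job_permissions: Optional[Dict[str, str]] = None) -> bool:
    """True if the effective permissions grant id-token: write.

    A job-level permissions block, when present, overrides the workflow-level
    block for that job, so it alone decides.
    """
    effective = job_permissions if job_permissions is not None else workflow_permissions
    return effective.get("id-token") == "write"


def evaluate_claims(claims: Dict[str, str], policy: TrustPolicy) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons); reasons names every failed check.

    Keeping every mismatch lets a record say which of issuer, audience or
    subject was rejected instead of inferring a missing static secret.
    """
    reasons: List[str] = []
    iss = claims.get("iss")
    if iss != policy.issuer:
        reasons.append(f"issuer {iss!r} is not the trusted issuer {policy.issuer!r}")
    aud = claims.get("aud")
    if aud not in policy.audiences:
        reasons.append(f"audience {aud!r} is not in allowed audiences {list(policy.audiences)}")
    sub = claims.get("sub", "")
    if not any(fnmatch.fnmatchcase(sub, pattern) for pattern in policy.subject_patterns):
        reasons.append(f"subject {sub!r} matches no allowed subject pattern")
    return (not reasons, reasons)


def overly_broad_patterns(policy: TrustPolicy) -> List[str]:
    """Subject patterns whose wildcard replaces the ref/environment part.

    'repo:org/app:*' accepts a token from any branch, tag or environment of the
    repository, which silently widens the trust boundary.
    """
    return [p for p in policy.subject_patterns if p.endswith(":*") or p == "*"]


def diagnose(claims: Dict[str, str], policy: TrustPolicy,
             workflow_permissions: Dict[str, str],
             job_permissions: Optional[Dict[str, str]] = None) -> str:
    """One-line verdict combining the permissions check and the claim check."""
    if not id_token_write_granted(workflow_permissions, job_permissions):
        return "denied: no OIDC token is minted because id-token: write is not granted"
    accepted, reasons = evaluate_claims(claims, policy)
    if accepted:
        return "accepted: issuer, audience and subject all satisfy the trust policy"
    return "denied: " + "; ".join(reasons)


if __name__ == "__main__":
    print(diagnose(SAMPLE_CLAIMS, PROD_POLICY, {"contents": "read"}))
    print(diagnose(SAMPLE_CLAIMS, PROD_POLICY, {"contents": "read", "id-token": "write"}))
    feature = dict(SAMPLE_CLAIMS, sub="repo:example-org/example-app:ref:refs/heads/feature",
                   ref="refs/heads/feature", environment="")
    print(diagnose(feature, PROD_POLICY, {"id-token": "write"}))
```

The `overly_broad_patterns` check is the caveat worth keeping: a subject pattern that ends in a wildcard will match a token minted for any ref or environment of that repository, so a deploy that "works" after loosening the pattern may have moved the trust boundary rather than fixed the original mismatch.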