---
id: agent-github-actions-oidc-claims-and-cloud-trust
title: 'Agent GitHub Actions OIDC Claims and Cloud Trust'
schema_type: TechArticle
category: ai
language: en
confidence: medium
last_verified: '2026-06-09'
created_date: '2026-06-09'
generation_method: ai_structured
derived_from_human_seed: true
conflict_of_interest: none_declared
is_live_document: false
data_period: static
atomic_facts:
  - id: fact-ai-agent-github-actions-oidc-claims-and-cloud-trust-1
    statement: >-
      GitHub documentation says OpenID Connect lets GitHub Actions workflows
      access cloud provider resources without storing long-lived cloud credentials
      as GitHub secrets.
    source_title: GitHub Configuring OpenID Connect in Cloud Providers
    source_url: https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers
    confidence: medium
  - id: fact-ai-agent-github-actions-oidc-claims-and-cloud-trust-2
    statement: >-
      GitHub OIDC reference documentation says the job or workflow must grant
      id-token: write permission to allow GitHub's OIDC provider to create a JWT.
    source_title: GitHub OpenID Connect Reference
    source_url: https://docs.github.com/en/actions/reference/security/oidc
    confidence: medium
  - id: fact-ai-agent-github-actions-oidc-claims-and-cloud-trust-3
    statement: >-
      GitHub OIDC reference documentation says the OIDC token includes standard
      audience, issuer, and subject claims.
    source_title: GitHub OpenID Connect Reference
    source_url: https://docs.github.com/en/actions/reference/security/oidc
    confidence: medium
completeness: 0.82
known_gaps:
  - OIDC deployment trust depends on cloud-provider condition syntax, subject-claim template, audience value, environment protection, reusable workflow call chain, branch and tag filters, token lifetime, and whether fallback static credentials still exist.
disputed_statements: []
primary_sources:
  - title: GitHub Configuring OpenID Connect in Cloud Providers
    type: documentation
    year: 2026
    url: https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers
    institution: GitHub
  - title: GitHub OpenID Connect Reference
    type: documentation
    year: 2026
    url: https://docs.github.com/en/actions/reference/security/oidc
    institution: GitHub
secondary_sources: []
updated: '2026-06-09'
ai_models:
  - gpt-5-codex
---

## TL;DR

GitHub Actions OIDC claims let agents verify why a cloud deployment token was accepted or denied without assuming a static secret was present.

## Core Explanation

OIDC-based deployment replaces a long-lived cloud secret with a short-lived token exchange. That improves auditability only if the trust policy is explicit about which repository, branch, tag, environment, workflow, or reusable workflow is allowed to receive cloud credentials.

Agents should capture the workflow permissions block, requested audience, subject claim, repository, ref, environment, cloud trust condition, and cloud provider error before changing deployment YAML. A failed deploy can be caused by a missing `id-token: write`, a mismatched `sub` claim, an unexpected audience, or a protected environment that changes the trust boundary.

## Source-Mapped Facts

- GitHub documentation says OpenID Connect lets GitHub Actions workflows access cloud provider resources without storing long-lived cloud credentials as GitHub secrets. ([source](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers))
- GitHub OIDC reference documentation says the job or workflow must grant id-token: write permission to allow GitHub's OIDC provider to create a JWT. ([source](https://docs.github.com/en/actions/reference/security/oidc))
- GitHub OIDC reference documentation says the OIDC token includes standard audience, issuer, and subject claims. ([source](https://docs.github.com/en/actions/reference/security/oidc))

## Further Reading

- [GitHub Configuring OpenID Connect in Cloud Providers](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers)
- [GitHub OpenID Connect Reference](https://docs.github.com/en/actions/reference/security/oidc)