GitHub Actions OIDC Tokens Transition to Immutable Subject Claims for New Repositories

GitHub has updated the OpenID Connect (OIDC) token behavior for GitHub Actions by introducing immutable identifiers in the subject claim. This change addresses a security weakness: trust relationships previously relied on mutable repository or owner names. By using unique internal IDs instead of names, GitHub closes the gap that opens when a repository is renamed or deleted and its original name is later claimed by another user.
Comparison
| Aspect | Before / Alternative | After / This |
|---|---|---|
| Claim Content | Human-readable repository and owner names | Immutable internal unique identifiers |
| Renaming Impact | Trust policies may break or allow unauthorized access | Trust remains intact and secure regardless of name changes |
| Default Behavior | Standard for repositories created before the rollout | Automatic default for all new repositories |
| Security Posture | Vulnerable to repository squatting and name reuse | Resistant to identity spoofing via name manipulation |
Action Checklist
- Audit existing OIDC trust policies in cloud providers like AWS, Azure, and GCP. Look for policies that strictly filter based on repository name strings.
- Configure identity provider mappings to recognize the new unique ID format. Update the 'sub' claim validation logic to match the immutable ID.
- Test authentication with a new repository to verify the claim format. New repositories will provide the immutable format by default.
- Manually opt in existing high-security repositories to the new claim format. Ensure all trust policies are updated before switching existing production workflows.
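As an added example for the first checklist step (not code from the GitHub changelog or this summary), a small Python audit helper that scans an AWS IAM role trust policy and reports every `sub` condition pinned to the classic, mutable `repo:<owner>/<name>:...` subject shape. The trust policy is constructed sample data with a placeholder account ID and org name; the helper makes no assumption about what the immutable subject format looks like and only flags the name-based shape.

```python
import json
import re

# Constructed sample AWS IAM role trust policy (placeholder account ID and org name).
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
            "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/*:ref:refs/heads/main"},
        },
    }],
})

SUB_KEY = "token.actions.githubusercontent.com:sub"
# Classic subject shape repo:<owner>/<name>:... where owner and name are mutable.
NAME_BASED_SUB = re.compile(r"^repo:[^/:]+/[^:]+(?::|$)")


def find_name_based_sub_conditions(policy_json: str) -> list:
    """One finding per 'sub' condition value pinned to a human-readable owner/repo name."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        for operator, conds in stmt.get("Condition", {}).items():
            values = conds.get(SUB_KEY)
            if values is None:
                continue
            if isinstance(values, str):  # IAM accepts a scalar or a list
                values = [values]
            for value in values:
                if NAME_BASED_SUB.match(value):
                    findings.append({
                        "statement": idx,
                        "operator": operator,
                        "value": value,
                        "wildcard": "*" in value,  # wildcard name: trust spans every repo under the owner
                    })
    return findings


if __name__ == "__main__":
    for f in find_name_based_sub_conditions(SAMPLE_TRUST_POLICY):
        print(f"statement {f['statement']}: {f['operator']} {f['value']} wildcard={f['wildcard']}")
```

Each finding is a policy condition to revisit before moving that role's trust to the immutable identifier; a wildcard in the name part widens the blast radius of any name reuse.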
Source: GitHub Changelog
This page summarizes the original source. Check the source for full details.