Description
Code of Conduct
- I have read and agree to the GitHub Docs project's Code of Conduct
What article on docs.github.com is affected?
The explanation of what `id-token: read/write/none` means in a GitHub Actions workflow is still really confusing. Previous issues about this include:
- Document id-token permission #14626
- Document id-token permission #25952
- Improve token-id permission options #26481
I guess the most relevant article is this one: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
What part(s) of the article would you like to see updated?
Here's my understanding of this feature. Feel free to use any of this copy, or correct me if I got something wrong!
The `id-token: write` permission provides a workflow the ability to interact with external services that use OpenID Connect (OIDC).
The `write` value can be better interpreted as meaning "enabled" - no writes occur with this permission, and it does not imply that the workflow has the ability to write to anything within GitHub.
Instead, this permission allows the workflow to request an access token from an OIDC supporting external service, such as PyPI or AWS or Google Cloud.
When the GitHub Action workflow runs it will request a token from the relevant service. That service will be able to identify the workflow and repository that is making the request and will only return a token for workflows that it has been configured to allow.
A value of `id-token: read` is treated the same as `id-token: none` (the default) - workflows without `id-token: write` will be unable to request tokens from external services using OIDC.
Additional information
No response
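The issue text above describes the relying-party side in one sentence: the external service identifies the workflow and repository and only hands out credentials to workflows it has been configured to allow. The following is an added example, not code from the issue, from GitHub or from any cloud provider's SDK, showing what that check looks like in Go using only the standard library. The issuer string and the `repo:OWNER/REPO:ref:refs/heads/BRANCH` subject format are the real ones GitHub's OIDC tokens carry; the audience `sts.amazonaws.com`, the repository `octo-org/octo-repo`, the RSA key pair (which stands in for the key GitHub publishes via its JWKS endpoint) and all claim values are constructed sample data. Real tokens are obtained inside the workflow from the runner; `SignRS256` exists only so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// GitHubIssuer is the real "iss" value of GitHub Actions OIDC tokens.
const GitHubIssuer = "https://token.actions.githubusercontent.com"

// Claims is the subset of GitHub OIDC token claims a relying party checks.
// The claim names are real; every value used below is constructed sample data.
type Claims struct {
	Iss        string `json:"iss"`
	Aud        string `json:"aud"`
	Sub        string `json:"sub"` // e.g. repo:octo-org/octo-repo:ref:refs/heads/main
	Repository string `json:"repository"`
	Exp        int64  `json:"exp"`
}

// TrustPolicy models what the external service "has been configured to allow":
// the audience the workflow must request and the exact subjects permitted.
type TrustPolicy struct {
	Audience    string
	AllowedSubs map[string]bool
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignRS256 fabricates a token signed like GitHub's (RS256, PKCS#1 v1.5).
// Only here so the example runs offline; real tokens come from the runner.
func SignRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// Verify is the relying-party side: the token is accepted only if the signature
// checks against GitHub's key and issuer, audience, expiry and subject all match
// the policy. Claims are not trusted until the signature has been verified.
func Verify(token string, pub *rsa.PublicKey, p TrustPolicy, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, fmt.Errorf("malformed token")
	}
	// Always verify as RS256 with the known key; never dispatch on the header's
	// "alg" field, which is what makes alg-confusion attacks possible.
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return Claims{}, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return Claims{}, fmt.Errorf("bad signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return Claims{}, err
	}
	switch {
	case c.Iss != GitHubIssuer:
		return Claims{}, fmt.Errorf("wrong issuer %q", c.Iss)
	case c.Aud != p.Audience:
		return Claims{}, fmt.Errorf("wrong audience %q", c.Aud)
	case now.Unix() >= c.Exp:
		return Claims{}, fmt.Errorf("token expired")
	case !p.AllowedSubs[c.Sub]:
		return Claims{}, fmt.Errorf("subject %q not allowed", c.Sub)
	}
	return c, nil
}

func main() {
	ghKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for GitHub's JWKS key
	policy := TrustPolicy{Audience: "sts.amazonaws.com",
		AllowedSubs: map[string]bool{"repo:octo-org/octo-repo:ref:refs/heads/main": true}}
	now := time.Now()
	good := Claims{Iss: GitHubIssuer, Aud: policy.Audience, Repository: "octo-org/octo-repo",
		Sub: "repo:octo-org/octo-repo:ref:refs/heads/main", Exp: now.Add(5 * time.Minute).Unix()}
	tok, _ := SignRS256(ghKey, good)
	c, err := Verify(tok, &ghKey.PublicKey, policy, now)
	fmt.Println("main branch:", c.Repository, err)
	branch := good // genuine token, but from a branch the policy does not list
	branch.Sub = "repo:octo-org/octo-repo:ref:refs/heads/feature"
	tok, _ = SignRS256(ghKey, branch)
	_, err = Verify(tok, &ghKey.PublicKey, policy, now)
	fmt.Println("feature branch:", err)
	attacker, _ := rsa.GenerateKey(rand.Reader, 2048) // key GitHub never published
	tok, _ = SignRS256(attacker, good)
	_, err = Verify(tok, &ghKey.PublicKey, policy, now)
	fmt.Println("forged:", err)
}
```

The point the example makes about the permission: `id-token: write` only lets the workflow obtain this signed statement of who it is; whether that statement buys anything is decided entirely by the relying party's policy, and a token for a branch or repository outside the allow-list is refused even though it is genuine.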