REST API endpoints for GitHub Actions OIDC
Use the REST API to interact with JWTs for OIDC subject claims in GitHub Actions.
About GitHub Actions OIDC
You can use the REST API to query and manage a customization template for an OpenID Connect (OIDC) subject claim. For more information, see "About security hardening with OpenID Connect."
Set the GitHub Actions OIDC custom issuer policy for an enterprise
Sets the GitHub Actions OpenID Connect (OIDC) custom issuer policy for an enterprise.
OAuth app tokens and personal access tokens (classic) need the admin:enterprise
scope to use this endpoint.
Fine-grained access tokens for "Set the GitHub Actions OIDC custom issuer policy for an enterprise"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Enterprise administration" business permissions (write)
Parameters for "Set the GitHub Actions OIDC custom issuer policy for an enterprise"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
enterprise string RequiredThe slug version of the enterprise name. You can also substitute this value with the enterprise id. |
Name, Type, Description |
---|
include_enterprise_slug boolean Whether the enterprise customer requested a custom issuer URL. |
HTTP response status codes for "Set the GitHub Actions OIDC custom issuer policy for an enterprise"
Status code | Description |
---|---|
204 | No Content |
Code samples for "Set the GitHub Actions OIDC custom issuer policy for an enterprise"
If you access GitHub at GHE.com, replace api.github.com
with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com
.
Request example
curl -L \
-X PUT \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/enterprises/ENTERPRISE/actions/oidc/customization/issuer \
-d '{"include_enterprise_slug":true}'
Response
Status: 204
Get the customization template for an OIDC subject claim for an organization
Gets the customization template for an OpenID Connect (OIDC) subject claim.
OAuth app tokens and personal access tokens (classic) need the read:org
scope to use this endpoint.
Fine-grained access tokens for "Get the customization template for an OIDC subject claim for an organization"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Administration" organization permissions (read)
Parameters for "Get the customization template for an OIDC subject claim for an organization"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
org string RequiredThe organization name. The name is not case sensitive. |
HTTP response status codes for "Get the customization template for an OIDC subject claim for an organization"
Status code | Description |
---|---|
200 | A JSON serialized template for OIDC subject claim customization |
Code samples for "Get the customization template for an OIDC subject claim for an organization"
If you access GitHub at GHE.com, replace api.github.com
with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com
.
Request example
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/orgs/ORG/actions/oidc/customization/sub
A JSON serialized template for OIDC subject claim customization
Status: 200
{
"include_claim_keys": [
"repo",
"context"
]
}
Set the customization template for an OIDC subject claim for an organization
Creates or updates the customization template for an OpenID Connect (OIDC) subject claim.
OAuth app tokens and personal access tokens (classic) need the write:org
scope to use this endpoint.
Fine-grained access tokens for "Set the customization template for an OIDC subject claim for an organization"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Administration" organization permissions (write)
Parameters for "Set the customization template for an OIDC subject claim for an organization"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
org string RequiredThe organization name. The name is not case sensitive. |
Name, Type, Description |
---|
include_claim_keys array of strings RequiredArray of unique strings. Each claim key can only contain alphanumeric characters and underscores. |
HTTP response status codes for "Set the customization template for an OIDC subject claim for an organization"
Status code | Description |
---|---|
201 | Empty response |
403 | Forbidden |
404 | Resource not found |
Code samples for "Set the customization template for an OIDC subject claim for an organization"
If you access GitHub at GHE.com, replace api.github.com
with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com
.
Request example
curl -L \
-X PUT \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/orgs/ORG/actions/oidc/customization/sub \
-d '{"include_claim_keys":["repo","context"]}'
Empty response
Status: 201
Get the customization template for an OIDC subject claim for a repository
Gets the customization template for an OpenID Connect (OIDC) subject claim.
OAuth tokens and personal access tokens (classic) need the repo
scope to use this endpoint.
Fine-grained access tokens for "Get the customization template for an OIDC subject claim for a repository"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Actions" repository permissions (read)
This endpoint can be used without authentication or the aforementioned permissions if only public resources are requested.
Parameters for "Get the customization template for an OIDC subject claim for a repository"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
owner string RequiredThe account owner of the repository. The name is not case sensitive. |
repo string RequiredThe name of the repository without the |
HTTP response status codes for "Get the customization template for an OIDC subject claim for a repository"
Status code | Description |
---|---|
200 | Status response |
400 | Bad Request |
404 | Resource not found |
Code samples for "Get the customization template for an OIDC subject claim for a repository"
If you access GitHub at GHE.com, replace api.github.com
with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com
.
Request example
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/OWNER/REPO/actions/oidc/customization/sub
Status response
Status: 200
{
"use_default": false,
"include_claim_keys": [
"repo",
"context"
]
}
Set the customization template for an OIDC subject claim for a repository
Sets the customization template and opt-in
or opt-out
flag for an OpenID Connect (OIDC) subject claim for a repository.
OAuth app tokens and personal access tokens (classic) need the repo
scope to use this endpoint.
Fine-grained access tokens for "Set the customization template for an OIDC subject claim for a repository"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Actions" repository permissions (write)
Parameters for "Set the customization template for an OIDC subject claim for a repository"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
owner string RequiredThe account owner of the repository. The name is not case sensitive. |
repo string RequiredThe name of the repository without the |
Name, Type, Description |
---|
use_default boolean RequiredWhether to use the default template or not. If |
include_claim_keys array of strings Array of unique strings. Each claim key can only contain alphanumeric characters and underscores. |
HTTP response status codes for "Set the customization template for an OIDC subject claim for a repository"
Status code | Description |
---|---|
201 | Empty response |
400 | Bad Request |
404 | Resource not found |
422 | Validation failed, or the endpoint has been spammed. |
Code samples for "Set the customization template for an OIDC subject claim for a repository"
If you access GitHub at GHE.com, replace api.github.com
with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com
.
Request example
curl -L \
-X PUT \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/OWNER/REPO/actions/oidc/customization/sub \
-d '{"use_default":false,"include_claim_keys":["repo","context"]}'
Empty response
Status: 201