jprdonnelly/docs
1
0
Fork 0
mirror of synced 2025-12-19 18:10:59 -05:00
Code Issues Projects Releases Wiki Activity

Add enterprise_id to OIDC token claims (#48661)

Browse Source
This commit is contained in:
Seth Rylan Gainey
2024-01-26 15:08:18 -05:00
committed by GitHub
parent 64a5bc866e
commit f503dfd53a
2 changed files with 14 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
content/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect.md
View File

@@ -82,7 +82,8 @@ The following example OIDC token uses a subject (`sub`) that references a job en
"head_ref": "", "head_ref": "",
"base_ref": "", "base_ref": "",
"event_name": "workflow_dispatch",{% ifversion actions-OIDC-custom-claim-enterprise %} "event_name": "workflow_dispatch",{% ifversion actions-OIDC-custom-claim-enterprise %}
"enterprise": "avocado-corp"{% endif %} "enterprise": "avocado-corp",{% endif %}{% ifversion actions-OIDC-enterprise_id-claim %}
"enterprise_id": "2",{% endif %}
"ref_type": "branch", "ref_type": "branch",
"job_workflow_ref": "octo-org/octo-automation/.github/workflows/oidc.yml@refs/heads/main", "job_workflow_ref": "octo-org/octo-automation/.github/workflows/oidc.yml@refs/heads/main",
"iss": "{% ifversion ghes %}https://HOSTNAME/_services/token{% else %}https://token.actions.githubusercontent.com{% endif %}", "iss": "{% ifversion ghes %}https://HOSTNAME/_services/token{% else %}https://token.actions.githubusercontent.com{% endif %}",
@@ -128,6 +129,9 @@ The token also includes custom claims provided by {% data variables.product.prod
{%- ifversion actions-OIDC-custom-claim-enterprise %} {%- ifversion actions-OIDC-custom-claim-enterprise %}
| `enterprise`| The name of the enterprise that contains the repository from where the workflow is running. | | `enterprise`| The name of the enterprise that contains the repository from where the workflow is running. |
{%- endif %} {%- endif %}
{%- ifversion actions-OIDC-enterprise_id-claim %}
| `enterprise_id`| The ID of the enterprise that contains the repository from where the workflow is running. |
{%- endif %}
| `environment`| The name of the environment used by the job. To include the `environment` claim you must reference an environment. | | `environment`| The name of the environment used by the job. To include the `environment` claim you must reference an environment. |
| `event_name`| The name of the event that triggered the workflow run. | | `event_name`| The name of the event that triggered the workflow run. |
| `head_ref`| The source branch of the pull request in a workflow run. | | `head_ref`| The source branch of the pull request in a workflow run. |
@@ -278,10 +282,11 @@ After this setting is applied, the JWT will contain the updated `iss` value. In
```json ```json
{ {
"jti": "6f4762ed-0758-4ccb-808d-ee3af5d723a8" "jti": "6f4762ed-0758-4ccb-808d-ee3af5d723a8",
"sub": "repo:octocat-inc/private-server:ref:refs/heads/main" "sub": "repo:octocat-inc/private-server:ref:refs/heads/main",
"aud": "http://octocat-inc.example/octocat-inc" "aud": "http://octocat-inc.example/octocat-inc",
"enterprise": "octocat-inc" "enterprise": "octocat-inc",
"enterprise_id": "123",
"iss": "https://token.actions.githubusercontent.com/octocat-inc", "iss": "https://token.actions.githubusercontent.com/octocat-inc",
"bf": 1755350653, "bf": 1755350653,
"exp": 1755351553, "exp": 1755351553,

4
data/features/actions-OIDC-enterprise_id-claim.yml Normal file
View File

@@ -0,0 +1,4 @@
# Adding new OIDC claim - enterprise_id
versions:
ghec: '*'
ghes: '>=3.12'