GitHub Actions – Securing OpenID Connect (OIDC) token permissions in reusable workflows

For securely enabling OpenID Connect (OIDC) in your reusable workflows, we are now making the permissions more restrictive.

If you need to fetch an OIDC token generated within a reusable (called) workflow that is outside your enterprise/organization, then the permissions setting for id-token should now be explicitly set to write at the caller workflow level or in the specific job that calls the reusable workflow.

yml

permissions:
id-token: write # This is required for requesting the JWT

permissions:
id-token: write # This is required for requesting the JWT

This change would ensure that the OIDC token generated in the called workflow is allowed to be consumed in the caller workflows only when intended.

Learn more about permission settings to enable OIDC in your workflows

JUN.12Retired
GitHub Actions: Minimum version enforcement timeline for self-hosted runners
- Actions
JUN.11Improvement
Bot-created pull requests can run workflows if approved
- Actions
JUN.11Release
New runner images in public preview
- Actions
JUN.11Release
GitHub Agentic Workflows is now in public preview
- Actions
MAY.14Improvement
GitHub Actions: Upcoming image migrations
- Actions
MAY.7Improvement
GitHub Actions concurrency groups now allow larger queues
- Actions
APR.27Improvement
Copilot cloud agent starts 20% faster with Actions custom images
- Actions
APR.27Release
GitHub Copilot code review will start consuming GitHub Actions minutes on June 1, 2026
- Actions
APR.24Improvement
Notice about upcoming new format for GitHub App installation tokens
- Actions

GitHub Actions – Securing OpenID Connect (OIDC) token permissions in reusable workflows

Related Posts

Subscribe to our developer newsletter