GitHub Actions: Secure cloud deployments with OpenID Connect
GitHub Actions now supports OpenID Connect (OIDC) for secure deployments to cloud, which uses short-lived tokens that are automatically rotated for each deployment.
This enables:
- Seamless authentication between Cloud Providers and GitHub without the need for storing any long-lived cloud secrets in GitHub
- Cloud Admins can rely on the security mechanisms of their cloud provider to ensure that GitHub Actions workflows get the minimal access for cloud resources. There is no duplication of secret management in GitHub and the cloud.
How this works:
- Developers set up OIDC trust on their cloud roles to manage access between their deployment workflows and cloud resources.
- In each deployment, GitHub Actions workflow presents an autogenerated OIDC JWT token to the cloud provider
- Cloud provider validates the claims in the OIDC token against the cloud role definition and provides a cloud access token to connect and deploy to the Cloud only during the workflow run.

Learn more about Security hardening your GitHub Workflows using OpenID Connect.

Formed in 2009, the Archive Team (not to be confused with the archive.org Archive-It Team) is a rogue archivist collective dedicated to saving copies of rapidly dying or deleted websites for the sake of history and digital heritage. The group is 100% composed of volunteers and interested parties, and has expanded into a large amount of related projects for saving online and digital history.
