GitHub Actions Welcome New Open-ID Security Features

Open-ID connect tokens are a new security feature that has been added to GitHub Actions.


GitHub Actions welcomes two new features: Open-ID tokens and reusable workflows. The features are expected to work with the cloud providers and to further automation for users.

Key Facts

  1. The Open-ID tokens are to correct hazards experienced with encrypted environment variables.

  2. Each cloud provider token guideline has been released.

  3. Reusable workflow, a new feature, is currently in the Beta stage.

  4. Limitations to the workflow would be fixed before it's released on GA.


A new security feature based on Open-ID has been added to GitHub Actions. GitHub Actions, which first premiered in 2018, has seen close to a 100% increase each year since it reached general availability in 2019.

GitHub Actions usage has grown from the 75 million jobs per month documented at Universe 2020 to over 147 million jobs per month reported at Universe 2021. The number of actions in the GitHub Marketplace has also grown, going from 6,200 in 2020 to 10,431 in late October. Cloud vendors benefit from delivering actions that make it simple to automate the use of their services. A search at the time found 300 actions for AWS and 136 for Azure. Actions for Slack and Teams notifications are available as well.

GitHub Actions workflows must first authenticate against the resources they need, such as test systems and databases, before they can access them or deploy to them. Encrypted environment variables are used for this authentication. Still, hazards such as outdated credentials needing to be updated and secrets being logged in plain text are hard to avoid.

To address these hazards, Open-ID Connect (OIDC) tokens were introduced. The tokens require the user to request a one-time code from the cloud provider. Cloud providers such as Google Cloud, HashiCorp Vault, AWS, and Microsoft Azure can provide these tokens. The tokens can be requested by a step or action in the user's workflow. GitHub has published usage documentation for the tokens and guides specific to each cloud provider.

The product manager at GitHub, Jennifer Schelkopf, also made a presentation highlighting another advantage of the tokens. Her presentation showed that access to the production environment could be withheld for the "deploy to production" job, and the initial staging job does not require access for configuration. The presentation was to show another benefit of the OIDC tokens, which is configuring conditions for tokens.
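How a cloud-side condition on a token could separate the staging job from the "deploy to production" job, as an added example that is not code from GitHub or from the original article. It goes slightly beyond the text by also checking issuer, audience and expiry. The organisation and repository names, the audience value, the policy layout and the function names are hypothetical, and the token's signature is assumed to have been verified already.

```python
from fnmatch import fnmatchcase

# Issuer of GitHub Actions OIDC tokens.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
NOW = 1_700_000_000  # constructed timestamp so the example is deterministic

# Hypothetical trust condition attached to a production role (constructed).
PROD_ROLE_POLICY = {
    "iss": GITHUB_ISSUER,
    "aud": "example-cloud-audience",  # placeholder audience value
    "sub": "repo:example-org/example-repo:environment:production",
}


def job_claims(environment, exp=NOW + 300):
    """Constructed claims for a job that targets a deployment environment."""
    return {
        "iss": GITHUB_ISSUER,
        "aud": "example-cloud-audience",
        "sub": f"repo:example-org/example-repo:environment:{environment}",
        "exp": exp,
    }


def token_allowed(claims, policy, now=NOW):
    """Evaluate signature-verified claims against a policy: (allowed, reason)."""
    if claims.get("iss") != policy["iss"]:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if policy["aud"] not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"
    sub = claims.get("sub")
    # Case-sensitive glob match; a pattern without wildcards matches only itself.
    if not isinstance(sub, str) or not fnmatchcase(sub, policy["sub"]):
        return False, "subject not permitted"
    return True, "ok"


if __name__ == "__main__":
    for env in ("staging", "production"):
        print(env, token_allowed(job_claims(env), PROD_ROLE_POLICY))
    # A broad wildcard in the subject condition also admits the staging job.
    loose = dict(PROD_ROLE_POLICY, sub="repo:example-org/example-repo:*")
    print("staging vs wildcard policy", token_allowed(job_claims("staging"), loose))
```

The subject condition is what keeps production credentials away from the staging job, so it should name the environment exactly rather than use a repository-wide wildcard.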

The folks at GitHub Actions also announced the reusable workflow feature, currently in beta testing. It is designed to let users call one workflow from another. Previously this would have required an action with the uses statement, and the reusable workflow feature makes it easier. A reusable workflow has to be called in precisely this way, using a "workflow_call" event that gets inputs containing secrets from the calling workflow. The major advantage is a reduced use of "clipboard inheritance."

Limitations of the feature include the inability of a reusable workflow to call another reusable workflow, which is referred to as nesting. Also, the caller workflow does not have access to outputs from the called workflow. This would, however, be fixed before the feature is released to General Availability.
