Cheat Sheet logoCheat Sheet Today
GitHub Actions: Secrets, Permissions, Security, and OIDC/Enable OIDC token issuance

Grant `id-token: write` when using cloud federation.

Back to sheetBrowse commands
Sign in to save
Section: OIDC and fork safety

Enable OIDC token issuance

yaml
yaml
permissions:
  id-token: write
  contents: read
Explanation

OIDC lets workflows exchange a short-lived identity token for cloud credentials without storing static secrets.

View in sheet →

Learn the surrounding workflow

Compare similar commands or jump into common fixes when this command is part of a bigger troubleshooting path.

Compare commandsView fixes

Related commands

Same sheet · prioritizing OIDC and fork safety
Configure AWS credentials via OIDC
Use the AWS credentials action without long-lived keys.
OpenIn sheetyamlsame section
Authenticate to Google Cloud with OIDC
Use workload identity federation for GCP.
OpenIn sheetyamlsame section
Do not expose secrets to untrusted forks
Avoid unsafe patterns for public repo pull requests.
OpenIn sheetyamlsame section
Set least-privilege token permissions
Limit the default GITHUB_TOKEN scope.
OpenIn sheetyaml1 tag match
Grant write access only where needed
Elevate token permissions on a specific job.
OpenIn sheetyaml1 tag match
Expose a secret as an environment variable
Use the `secrets` context in step env.
OpenIn sheetyaml