Validates GitHub Actions OIDC tokens (JWTs issued by https://token.actions.githubusercontent.com) and generates SPIRE selectors that identify the caller by repository, workflow, branch, environment, and other GitHub-specific attributes.
Uses the generic JWT validator for signature verification, key discovery, and standard claim validation (issuer, audience, expiration). Adds GitHub-specific allowlist checks (repository owner, repository name) and selector generation on top.
| Field | Type | Required | Description |
|---|---|---|---|
issuerURL |
string | no | OIDC issuer. Default: https://token.actions.githubusercontent.com. |
audiences |
string array | yes | Expected JWT audience values. At least one entry required. |
allowedRepositoryOwners |
string array | see note | GitHub organizations/users allowed. Supports trailing wildcard (*). At least one of allowedRepositories or allowedRepositoryOwners must be set. |
allowedRepositories |
string array | see note | Repositories allowed in owner/name format. Supports trailing wildcard (*). At least one required if allowedRepositoryOwners is empty. |
When both allowedRepositoryOwners and allowedRepositories are set, the token must match both lists (AND logic).
Selector type: github_actions
Selectors are generated for every non-empty claim field in the validated token:
| Selector key | Value format | Condition |
|---|---|---|
repository |
owner/name |
always |
repository_owner |
org or user name | always |
repository_id |
numeric | always |
repository_owner_id |
numeric | always |
repository_visibility |
public, private, or internal |
always |
workflow |
workflow display name | always |
workflow_ref |
owner/repo/.github/workflows/name.yml@ref |
always |
workflow_ref:repo |
owner/repo |
when workflow_ref has @ref |
workflow_ref:path |
.github/workflows/name.yml |
when workflow_ref has @ref |
workflow_ref:ref |
git ref | when workflow_ref has @ref |
job_workflow_ref |
owner/repo/.github/workflows/name.yml@ref |
always |
job_workflow_ref:repo |
owner/repo |
when job_workflow_ref has @ref |
job_workflow_ref:path |
.github/workflows/name.yml |
when job_workflow_ref has @ref |
job_workflow_ref:ref |
git ref | when job_workflow_ref has @ref |
ref |
full git ref | always |
ref_type |
branch or tag |
always |
branch |
branch name (without refs/heads/) |
when ref_type is branch |
sha |
commit SHA | always |
head_ref |
PR source branch | always |
base_ref |
PR target branch | always |
event_name |
trigger event | always |
actor |
triggering user | always |
actor_id |
numeric user ID | always |
run_id |
per-run ID | always |
run_number |
sequential run number | always |
run_attempt |
re-run attempt | always |
environment |
deployment environment name | always |
runner_environment |
github-hosted or self-hosted |
always |
- JWT signature verification — fetches the issuer's JWKS (via OIDC discovery or explicit
jwksUri), extracts thekidfrom the token header, and verifies the RSA/ECDSA signature. - Standard claim validation — verifies
iss,aud, andexp(30s clock leeway). - Allowlist check — enforces
allowedRepositoryOwnersand/orallowedRepositoriesusing suffix-wildcard matching. - Replay detection — the caller's replay cache (configurable
purposeMode) prevents token reuse.
auth:
plugins:
- name: "github-actions"
plugin: "github"
config:
issuerURL: "https://token.actions.githubusercontent.com"
audiences: ["spire-identity-exchange"]
allowedRepositoryOwners:
- "my-org"
allowedRepositories:
- "my-org/*"- Use
repository_idandrepository_owner_idselectors for registration entry matching rather thanrepository/repository_owner— numeric IDs are immutable across renames and transfers. actorandactor_idrepresent the human who triggered the workflow, not the workload identity. Do not use these as the sole discriminator in registration entries.workflowis a mutable display name; preferjob_workflow_refwhich is keyed on file path.- The
head_refclaim is attacker-controlled (PR source branch). Never use it as a sole identity discriminator. run_id,run_number, andrun_attemptare ephemeral per-execution values. Do not use them for registration entry matching.