diff --git a/content/actions/security-for-github-actions/security-guides/automatic-token-authentication.md b/content/actions/security-for-github-actions/security-guides/automatic-token-authentication.md index 6061fe8b34c1..90c36f8b3532 100644 --- a/content/actions/security-for-github-actions/security-guides/automatic-token-authentication.md +++ b/content/actions/security-for-github-actions/security-guides/automatic-token-authentication.md @@ -91,7 +91,7 @@ The following table shows the permissions granted to the `GITHUB_TOKEN` by defau | deployments | read/write | none | read | | discussions | read/write | none | read | | {% ifversion fpt or ghec %} | -| id-token | none | none | read | +| id-token | none | none | none | | {% endif %} | | issues | read/write | none | read | | metadata | read | read | read | diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md index 243c32aee5d7..709508ca9f7a 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md @@ -118,7 +118,7 @@ To update your workflows for OIDC, you will need to make two changes to your YAM ### Adding permissions settings - {% data reusables.actions.oidc-permissions-token %} +{% data reusables.actions.oidc-permissions-token %} ### Requesting the access token diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure.md index caa354d1889d..d4ac949dc792 100644 
--- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure.md @@ -66,7 +66,7 @@ To update your workflows for OIDC, you will need to make two changes to your YAM ### Adding permissions settings - {% data reusables.actions.oidc-permissions-token %} +{% data reusables.actions.oidc-permissions-token %} ### Requesting the access token diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers.md index c277facdc5aa..cd2c49289528 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers.md @@ -39,7 +39,7 @@ If your cloud provider doesn't yet offer an official action, you can update your ### Adding permissions settings - {% data reusables.actions.oidc-permissions-token %} +{% data reusables.actions.oidc-permissions-token %} ### Using official actions diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform.md index 362c76c2e838..c5511612f935 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform.md 
@@ -51,7 +51,7 @@ To update your workflows for OIDC, you will need to make two changes to your YAM ### Adding permissions settings - {% data reusables.actions.oidc-permissions-token %} +{% data reusables.actions.oidc-permissions-token %} ### Requesting the access token diff --git a/data/reusables/actions/github-token-available-permissions.md b/data/reusables/actions/github-token-available-permissions.md index 059d6be50bb1..4f76be26a467 100644 --- a/data/reusables/actions/github-token-available-permissions.md +++ b/data/reusables/actions/github-token-available-permissions.md @@ -7,7 +7,7 @@ permissions: checks: read|write|none contents: read|write|none deployments: read|write|none{% ifversion fpt or ghec %} - id-token: read|write|none{% endif %} + id-token: write|none{% endif %} issues: read|write|none discussions: read|write|none packages: read|write|none diff --git a/data/reusables/actions/github-token-scope-descriptions.md b/data/reusables/actions/github-token-scope-descriptions.md index ca4c7bf06737..65a4e46b26f8 100644 --- a/data/reusables/actions/github-token-scope-descriptions.md +++ b/data/reusables/actions/github-token-scope-descriptions.md @@ -1,4 +1,4 @@ -For each of the available permissions, shown in the table below, you can assign one of the access levels: `read`, `write`, or `none`. `write` includes `read`. If you specify the access for any of these permissions, all of those that are not specified are set to `none`. +For each of the available permissions, shown in the table below, you can assign one of the access levels: `read` (if applicable), `write`, or `none`. `write` includes `read`. If you specify the access for any of these permissions, all of those that are not specified are set to `none`. Available permissions and details of what each allows an action to do: diff --git a/data/reusables/actions/oidc-permissions-token.md b/data/reusables/actions/oidc-permissions-token.md index 2a70c56f2bbe..35f6bc51a846 100644 
--- a/data/reusables/actions/oidc-permissions-token.md +++ b/data/reusables/actions/oidc-permissions-token.md @@ -1,4 +1,4 @@ -The job or workflow run requires a `permissions` setting with [`id-token: write`](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token). You won't be able to request the OIDC JWT ID token if the `permissions` setting for `id-token` is set to `read` or `none`. +The job or workflow run requires a `permissions` setting with [`id-token: write`](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) to allow {% data variables.product.prodname_dotcom %}'s OIDC provider to create a JSON Web Token for every run. You won't be able to request the OIDC JWT ID token if the `permissions` for `id-token` is not set to `write`, however this value doesn't imply granting write access to any resources, only being able to fetch and set the OIDC token for an action or step to enable authenticating with a short-lived access token. Any actual trust setting is defined using OIDC claims, for more information see "[AUTOTITLE](/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect#configuring-the-oidc-trust-with-the-cloud)." The `id-token: write` setting allows the JWT to be requested from {% data variables.product.prodname_dotcom %}'s OIDC provider using one of these approaches:
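Review bot: In the `automatic-token-authentication.md` table hunk, changing the last column of the `id-token` row from `read` to `none` is consistent with the `github-token-available-permissions.md` hunk, which drops `read` as an access level for `id-token` entirely. With every value in that row now `none`, the row alone no longer tells readers that `write` is the only level that does anything for this permission; consider a short footnote under the table such as "`id-token` supports only `write` or `none`; `read` is not a valid level", so the table and the reusable stay in step.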
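Review bot: The four "Adding permissions settings" hunks (AWS, Azure, cloud-providers, GCP) each only strip a leading space before `{% data reusables.actions.oidc-permissions-token %}`; that is the right fix, since a leading space can alter how the rendered paragraph is indented relative to the surrounding headings. Since the same pattern was present in all four OIDC guides, it is worth grepping the remaining `configuring-openid-connect-in-*.md` files for `^ {% data` before merging so no sibling page is left with the old indentation.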
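Review bot: In the `github-token-available-permissions.md` hunk, `id-token: read|write|none` becomes `id-token: write|none`, which now removes `read` from the documented choices. Since existing workflows may still carry `id-token: read`, the surrounding text should say how that value is treated (rejected, or silently equivalent to `none`); without that, a reader migrating an old workflow cannot tell from the docs whether the setting is an error or merely ineffective.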
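Review bot: In the `github-token-scope-descriptions.md` hunk, `read` (if applicable) is too vague: it does not say which permission the qualifier applies to, and the table is the only place a reader could find out. Suggest naming the exception inline, e.g. "`read`, `write`, or `none` (`id-token` supports only `write` and `none`)", so the sentence and the `github-token-available-permissions.md` change in this same patch agree.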
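Review bot: In the `oidc-permissions-token.md` hunk, the new second sentence is a run-on with a comma splice ("...is not set to `write`, however this value doesn't imply...") and "fetch and set the OIDC token" is unclear, since a workflow requests the token rather than sets it. The phrase "to create a JSON Web Token for every run" also reads as if the token is minted unconditionally, which conflicts with the next sentence saying it must be requested. Suggest splitting it into: "You cannot request the OIDC JWT ID token unless `id-token` is set to `write`. This value does not grant write access to any resource; it only allows an action or step to request the OIDC token so it can authenticate with a short-lived access token." The trust sentence has the same comma splice ("...using OIDC claims, for more information see..."); make it two sentences or use a semicolon.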