Actions: Secure cloud deployments with Open ID Connect on GHES #376

Status: Closed
github-product-roadmap opened this issue Jan 12, 2022 · 1 comment
Labels: actions (Feature: GitHub Actions), Enterprise (Product SKU: GitHub Enterprise), ga (Feature phase: Generally available), server (Available on Server), shipped (Shipped)

Comments

@github-product-roadmap (Collaborator) wrote:

Summary

GitHub Actions now supports OpenID Connect (OIDC) for secure deployment to each cloud, which uses short-lived tokens that are automatically rotated for each deployment.

This feature is currently available only for DotCom and will soon also be enabled for enterprise SKUs (GHES).

Intended Outcome

  • With the new OpenID Connect (OIDC) support in GitHub Actions, you can author secure cloud deployment workflows without needing any cloud secrets stored in GitHub.
  • OpenID token exchange eliminates the need for storing any long-lived cloud secrets in GitHub.
  • Admins can use the security mechanisms of their cloud provider to ensure Actions workflows have the minimal amount of access to cloud resources.

How will it work?

  • Developers set up OIDC trust on their cloud roles to manage access between their deployment workflows and cloud resources.
  • In each deployment, a GitHub Actions workflow can now mint an auto-generated OIDC token. This token has all the metadata needed to get a secure, verifiable identity for the workflow that is trying to authenticate.
  • Cloud login Actions can fetch this token and present it to their respective clouds.
  • The cloud provider then validates the claims in the OIDC token against the cloud role definition and provides a short-lived cloud access token that is only valid for a single workflow run, and then automatically expires. Actions within the same job could, however, use this access token to connect and deploy to the cloud resources.
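The cloud-side check in the last two bullets, as an added example (not GitHub's or any cloud provider's code): a small Python model of a provider validating a token's claims against a role's trust conditions and, only on success, minting credentials bound to that one workflow run. Claim names (iss, aud, sub, exp, repository, ref, run_id) follow GitHub's OIDC token; the audience value, role names, token lifetime and the dict shape of the trust policy are constructed for this example, and signature verification against the issuer's published keys is assumed to have already happened. The second role shows the misconfiguration a reviewer should look for: a subject pattern ending in a wildcard, which trusts every repository and branch in the organisation rather than one environment of one repository.

```python
"""Model of the provider-side step above: check the GitHub OIDC token's claims
against a role's trust conditions, then mint run-bound short-lived credentials.

Added example, not GitHub's or any cloud provider's code. Signature
verification is assumed done; only claim matching is modelled. The audience,
role names, token lifetime and trust-policy shape are constructed.
"""
import fnmatch

# Issuer of tokens minted by GitHub.com-hosted Actions workflows.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Constructed audience: the login action requests a token carrying the
# audience its cloud expects, and the role trusts only tokens that carry it.
EXPECTED_AUD = "sts.example-cloud.invalid"


def make_claims(sub, repository, ref, run_id, issued_at, aud=EXPECTED_AUD):
    """Decoded claim set of a constructed GitHub OIDC token.

    'sub' is the claim roles are normally bound to: GitHub formats it as
    repo:<owner>/<repo>:environment:<env> for environment-scoped jobs and
    repo:<owner>/<repo>:ref:<git ref> for other jobs.
    """
    return {
        "iss": GITHUB_ISSUER,
        "aud": aud,
        "sub": sub,
        "repository": repository,
        "ref": ref,
        "run_id": run_id,
        "iat": issued_at,
        "exp": issued_at + 300,  # short lifetime; 5 minutes is an assumption here
    }


def evaluate_trust(claims, trust, now):
    """Apply the role's trust conditions to the claims. Returns (allowed, reason)."""
    if claims.get("iss") != trust["issuer"]:
        return False, "issuer not trusted"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if trust["audience"] not in audiences:
        return False, "audience mismatch"
    if now >= claims.get("exp", 0):
        return False, "token expired"
    sub = claims.get("sub", "")
    # '*' is a wildcard, as in StringLike-style conditions. A pattern that
    # ends in '*' trusts every repo, branch and pull request under the prefix.
    for pattern in trust["subject_patterns"]:
        if fnmatch.fnmatchcase(sub, pattern):
            return True, f"sub matched {pattern!r}"
    return False, "subject not trusted by this role"


def mint_credentials(claims, trust, now, lifetime=3600):
    """Exchange a trusted token for credentials tied to one workflow run.

    Returns None when the trust check fails; otherwise the credential records
    the run it was issued for and when it expires, modelling the 'valid for a
    single workflow run, then expires' behaviour described above.
    """
    allowed, reason = evaluate_trust(claims, trust, now)
    if not allowed:
        return None
    return {
        "role": trust["role"],
        "bound_run_id": claims["run_id"],
        "repository": claims["repository"],
        "expires_at": now + lifetime,
        "granted_because": reason,
    }


# Constructed trust policies: a tightly scoped role and the weak variant.
PROD_DEPLOY_ROLE = {
    "role": "prod-deployer",
    "issuer": GITHUB_ISSUER,
    "audience": EXPECTED_AUD,
    "subject_patterns": ["repo:octo-org/octo-repo:environment:prod"],
}
OVERLY_BROAD_ROLE = {
    "role": "prod-deployer-broad",
    "issuer": GITHUB_ISSUER,
    "audience": EXPECTED_AUD,
    "subject_patterns": ["repo:octo-org/*"],  # any repo, branch or PR in the org
}

# Constructed tokens: a prod deployment, a feature branch in the same repo,
# and a job in a sibling repo of the same org.
NOW = 1_700_000_000
PROD_TOKEN = make_claims("repo:octo-org/octo-repo:environment:prod",
                         "octo-org/octo-repo", "refs/heads/main", 4242, NOW)
BRANCH_TOKEN = make_claims("repo:octo-org/octo-repo:ref:refs/heads/feature-x",
                           "octo-org/octo-repo", "refs/heads/feature-x", 4243, NOW)
SIBLING_TOKEN = make_claims("repo:octo-org/other-repo:ref:refs/heads/main",
                            "octo-org/other-repo", "refs/heads/main", 4244, NOW)

if __name__ == "__main__":
    for name, token in (("prod", PROD_TOKEN), ("branch", BRANCH_TOKEN), ("sibling", SIBLING_TOKEN)):
        for role in (PROD_DEPLOY_ROLE, OVERLY_BROAD_ROLE):
            print(f"{name:8} {role['role']:22} {evaluate_trust(token, role, NOW)}")
```

On the workflow side, the job that requests the token needs `permissions: id-token: write`, and the cloud login action asks GitHub for a token with the audience the role expects; the branch and sibling-repo tokens are rejected by the scoped role but accepted by the broad one, which is the difference an admin reviewing trust policies should be looking for.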
github locked and limited conversation to collaborators on Jan 12, 2022
github-product-roadmap added the labels actions (Feature: GitHub Actions), code-to-cloud, ga (Feature phase: Generally available), Enterprise (Product SKU: GitHub Enterprise), server (Available on Server) on Jan 12, 2022
Sid-ah moved this to Q2 2022 – Apr-Jun in GitHub Public Roadmap on Jan 12, 2022
spaltrowitz added the shipped (Shipped) label on Jun 6, 2022