|
| 1 | +--- |
| 2 | +slug: /github-oidc |
| 3 | +sidebar_label: GitHub OIDC |
| 4 | +sidebar_position: 11 |
| 5 | +description: Authenticate Argos uploads from GitHub Actions using OpenID Connect (OIDC) instead of a long-lived ARGOS_TOKEN secret. |
| 6 | +--- |
| 7 | + |
| 8 | +# GitHub OIDC Authentication |
| 9 | + |
| 10 | +Authenticate the Argos SDK from GitHub Actions using [OpenID Connect (OIDC)](https://docs.github.com/en/actions/reference/security/oidc) instead of storing a long-lived `ARGOS_TOKEN` secret in your repository. |
| 11 | + |
| 12 | +With OIDC, each workflow run receives a short-lived identity token signed by GitHub. Argos verifies that token against the repository and workflow you have allowed, then issues a temporary upload credential scoped to that build. No secret is ever stored in GitHub. |
| 13 | + |
| 14 | +## Why use OIDC |
| 15 | + |
| 16 | +- **No long-lived secret.** Nothing to rotate, leak, or copy between repositories. |
| 17 | +- **Per-run identity.** Each token is tied to a specific repository, workflow, branch, and run. Compromise of one run cannot be replayed elsewhere. |
| 18 | +- **Least privilege.** The credential Argos issues from the OIDC exchange is scoped to uploading to a single project. |
| 19 | +- **Auditable.** GitHub signs the identity token with claims (repository, ref, workflow, actor) that Argos records on the resulting build. |
| 20 | + |
| 21 | +## How it works |
| 22 | + |
| 23 | +1. GitHub Actions requests an OIDC identity token from GitHub's OIDC provider for the current job. This requires the `id-token: write` workflow permission. |
| 24 | +2. The Argos SDK detects that no `ARGOS_TOKEN` is set and fetches the OIDC token from the runner. |
| 25 | +3. The SDK sends the token to Argos with the upload request. |
| 26 | +4. Argos verifies the token's signature, issuer, audience, and claims (`repository`, `ref`, `workflow`) against the project's authentication settings. |
| 27 | +5. If the token is valid and the repository matches the Argos project, the upload is accepted. |
| 28 | + |
| 29 | +The OIDC token is short-lived (minutes) and never persisted by Argos beyond what is needed to attribute the build. |
| 30 | + |
| 31 | +## Enable OIDC in your Argos project |
| 32 | + |
| 33 | +1. Open your project in Argos and go to **Project Settings → Authentication**. |
| 34 | +2. Enable **GitHub OIDC**. |
| 35 | +3. Save your changes. |
| 36 | + |
| 37 | +Once OIDC is enabled, builds from the repository linked to the project can authenticate without `ARGOS_TOKEN`. |
| 38 | + |
| 39 | +## Configure your GitHub Actions workflow |
| 40 | + |
| 41 | +Two things are required on the workflow side: |
| 42 | + |
| 43 | +1. Grant the workflow permission to mint an OIDC token by adding `id-token: write` to the job's `permissions` block. |
| 44 | +2. **Remove** `ARGOS_TOKEN` from the job environment. The SDK uses OIDC only when no token is provided — if `ARGOS_TOKEN` is set, it takes precedence. |
| 45 | + |
| 46 | +```yaml title=".github/workflows/visual-tests.yml" |
| 47 | +name: Visual tests |
| 48 | + |
| 49 | +on: |
| 50 | + pull_request: |
| 51 | + merge_group: |
| 52 | + |
| 53 | +jobs: |
| 54 | + argos: |
| 55 | + runs-on: ubuntu-latest |
| 56 | + permissions: |
| 57 | + # Required to check out the repository and read its metadata |
| 58 | + contents: read |
| 59 | + # Required for Argos to authenticate via OIDC |
| 60 | + id-token: write |
| 61 | + # Lets Argos link the build to its pull request |
| 62 | + pull-requests: read |
| 63 | + steps: |
| 64 | + - uses: actions/checkout@v6 |
| 65 | + - uses: actions/setup-node@v6 |
| 66 | + - run: npm ci |
| 67 | + - run: npm run test:e2e |
| 68 | + # Note: no ARGOS_TOKEN — the SDK uses OIDC automatically |
| 69 | +``` |
| 70 | + |
| 71 | +:::warning |
| 72 | + |
| 73 | +If `ARGOS_TOKEN` is defined (as a repository, environment, or organization secret exposed to the job), the SDK will use it and skip OIDC entirely. Remove it from the job to enable OIDC. |
| 74 | + |
| 75 | +::: |
| 76 | + |
| 77 | +:::note |
| 78 | + |
| 79 | +`id-token: write` must be set on the job (or at the workflow level). Adding it only to the `permissions` block of another job does not grant it to your Argos job. See [GitHub's documentation on `id-token` permissions](https://docs.github.com/en/actions/reference/security/oidc#adding-permissions-settings). |
| 80 | + |
| 81 | +::: |
| 82 | + |
| 83 | +## Troubleshooting |
| 84 | + |
| 85 | +**`Unable to get OIDC token` / 403 from the OIDC endpoint.** The job is missing `id-token: write`. Add it to the `permissions` block. |
| 86 | + |
| 87 | +**Argos still uses `ARGOS_TOKEN`.** A secret is being injected into the job. Search your workflow, environments, and reusable workflows for `ARGOS_TOKEN` and remove it. You can confirm by printing `echo "${ARGOS_TOKEN:+set}${ARGOS_TOKEN:-unset}"` in a step (the value itself is masked). |
| 88 | + |
| 89 | +**`Repository does not match the Argos project`.** The repository that ran the workflow is not the one linked to the Argos project. Run the workflow from the linked repository, or update the project's connected repository in Argos. |
| 90 | + |
| 91 | +**OIDC is not used on forked pull requests.** GitHub does not issue OIDC tokens to workflows triggered from forks for security reasons. For PRs from forks, the Argos SDK automatically falls back to [tokenless authentication](/github-tokenless), which is designed to work in that context. |
| 92 | + |
| 93 | +## Prefer OIDC over tokenless authentication |
| 94 | + |
| 95 | +Argos SDKs also support a [**tokenless**](/github-tokenless) mode that authenticates GitHub Actions runs without an `ARGOS_TOKEN` and without OIDC, by looking up the workflow run on GitHub from its commit and branch. |
| 96 | + |
| 97 | +**If OIDC is available in your setup, prefer it over tokenless authentication.** OIDC is more secure because every upload is backed by a short-lived token signed by GitHub's OIDC provider, which Argos cryptographically verifies. |
| 98 | + |
| 99 | +Tokenless authentication remains useful where OIDC cannot be used — most notably for **pull requests from forked repositories**, where GitHub does not issue OIDC tokens. The SDK falls back to tokenless automatically in those cases, so a single workflow can use OIDC for internal PRs and tokenless for fork PRs without any extra configuration. |
| 100 | + |
| 101 | +To switch from tokenless to OIDC on the runs where it is available: |
| 102 | + |
| 103 | +1. Enable **GitHub OIDC** in your Argos project's authentication settings. |
| 104 | +2. Add `id-token: write` to the workflow permissions. |
| 105 | + |
| 106 | +No code change is required in your tests — the SDK picks up OIDC automatically when it is available and no token is set. |
| 107 | + |
| 108 | +## Further reading |
| 109 | + |
| 110 | +- [GitHub: About security hardening with OpenID Connect](https://docs.github.com/en/actions/reference/security/oidc) |
| 111 | +- [GitHub: Assigning permissions to jobs](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token) |
| 112 | +- [Argos GitHub Integration](/github) |
0 commit comments