{
  "id": "policy/github-actions-oidc-token-403-forbidden",
  "signature": "Error: Failed to request OIDC token: 403 Forbidden. The workflow is not allowed to request an OIDC token for this organization",
  "signature_zh": "错误：请求OIDC令牌失败：403禁止。该工作流不允许为此组织请求OIDC令牌",
  "regex": "Failed to request OIDC token: 403 Forbidden",
  "domain": "policy",
  "category": "auth_error",
  "subcategory": null,
  "root_cause": "GitHub's Actions token service refused the runner's OIDC token request with a policy decision (403 Forbidden): under the organization's or repository's Actions policy the job is not permitted to mint an ID token for cloud-provider federation. This is distinct from the more common mistake of omitting `permissions: id-token: write` from the job, which fails earlier and differently because the runner is never given ACTIONS_ID_TOKEN_REQUEST_URL; verify that permission first, since the cloud-auth action cannot work without it.",
  "root_cause_type": "generic",
  "root_cause_zh": "GitHub Actions令牌服务以策略决定（403 Forbidden）拒绝了运行器的OIDC令牌请求：在组织或仓库的Actions策略下，该作业不被允许为云提供商联合身份签发ID令牌。这与更常见的遗漏`permissions: id-token: write`的错误不同，后者会更早且以不同方式失败，因为运行器根本不会获得ACTIONS_ID_TOKEN_REQUEST_URL；排查时应先确认该权限，否则云认证action无法工作。",
  "versions": [
    {
      "version": "GitHub Actions runner 2.315.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "GitHub Enterprise Server 3.10",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "GitHub REST API 2022-11-28",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Re-run the failed job or workflow without changing anything.",
      "why_fails": "The issue is a policy restriction, not a transient token error; re-running will hit the same 403.",
      "fail_rate": 1.0,
      "condition": "",
      "sources": []
    },
    {
      "action": "Fall back to long-lived cloud access keys stored as repository secrets instead of OIDC federation.",
      "why_fails": "This bypasses the security benefit of OIDC and may violate compliance policies; also not a fix for the error.",
      "fail_rate": 0.6,
      "condition": "",
      "sources": []
    },
    {
      "action": "Rename the branch or switch the triggering event (for example from push to workflow_dispatch) in the hope that the token request is then allowed.",
      "why_fails": "Restrictions are based on repository or organization settings, not branch or event names.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Grant the job the OIDC permission and confirm the repository is allowed to run workflows under the organization's Actions policy.",
      "success_rate": 0.85,
      "how": "Add `permissions: id-token: write` (together with `contents: read`, since an explicit permissions block replaces the defaults) at the workflow or job level; the runner only receives ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN when this is granted. Then, as an organization owner, open Settings > Actions > General > Policies: if 'Allow select repositories' is set, add the repository to the list. The 'Allow GitHub Actions to create and approve pull requests' toggle on the same page controls what GITHUB_TOKEN may do to pull requests and has no effect on OIDC token issuance.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Inspect the organization's Actions permissions and OIDC subject customization via the REST API and correct them.",
      "success_rate": 0.8,
      "how": "Use the REST API rather than hunting for UI toggles (the endpoint is /orgs/ORG/actions/permissions; there is no /orgs/ORG/settings/actions, and `allowed_actions` governs which actions may run, not OIDC). Read the current policy with: gh api /orgs/ORG/actions/permissions . If the repository is excluded, an organization owner can widen the policy with: gh api -X PUT /orgs/ORG/actions/permissions -f enabled_repositories=all -f allowed_actions=all (or keep 'selected' and add the repository). Also check whether the `sub` claim has been customized, because a customized subject will not match a cloud trust policy written for the default repo:ORG/REPO:ref:... format: gh api /orgs/ORG/actions/oidc/customization/sub and gh api /repos/ORG/REPO/actions/oidc/customization/sub . On GitHub Enterprise Server the same endpoints are served by the instance; pass --hostname to gh api.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Pin the cloud provider's trust policy to the repository and ref that the token's `sub` claim will carry, and to the expected audience.",
      "success_rate": 0.75,
      "how": "For AWS, edit the trust policy of the IAM role named in role-to-assume (the OIDC identity provider itself has no trust policy): the Principal is the account's token.actions.githubusercontent.com OIDC provider, the Action is sts:AssumeRoleWithWebIdentity, and the Condition pins both claims: \"Condition\": {\"StringEquals\": {\"token.actions.githubusercontent.com:aud\": \"sts.amazonaws.com\", \"token.actions.githubusercontent.com:sub\": \"repo:org/repo:ref:refs/heads/main\"}}. Use StringLike with a wildcard only when the sub must cover several refs or environments. Note that a trust-policy mismatch surfaces as the cloud provider rejecting AssumeRoleWithWebIdentity after GitHub has already issued the token; it does not produce GitHub's 403, so apply this alongside, not instead of, the GitHub-side fixes.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "在工作流或作业级别添加`permissions: id-token: write`（以及`contents: read`，因为显式的permissions块会替换默认值）；只有授予该权限，运行器才会获得ACTIONS_ID_TOKEN_REQUEST_URL和ACTIONS_ID_TOKEN_REQUEST_TOKEN。然后以组织所有者身份打开 Settings > Actions > General > Policies：如果设置为'Allow select repositories'，将该仓库加入列表。该页面上的'Allow GitHub Actions to create and approve pull requests'开关只控制GITHUB_TOKEN对拉取请求的操作，与OIDC令牌签发无关。",
    "使用REST API检查而不是在UI中寻找开关（正确端点是/orgs/ORG/actions/permissions；不存在/orgs/ORG/settings/actions，且`allowed_actions`控制的是哪些action可以运行，而非OIDC）。读取当前策略：gh api /orgs/ORG/actions/permissions 。若仓库被排除，组织所有者可运行：gh api -X PUT /orgs/ORG/actions/permissions -f enabled_repositories=all -f allowed_actions=all（或保持'selected'并加入该仓库）。同时检查`sub`声明是否被自定义，因为自定义后的subject不会匹配按默认repo:ORG/REPO:ref:...格式编写的云信任策略：gh api /orgs/ORG/actions/oidc/customization/sub 和 gh api /repos/ORG/REPO/actions/oidc/customization/sub 。在GitHub Enterprise Server上相同端点由实例提供，对gh api传入--hostname即可。",
    "对于AWS，编辑role-to-assume所指IAM角色的信任策略（OIDC身份提供者本身没有信任策略）：Principal为账户的token.actions.githubusercontent.com OIDC提供者，Action为sts:AssumeRoleWithWebIdentity，Condition同时固定两个声明：\"Condition\": {\"StringEquals\": {\"token.actions.githubusercontent.com:aud\": \"sts.amazonaws.com\", \"token.actions.githubusercontent.com:sub\": \"repo:org/repo:ref:refs/heads/main\"}}。仅当sub需要覆盖多个ref或environment时才使用带通配符的StringLike。注意信任策略不匹配表现为云提供商在GitHub已签发令牌之后拒绝AssumeRoleWithWebIdentity；它不会产生GitHub侧的403，因此应与GitHub侧修复同时进行，而不是替代。"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers",
  "official_doc_section": null,
  "error_code": "403",
  "verification_tier": "ai_generated",
  "confidence": 0.88,
  "fix_success_rate": 0.85,
  "resolvable": "partial",
  "first_seen": "2024-01-10",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}