{
  "id": "policy/github-actions-oidc-token-permission-denied",
  "signature": "Error: Failed to request OIDC token: 403 Forbidden. The workflow is not allowed to request an OIDC token for this organization.",
  "signature_zh": "错误：请求 OIDC 令牌失败：403 禁止。工作流不允许为此组织请求 OIDC 令牌。",
  "regex": "Failed to request OIDC token: 403 Forbidden\\. The workflow is not allowed to request an OIDC token for this organization\\.",
  "domain": "policy",
  "category": "auth_error",
  "subcategory": null,
  "root_cause": "GitHub Actions OIDC token request denied because the organization's OIDC trust policy does not allow the specific workflow, ref or environment. The 403 comes from the token issuer (GitHub) before any cloud-provider trust policy is evaluated, so the fix is on the GitHub/policy side, not in the cloud account.",
  "root_cause_type": "generic",
  "root_cause_zh": "GitHub Actions OIDC 令牌请求被拒绝，因为组织的 OIDC 信任策略不允许特定工作流或分支。",
  "versions": [
    {
      "version": "GitHub Actions 2024-01",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "GitHub Enterprise Server 3.12",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Re-run the workflow with the same configuration, hoping it's a transient error.",
      "why_fails": "The OIDC token request is denied due to policy configuration, not transient issues. Retrying will fail identically.",
      "fail_rate": 1.0,
      "condition": "",
      "sources": []
    },
    {
      "action": "Add a new OIDC provider in the cloud provider (e.g., AWS) without updating GitHub settings.",
      "why_fails": "The error originates from GitHub's side denying the token request, not the cloud provider; no token is ever issued, so the cloud provider's identity-provider configuration is never consulted. A rejection from the cloud provider (for example AWS STS refusing AssumeRoleWithWebIdentity) is a different error with a different fix and should not be confused with this one.",
      "fail_rate": 0.95,
      "condition": "",
      "sources": []
    },
    {
      "action": "Remove the 'id-token: write' permission from the workflow.",
      "why_fails": "The 'id-token: write' permission is required to request an OIDC token. Removing it will cause a different error about missing permissions.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Fix the trust condition that is rejecting this workflow. Conditions are matched against the token's 'sub' claim, whose documented format is 'repo:owner/repo:ref:refs/heads/main' (prefix 'repo:', not 'repository:'); environment-scoped deployments use 'repo:owner/repo:environment:<name>'. Locate the policy that produced the denial (the organization's Actions/OIDC settings, including any 'sub' claim customization, and the cloud provider's role trust policy) and add only the exact repository, ref or environment that should be allowed to deploy. Do not widen the condition to a wildcard just to make the error go away; that would let any branch or repository in the organization obtain the cloud role.",
      "success_rate": 0.85,
      "how": "Fix the trust condition that is rejecting this workflow. Conditions are matched against the token's 'sub' claim, whose documented format is 'repo:owner/repo:ref:refs/heads/main' (prefix 'repo:', not 'repository:'); environment-scoped deployments use 'repo:owner/repo:environment:<name>'. Locate the policy that produced the denial (the organization's Actions/OIDC settings, including any 'sub' claim customization, and the cloud provider's role trust policy) and add only the exact repository, ref or environment that should be allowed to deploy. Do not widen the condition to a wildcard just to make the error go away; that would let any branch or repository in the organization obtain the cloud role.",
      "condition": "",
      "sources": []
    },
    {
      "action": "As a temporary fallback only, authenticate with a scoped secret instead of OIDC. Note that 'actions/checkout@v4 with: token: ${{ secrets.MY_TOKEN }}' only authenticates the checkout step to GitHub; it does not replace the cloud credentials the OIDC token was providing, so the deployment step needs its own least-privilege credential stored as a secret. Long-lived static credentials are exactly what OIDC federation is meant to remove: scope them to the minimum permissions, rotate them, audit their use, and delete them once the trust policy is fixed.",
      "success_rate": 0.9,
      "how": "As a temporary fallback only, authenticate with a scoped secret instead of OIDC. Note that 'actions/checkout@v4 with: token: ${{ secrets.MY_TOKEN }}' only authenticates the checkout step to GitHub; it does not replace the cloud credentials the OIDC token was providing, so the deployment step needs its own least-privilege credential stored as a secret. Long-lived static credentials are exactly what OIDC federation is meant to remove: scope them to the minimum permissions, rotate them, audit their use, and delete them once the trust policy is fixed.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Run the deployment from a ref the trust policy already allows, for example a job that deploys only from 'main' or from a protected GitHub environment. Do not merge an unreviewed feature branch into 'main' solely to satisfy the trust condition: the branch restriction is a deliberate control, and bypassing it lets unreviewed code obtain production credentials. If feature branches legitimately need to deploy, add a separate, appropriately restricted condition (or environment) for them instead.",
      "success_rate": 0.75,
      "how": "Run the deployment from a ref the trust policy already allows, for example a job that deploys only from 'main' or from a protected GitHub environment. Do not merge an unreviewed feature branch into 'main' solely to satisfy the trust condition: the branch restriction is a deliberate control, and bypassing it lets unreviewed code obtain production credentials. If feature branches legitimately need to deploy, add a separate, appropriately restricted condition (or environment) for them instead.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "修正拒绝该工作流的信任条件。条件是针对令牌的 'sub' 声明进行匹配的，其文档格式为 'repo:owner/repo:ref:refs/heads/main'（前缀是 'repo:' 而不是 'repository:'）；按环境部署时使用 'repo:owner/repo:environment:<名称>'。在组织的 Actions/OIDC 设置（包括任何 'sub' 声明自定义）以及云服务商的角色信任策略中找到产生拒绝的策略，只添加应当允许部署的确切仓库、分支或环境。不要为了消除错误而把条件放宽为通配符，否则组织内任何分支或仓库都能获取该云角色。",
    "仅作为临时替代方案，使用受限的密钥代替 OIDC 进行认证。注意 'actions/checkout@v4 with: token: ${{ secrets.MY_TOKEN }}' 只用于向 GitHub 认证检出步骤，并不能替代 OIDC 令牌原本提供的云凭据；部署步骤需要自己的最小权限凭据并存为 secret。长期静态凭据正是 OIDC 联合认证要消除的东西：将其权限限制到最小、定期轮换、审计其使用，并在信任策略修复后立即删除。",
    "从信任策略已允许的分支执行部署，例如只从 'main' 或受保护的 GitHub environment 部署的作业。不要仅为满足信任条件而把未经评审的功能分支合并到 'main'：分支限制是有意设置的控制措施，绕过它会让未经评审的代码获得生产凭据。如果功能分支确实需要部署，应为其单独添加适当限制的条件（或 environment）。"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers",
  "official_doc_section": null,
  "error_code": "403",
  "verification_tier": "ai_generated",
  "confidence": 0.87,
  "fix_success_rate": 0.78,
  "resolvable": "true",
  "first_seen": "2024-01-20",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}