# Error: Requesting an OIDC token failed: 403 Forbidden. The workflow is not allowed to request an OIDC token for this organization.

- **ID:** `policy/github-actions-oidc-token-permission-denied`
- **Domain:** policy
- **Category:** auth_error
- **Error code:** `403`
- **Verification level:** ai_generated
- **Fix rate:** 78%

## Root cause

The GitHub Actions OIDC token request was denied because the organization's OIDC trust policy does not allow the specific workflow or branch.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| GitHub Actions 2024-01 | active | — | — |
| GitHub Enterprise Server 3.12 | active | — | — |

## Solutions

1. Update the OIDC trust policy in the GitHub organization settings to allow the specific repository and branch. Navigate to Settings > Organization > Security > OIDC Trust Policies and add a condition like `repository:owner/repo:ref:refs/heads/main`.
2. Use a GitHub App or personal access token instead of OIDC for authentication. In the workflow, use `actions/checkout@v4` with a token:

   ```yaml
   - uses: actions/checkout@v4
     with:
       token: ${{ secrets.MY_TOKEN }}
   ```
3. Modify the workflow to run on a branch that is explicitly allowed in the OIDC trust policy. For example, if only `main` is allowed, merge the feature branch into `main` before triggering the deployment workflow.

## Ineffective attempts

- **Re-run the workflow with the same configuration, hoping it's a transient error.** — The OIDC token request is denied due to policy configuration, not transient issues. Retrying will fail identically. (100% failure rate)
- **Add a new OIDC provider in the cloud provider (e.g., AWS) without updating GitHub settings.** — The error originates from GitHub's side denying the token request, not the cloud provider. The cloud provider configuration is irrelevant if GitHub refuses to issue the token. (95% failure rate)
- **Remove the `id-token: write` permission from the workflow.** — The `id-token: write` permission is required to request an OIDC token. Removing it will cause a different error about missing permissions. (90% failure rate)
