Error: Failed to request OIDC token: 403 Forbidden. The workflow is not allowed to request an OIDC token for this organization due to branch protection rules.
ID: policy/github-actions-oidc-token-request-denied-by-branch-protection
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| GitHub Actions | active | — | — | — |
| GitHub Enterprise Cloud | active | — | — | — |
| GitHub Enterprise Server 3.10+ | active | — | — | — |
Root Cause
The GitHub Actions workflow is running on a branch that is protected by branch protection rules that restrict OIDC token requests (e.g., requiring pull request reviews or status checks), and the workflow is not configured to request the token from an allowed branch or environment.
Official Documentation
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
Workarounds
- 85% success: Configure the workflow to run only on branches that are not protected by the OIDC restriction, or use a GitHub environment with deployment branch policies that allow OIDC token requests. For example, add `if: github.ref == 'refs/heads/main'` to the job.
- 90% success: Update the branch protection rule to allow OIDC token requests. In the GitHub repository settings, go to Settings > Branches > Branch protection rules, edit the rule, and under 'Rules applied to everyone including administrators', ensure 'Allow GitHub Actions to request OIDC tokens' is checked.
- 80% success: Use a GitHub environment with a deployment branch policy that includes the protected branch, and reference the environment in the workflow job (e.g., `environment: production`). This allows OIDC token requests from that environment's allowed branches.
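The following workflow fragment puts the first and third workarounds together; it is an added illustration, not taken from the GitHub documentation. The `permissions` block is what lets the job mint an OIDC token at all; the workflow name, the `production` environment's branch policy, the use of AWS as the token consumer and the role ARN are assumptions.

```yaml
name: deploy  # placeholder workflow name

on:
  push:
    branches: [main]

# Without id-token: write the runner cannot request an OIDC token,
# whatever the branch protection rule says. Keep every other scope minimal.
permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Only run from the branch the deployment policy is expected to allow.
    if: github.ref == 'refs/heads/main'
    # The environment's deployment branch policy must include main; the
    # environment also pins the `sub`/`environment` claims the cloud trust
    # policy should match (e.g. repo:ORG/REPO:environment:production).
    environment: production
    steps:
      - uses: actions/checkout@v4

      # Consumer of the token (AWS assumed here). The cloud-side trust policy
      # should be scoped to this repository and environment, not to the whole org.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/PLACEHOLDER_DEPLOY_ROLE
          aws-region: us-east-1
```

If the 403 persists with this shape, the job is most likely still running on a ref outside the environment's deployment branch policy; compare `github.ref` in the run log against the policy's branch list before changing the protection rule itself.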
Dead Ends
Common approaches that don't work:
- 90% fail: Branch protection rules can explicitly block OIDC token requests from protected branches. The error is a direct result of this policy.
- 50% fail: While this would allow the OIDC token request, it removes important security controls (e.g., required reviews) and is not a viable long-term solution.
- 70% fail: The error is about OIDC token request permissions, not the authentication method. Switching to a PAT requires a different workflow configuration and may not address the branch protection rule.