403 policy auth_error ai_generated true

Error: Failed to request OIDC token: 403 Forbidden. The workflow is not allowed to request an OIDC token for this organization due to branch protection rules.

ID: policy/github-actions-oidc-token-request-denied-by-branch-protection

Fix rate: 85%
Confidence: 87%
Evidence count: 1
First seen: 2024-01-10

Version compatibility

| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| GitHub Actions | active | | | |
| GitHub Enterprise Cloud | active | | | |
| GitHub Enterprise Server 3.10+ | active | | | |

Root cause analysis

The GitHub Actions workflow is running on a branch protected by branch protection rules that restrict OIDC token requests (for example, rules requiring pull request reviews or status checks), and the workflow is not configured to request the token from an allowed branch or environment.

Official documentation

https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect

Solutions

  1. Configure the workflow to run only on branches that are not protected by OIDC restrictions, or use a GitHub environment whose deployment branch policy allows OIDC token requests. For example, add `if: github.ref == 'refs/heads/main'` to the job.
  2. Update the branch protection rule to allow OIDC token requests. In the repository settings, go to Settings > Branches > Branch protection rules, edit the rule, and under 'Apply to everyone including administrators' make sure 'Allow GitHub Actions to request OIDC tokens' is checked.
  3. Use a GitHub environment whose deployment branch policy includes the protected branch, and reference that environment in the workflow job (for example `environment: production`). This allows OIDC tokens to be requested from that environment's allowed branches.
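A workflow job that applies solutions 1 and 3 together, added here as an illustration rather than taken from the page or from GitHub's documentation: the job is restricted to `main`, is bound to the `production` environment, and declares the `id-token: write` permission that every OIDC token request needs (the page does not mention it). The workflow name, the environment name and the diagnostic step are assumptions; the `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` variables are the ones the runner provides.

```yaml
name: deploy

on:
  push:
    branches: [main]

# Least privilege at the workflow level: nothing is granted by default,
# so only the job below can mint an OIDC token.
permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Solution 1: run only on the branch that is allowed to request tokens.
    if: github.ref == 'refs/heads/main'
    # Solution 3: bind the job to an environment whose deployment branch
    # policy includes this branch, so the request is evaluated under it.
    environment: production
    permissions:
      id-token: write   # required for the runner to request an OIDC token
      contents: read
    steps:
      - uses: actions/checkout@v4
      # Diagnostic step (assumed): request a token directly. A 403 here
      # reproduces the error above; a 2xx confirms the policy now allows it.
      - name: Check that an OIDC token can be requested
        run: |
          curl -sSf \
            -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=example-audience" \
            -o /dev/null && echo "OIDC token request permitted"
```

Dropping either the `if:` guard or the `environment:` binding reproduces the mismatch the root cause section describes, so changes to branch protection should be tested against this job before wider rollout.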

Ineffective attempts

Common but ineffective approaches:

  1. 90% failure rate

    Branch protection rules can explicitly block OIDC token requests from protected branches. The error is a direct result of this policy.

  2. 50% failure rate

    While this would allow the OIDC token request, it removes important security controls (e.g., required reviews) and is not a viable long-term solution.

  3. 70% failure rate

    The error is about OIDC token request permissions, not the authentication method. Switching to a PAT requires a different workflow configuration and may not address the branch protection rule.