GitHub ActionsのOIDCトークンにおけるsubjectクレームの不変化

GitHub Actions OIDC tokens now include immutable identifiers in the default sub (subject) claim for new repositories. This change strengthens the security of OIDC-based trust between your GitHub Actions workflows and cloud providers like AWS, Azure, and GCP.

Previously, the default subject claim used only mutable names (e.g., repo:octocat/my-repo:ref:refs/heads/main). If a repository or organization name was recycled, a new owner could mint tokens with the same subject claim, potentially gaining unauthorized access to cloud resources that still trusted the original identity. The new format appends immutable owner and repository IDs to the claim (e.g., repo:octocat-123456/my-repo-456789:ref:refs/heads/main), ensuring each claim is permanently tied to the original repository.

What’s changing

All repositories created after June 18, 2026 will automatically use the new immutable subject claim format.

Repository renames and transfers after June 18, 2026 will also adopt the new format.

Existing repositories won’t be affected unless you explicitly opt in.

Opt-in for existing repositories

You can adopt the new format for your existing repositories today using a new toggle in the repository or organization OIDC settings UI and API. A new preview endpoint also lets you see exactly what your subject claim prefix will look like under the new format, so you can update your cloud provider trust policies with confidence.

Timeline

Now: You can opt in at the organization or repository level

June 18, 2026: GitHub will automatically enforce the new format for all new repositories and renames.

This change only applies to github.com and does not impact GitHub Enterprise Server (GHES).

To learn more, see the OIDC documentation.

The post Immutable subject claims for GitHub Actions OIDC tokens appeared first on The GitHub Blog.