New GitHub Actions OIDC token claims

GitHub Actions OpenID Connect (OIDC) token claims now include check_run_id

This enhancement enables fine-grained, attribute-based access control and improves auditability for workflows that integrate with external services. Platform teams often need to correlate an OIDC token back to the specific job and compute that generated it for compliance and traceability. For example, when workflows call internal services hosted on Azure, teams need to link the token to the job run for auditing. Previously, the token lacked a way to identify the exact job. With check_run_id alongside existing claims like run_id and run_attempt, you can now:

Trace tokens to the exact job and compute that executed the request.
Implement least-privilege policies without enumerating every repository.
Reduce secret exposure risk and accelerate revocation.
Improve compliance and audit workflows by mapping access to governed repository states.

For more information on OIDC and how to configure the token, see our documentation.

JUN.12Retired
GitHub Actions: Minimum version enforcement timeline for self-hosted runners
- Actions
JUN.11Improvement
Bot-created pull requests can run workflows if approved
- Actions
JUN.11Release
New runner images in public preview
- Actions
JUN.11Release
GitHub Agentic Workflows is now in public preview
- Actions
MAY.14Improvement
GitHub Actions: Upcoming image migrations
- Actions
MAY.7Improvement
GitHub Actions concurrency groups now allow larger queues
- Actions
APR.27Improvement
Copilot cloud agent starts 20% faster with Actions custom images
- Actions
APR.27Release
GitHub Copilot code review will start consuming GitHub Actions minutes on June 1, 2026
- Actions
APR.24Improvement
Notice about upcoming new format for GitHub App installation tokens
- Actions

New GitHub Actions OIDC token claims

Related Posts

Subscribe to our developer newsletter