This Client Workload identification method is specifically designed for GitHub Actions deployments.
The GitHub ID Token Subject identification method allows you to identify GitHub workflows based on their repository and triggering event. Aembit achieves this using the subject claim within the OIDC token issued by GitHub Actions.
Applicable Deployment Type
This method is suitable for GitHub-based CI/CD Workflow deployments.
Configuration
Aembit Cloud
- Create a new Client Workload.
- Choose GitHub ID Token Subject for client identification.
- Construct a subject manually using the format specified below and use it in the Value field.
The GitHub ID Token Subject method provides advanced workflow identification capabilities by allowing you to identify Client Workloads based on repository origin, triggering events (like pull requests), branches, and more. The following example is for a pull request triggered workflow:
- Format - repo:{orgName}/{repoName}:pull_request
- Example - repo:my-org/my-repo:pull_request
For more subject claims and examples, refer to the GitHub OIDC Token Documentation.
Finding the GitHub ID Token Subject:
You can reconstruct the subject claim as follows:
- Identify the repository: Navigate to your project on GitHub. Locate the repository name displayed at the top left corner of the page.
- Determine filtering criteria: Choose the specific element you want to use for precise workflow selection: a deployment environment (e.g., “production”), a triggering event (e.g., “pull_request” or “push”), or a specific branch or tag name.
- Combine the information: Assemble the subject using the format: repo:{organization}/{repository}:<filtering criteria>.
Alternatively, you can inspect the GitHub OIDC token to extract the subject claim. For further details, please contact Aembit.
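The token inspection mentioned above, as an added example that is not Aembit's or GitHub's own code: it decodes the `sub` claim from a token payload (inspection only, no signature verification) and compares it with a subject assembled in the format given on this page. The sample tokens are constructed, and the function names and the exact-match comparison are assumptions of this example.

```python
import base64
import json

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # base64url drops padding
    return json.loads(base64.urlsafe_b64decode(payload))

def build_subject(org: str, repo: str, criteria: str) -> str:
    """Assemble repo:{organization}/{repository}:<filtering criteria>."""
    return f"repo:{org}/{repo}:{criteria}"

def subject_matches(token: str, org: str, repo: str, criteria: str) -> bool:
    """Exact string comparison (assumed here) against the token's sub claim."""
    return jwt_claims(token).get("sub") == build_subject(org, repo, criteria)

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token with a placeholder signature."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

# Constructed sample claims, not captured from a real workflow run.
PR_TOKEN = make_sample_token({
    "iss": "https://token.actions.githubusercontent.com",
    "sub": "repo:my-org/my-repo:pull_request",
    "repository": "my-org/my-repo",
    "event_name": "pull_request",
})
PUSH_TOKEN = make_sample_token({
    "iss": "https://token.actions.githubusercontent.com",
    "sub": "repo:my-org/my-repo:ref:refs/heads/main",
    "repository": "my-org/my-repo",
    "event_name": "push",
})

if __name__ == "__main__":
    for name, tok in (("pull_request run", PR_TOKEN), ("push to main", PUSH_TOKEN)):
        sub = jwt_claims(tok)["sub"]
        ok = subject_matches(tok, "my-org", "my-repo", "pull_request")
        print(f"{name}: sub={sub} matches configured value: {ok}")
```

The push token carries a `ref:refs/heads/main` subject, so it does not match a Value configured for `pull_request` even though the repository is the same.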