The GitHub Trust Provider supports attestation of Client Workload identities running in a GitHub Actions environment.
The GitHub Trust Provider relies on OIDC (OpenID Connect) tokens issued by GitHub. These tokens contain verifiable information about the workflow, its origin, and the triggering actor.
Match rules
The following match rules are available for this Trust Provider type:
Data | Description | Example |
---|---|---|
actor | The GitHub account name that initiated the workflow run. | user123 |
repository | The repository where the workflow is running, in the format {organization}/{repository} for organization-owned repositories or {account}/{repository} for user-owned repositories. For additional information, see Repository Ownership. | |
workflow | The name of the GitHub Actions workflow. For additional information, see Workflows. | build-and-test |
For additional information about GitHub ID Token claims, please refer to GitHub OIDC Token Documentation.
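The following is an added example, not the Trust Provider's own code, showing how the three match rules in the table map onto claims of a GitHub Actions OIDC token and how a policy check over them would fail closed. It operates on an already-decoded claim set and assumes the token's signature has been verified against GitHub's JWKS beforehand; the sample claims, the audience value `example-trust-provider`, the repository `example-org/example-repo` and the function names are all constructed for this illustration. The issuer check uses GitHub's real token issuer URL.

```python
"""Evaluating GitHub Trust Provider match rules against OIDC token claims.

Added example (not the product's own code). It assumes the token's signature
has already been verified against GitHub's JWKS and works only on the decoded
claim set; the sample values below are constructed for illustration.
"""
import time

# Issuer of GitHub Actions OIDC tokens.
GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"

# Each match rule from the table maps to the token claim of the same name.
RULE_TO_CLAIM = {
    "actor": "actor",
    "repository": "repository",
    "workflow": "workflow",
}

# Constructed sample of the claims a GitHub Actions OIDC token carries.
SAMPLE_CLAIMS = {
    "iss": GITHUB_OIDC_ISSUER,
    "aud": "example-trust-provider",          # constructed audience value
    "exp": int(time.time()) + 300,            # five minutes from now
    "actor": "user123",
    "repository": "example-org/example-repo",
    "repository_owner": "example-org",
    "workflow": "build-and-test",
    "ref": "refs/heads/main",
}


def check_token_basics(claims, expected_audience, now=None):
    """Reject tokens that are not from GitHub, not meant for us, or expired.

    Returns the list of failed checks; an empty list means the token passed.
    """
    now = time.time() if now is None else now
    failures = []
    if claims.get("iss") != GITHUB_OIDC_ISSUER:
        failures.append("issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        failures.append("audience")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        failures.append("expiry")
    return failures


def evaluate_match_rules(claims, rules):
    """Every configured rule must equal its claim exactly.

    Unknown rule names and missing claims fail closed.
    Returns (all_matched, list_of_failed_rule_names).
    """
    failed = []
    for rule, expected in rules.items():
        claim_name = RULE_TO_CLAIM.get(rule)
        if claim_name is None or claims.get(claim_name) != expected:
            failed.append(rule)
    return (not failed, failed)


def repository_owner_and_name(repository):
    """Split a '{owner}/{repository}' value into its two parts.

    The owner is an organization or a user account, as the table describes.
    """
    owner, sep, name = repository.partition("/")
    if not sep or not owner or not name:
        raise ValueError(f"malformed repository value: {repository!r}")
    return owner, name


if __name__ == "__main__":
    rules = {"repository": "example-org/example-repo", "workflow": "build-and-test"}
    print("basic checks failed:", check_token_basics(SAMPLE_CLAIMS, "example-trust-provider"))
    print("match rules:", evaluate_match_rules(SAMPLE_CLAIMS, rules))
    print("owner/name:", repository_owner_and_name(SAMPLE_CLAIMS["repository"]))
```

The rule evaluation is deliberately an exact string comparison and treats any rule it does not recognise as a failure, so a misspelled rule name cannot silently widen who is trusted; the basic issuer, audience and expiry checks run first because match rules are only meaningful on a token that was issued by GitHub for this consumer.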