Update README.md

This commit is contained in:
Fabian Aguilar Gomez
2024-05-22 13:56:05 -05:00
committed by GitHub
parent 277bb4bf94
commit b8d7a0e861

@@ -83,6 +83,13 @@ There are a few important considerations to be aware of:
5. If your Pages site is using GitHub Actions as the source, while not required we highly recommend you also [protect your environment][environment-protection] (we will configure it by default for you). 5. If your Pages site is using GitHub Actions as the source, while not required we highly recommend you also [protect your environment][environment-protection] (we will configure it by default for you).
### OICD
When we invoke a job using GitHub Actions the job requests an OICD token from GitHub's OICD provider which responds with a JSON web token (JWT), each token is unique to each workflow job [learn more about OICD tokens](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token).
OICD tokens are minted in the in the context of an Action job which help form a trust relationship between GitHub and a third-party (e.g. AWS or Azure) to determine if there's anything to be done. Hence, there is no "permissions" associated with the token itself. For GitHub Pages use cases we allow `id-token: write` to allow the `GITHUB-TOKEN` to make API calls to generate an OICD for us which
results in the former statement.
A common misconception is that the OICD tokens we generate are "dangerous" this is not the case! What **can be** is what we allow a third-party to do with the OICD token that was minted for us! Another common issue is accessing the REST endpoints from Actions. The GitHub Pages calls to our endpoints from a job perspective are **only** accessible from the Actions API as of today.
## Compatibility ## Compatibility
This action is primarily designed for use with GitHub.com's Actions workflows and Pages deployments. However, certain releases should also be compatible with GitHub Enterprise Server (GHES) `3.7` and above. This action is primarily designed for use with GitHub.com's Actions workflows and Pages deployments. However, certain releases should also be compatible with GitHub Enterprise Server (GHES) `3.7` and above.
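Review bot: The acronym is misspelled as "OICD" in the new heading and in every occurrence in the added paragraphs, while the linked documentation URL itself uses `openid-connect` and `oidc-token`; it should read "OIDC" (OpenID Connect) throughout, otherwise readers searching the README for OIDC will not find this section. In the second added paragraph, `GITHUB-TOKEN` should be `GITHUB_TOKEN`, "in the in the" is duplicated, and the sentence ending "which results in the former statement" is split across two lines and does not say which statement it refers to; consider naming it directly (presumably that the token itself carries no permissions). The third paragraph's "What **can be** is what we allow a third-party to do" would be clearer if it named the risk outright: the exposure comes from what the third party is configured to allow for a token minted by this job, not from the token itself. The first paragraph is also a run-on; a full stop before "each token is unique" and before the "learn more" link would help.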