The workflow is requesting 'id-token: write', but is only allowed 'id-token: none'.

[riosje]

Select Topic Area

Bug

Body

OIDC Auth not working due to workflow permission issue

I have the following pipeline but is not running due to an error with the permissions.

I found in other posts this issue is related to Fork repos and re-usable workflows, but this is not the case.

permissions:
  issues: write
  contents: read
  id-token: write

jobs:
  runner-start:
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: us-west-2
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
      - name: Checkout
        uses: actions/checkout@v4
        
      - name: Start Runner
        uses: ./.github/workflows/runner-starter
        with:
          instance_id: ${{ secrets.INSTANCE_ID }}
          action: 'start'

ERROR

The workflow is not valid. .github/workflows/run_all.yml (Line: 20, Col: 3): Error calling workflow 'RafaelGSS/nodejs-bench-operations/.github/workflows/bench.yml@d8c16de8267c83507f97db7553f5c3e57c87e96a'. The workflow is requesting 'id-token: write', but is only allowed 'id-token: none'.

Github Actions permissions config

Thank you for your advice here to solve this issue.

[ctdurazo]

@riosje Any luck solving this issue? I am running into something similar while transferring a repo from one org to another.

[riosje]

yes my issue was trying to pass the secret env${{ secrets.INSTANCE_ID }} via input in the reusable workflow.
If you need to pass secrets to the reusable workflow try to use secrets: inherit instead.
BTW, the error log shown has nothing to do with the actual error.

[thgoebel]

I had the same issue, with reusable workflows (uses: ./.github/workflows/runner-starter). I declared the permissions in the shared workflow, but not in the calling/parent workflow. The fix is to also declare the permissions in the calling workflow.