Early access. This feature is in early access, which means it’s undergoing ongoing testing and development while we gather feedback, validate functionality, and improve outputs. Contact the C1 Support team if you’d like to try it out or share feedback.
The conductorone/oidc-token-action GitHub Action exchanges a GitHub Actions OIDC token for a C1 access token in a single step. No secrets to store or rotate.
Prerequisites
- A service principal with a GitHub Actions federation trust. See set up federation if you haven’t created one yet.
- The trust’s client ID (for example
swift-otter-19384@yourcompany.conductor.one/wfe)
Set up the workflow
Add the action to your workflow file. Your workflow must have id-token: write permission for GitHub to issue the OIDC token.
The action:
- Requests a GitHub OIDC token with your tenant domain as the audience
- Exchanges it for a C1 access token via token exchange
- Exports
CONDUCTORONE_ACCESS_TOKEN and CONDUCTORONE_CLIENT_ID as environment variables
- Masks the token in logs to prevent accidental exposure
- Cleans up the environment variables when the job finishes
After the action runs, CONDUCTORONE_ACCESS_TOKEN is available to all subsequent steps. Every C1 tool recognizes this variable automatically.
Cone CLI
Direct API calls
CEL expression examples
When creating the federation trust, the CEL expression controls which GitHub Actions workflows can authenticate. The expression evaluates against the GitHub OIDC token’s claims.
Restrict to a repository
Restrict to a repository and branch
Restrict to a repository and environment
Common GitHub OIDC claims
Security best practices for GitHub Actions
For production workloads, enable GitHub Environments and add an environment constraint to your CEL expression. This prevents any branch or workflow in the repo from authenticating — only jobs running in the specified environment can.
For maximum security, pin to a specific reusable workflow via job_workflow_ref:
This ensures only a specific workflow file on a specific branch can authenticate, even if other workflows in the same repo have id-token: write permission.