From d10604c60ba19712ccdb5147462157999b9bb5e1 Mon Sep 17 00:00:00 2001 From: Ben Ahmady <32935794+subatoi@users.noreply.github.com> Date: Fri, 30 Jan 2026 08:32:06 +0000 Subject: [PATCH 1/2] Raw tag rendering fix (#59339) --- .../security-harden-deployments/oidc-in-azure.md | 3 --- .../oidc-in-google-cloud-platform.md | 4 ---- .../security-harden-deployments/oidc-in-jfrog.md | 4 ---- 3 files changed, 11 deletions(-) diff --git a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-azure.md b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-azure.md index b0b18fa97c70..5ca1a95aba0c 100644 --- a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-azure.md +++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-azure.md @@ -77,7 +77,6 @@ The [`azure/login`](https://github.com/Azure/login) action receives a JWT from t The following example exchanges an OIDC ID token with Azure to receive an access token, which can then be used to access cloud resources. -{% raw %} ```yaml copy {% data reusables.actions.actions-not-certified-by-github-comment %} @@ -104,8 +103,6 @@ jobs: az group list ``` - {% endraw %} - ## Further reading {% data reusables.actions.oidc-further-reading %} diff --git a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform.md b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform.md index 3be5346d0650..e67aec64de0b 100644 --- a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform.md +++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform.md @@ -78,8 +78,6 @@ This example has a job called `Get_OIDC_ID_token` that uses actions to request a This action exchanges a {% data variables.product.prodname_dotcom %} OIDC token for a Google Cloud access token, using [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation). -{% raw %} - ```yaml copy {% data reusables.actions.actions-not-certified-by-github-comment %} name: List services in GCP @@ -109,8 +107,6 @@ jobs: gcloud services list ``` -{% endraw %} - ## Further reading {% data reusables.actions.oidc-further-reading %} diff --git a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-jfrog.md b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-jfrog.md index 4035faf000aa..a93c76b01d41 100644 --- a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-jfrog.md +++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-jfrog.md @@ -55,8 +55,6 @@ In your {% data variables.product.prodname_actions %} workflow file, ensure you The following example uses the placeholders `YOUR_PROVIDER_NAME` and `YOUR_AUDIENCE`. -{% raw %} - ```yaml {% data reusables.actions.actions-not-certified-by-github-comment %} permissions: @@ -80,8 +78,6 @@ jobs: ``` -{% endraw %} - > [!TIP] > When OIDC authentication is used, the `setup-jfrog-cli` action automatically provides `oidc-user` and `oidc-token` as step outputs. > These can be used for other integrations that require authentication with JFrog. From 1e23324385ad52a0d7c1f7ea135a9e96016896bf Mon Sep 17 00:00:00 2001 From: Ben Ahmady <32935794+subatoi@users.noreply.github.com> Date: Fri, 30 Jan 2026 08:32:45 +0000 Subject: [PATCH 2/2] Adds OIDC Octopus Deploy guide (#59340) Co-authored-by: Rob E Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../security-harden-deployments/index.md | 1 + .../oidc-in-octopus-deploy.md | 80 +++++++++++++++++++ 2 files changed, 81 insertions(+) create mode 100644 content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-octopus-deploy.md diff --git a/content/actions/how-tos/secure-your-work/security-harden-deployments/index.md b/content/actions/how-tos/secure-your-work/security-harden-deployments/index.md index 53e36e2bffa3..ce6a5037665f 100644 --- a/content/actions/how-tos/secure-your-work/security-harden-deployments/index.md +++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/index.md @@ -16,6 +16,7 @@ children: - /oidc-in-google-cloud-platform - /oidc-in-hashicorp-vault - /oidc-in-jfrog + - /oidc-in-octopus-deploy - /oidc-in-pypi - /oidc-in-cloud-providers - /oidc-with-reusable-workflows diff --git a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-octopus-deploy.md b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-octopus-deploy.md new file mode 100644 index 000000000000..ebab64064359 --- /dev/null +++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-octopus-deploy.md @@ -0,0 +1,80 @@ +--- +title: Configuring OpenID Connect in Octopus Deploy +shortTitle: OIDC in Octopus Deploy +intro: Use OpenID Connect within your workflows to authenticate with Octopus Deploy. +versions: + fpt: '*' + ghec: '*' +type: tutorial +topics: + - Security + - Actions +--- + +## Overview + +OpenID Connect (OIDC) allows your {% data variables.product.prodname_actions %} workflows to authenticate with [Octopus Deploy](https://octopus.com/) to push packages, create releases or trigger deployments without storing Octopus Deploy passwords or API keys as long-lived {% data variables.product.prodname_dotcom %} secrets. + +This guide provides an overview of how to configure Octopus Deploy to trust {% data variables.product.prodname_dotcom %}'s OIDC as a federated identity, and includes a workflow example for the [`octopusdeploy/login`](https://github.com/OctopusDeploy/login) action that uses tokens to authenticate to your Octopus Deploy instance. + +## Prerequisites + +{% data reusables.actions.oidc-link-to-intro %} + +{% data reusables.actions.oidc-security-notice %} + +{% data reusables.actions.oidc-on-ghecom %} + +## Adding the identity provider to Octopus Deploy + +To use OIDC with Octopus Deploy, first establish a trust relationship between {% data variables.product.prodname_actions %} and your Octopus Deploy instance. For more information about this process, see [Using OpenID Connect with the Octopus API](https://octopus.com/docs/octopus-rest-api/openid-connect) in the Octopus Deploy documentation. + +1. Sign in to your Octopus Deploy instance. +1. Create or open the Service Account that will be granted access via the token request. +1. Configure a new OIDC Identity, defining the relevant subject that the {% data variables.product.prodname_actions %} workflow token request will be validated against. + +## Updating your {% data variables.product.prodname_actions %} workflow + +To update your workflows for OIDC, you will need to make two changes to your YAML: +1. Add permissions settings for the token. +1. Use the [`OctopusDeploy/login`](https://github.com/OctopusDeploy/login) action to exchange the OIDC token (JWT) for a cloud access token. + +{% data reusables.actions.oidc-deployment-protection-rules %} + +### Adding permissions settings + +{% data reusables.actions.oidc-permissions-token %} + +### Requesting the access token + +The [`OctopusDeploy/login`](https://github.com/OctopusDeploy/login) action receives a JWT from the {% data variables.product.prodname_dotcom %} OIDC provider, and then requests an access token from your Octopus Server instance. For more information, see the [`OctopusDeploy/login`](https://github.com/OctopusDeploy/login) documentation. + +The following example exchanges an OIDC ID token with your Octopus Deploy instance to receive an access token, which can then be used to access your Octopus Deploy resources. Be sure to replace the `server` and `service_account_id` details appropriately for your scenario. + +```yaml copy +{% data reusables.actions.actions-not-certified-by-github-comment %} + +jobs: + create_release_in_octopus: + runs-on: ubuntu-latest + name: Create a release in Octopus + permissions: + # You might need to add other permissions here like `contents: read` depending on what else your job needs to do + id-token: write # This is required to obtain an ID token from GitHub Actions for the job + steps: + - name: Login to Octopus + uses: OctopusDeploy/login@34b6dcc1e86fa373c14e6a28c5507d221e4de629 #v1.0.2 + with: + server: https://my.octopus.app + service_account_id: 5be4ac10-2679-4041-a8b0-7b05b445e19e + + - name: Create a release in Octopus + uses: OctopusDeploy/create-release-action@fe13cc69c1c037cb7bb085981b152f5e35257e1f #v3.2.2 + with: + space: Default + project: My Octopus Project +``` + +## Further reading + +{% data reusables.actions.oidc-further-reading %} \ No newline at end of file