GitHub Actions OIDC 的 REST API 终结点

关于 GitHub Actions OIDC

你可以使用 REST API 为 OpenID Connect (OIDC) 主题声明查询与管理自定义模板。有关详细信息，请参阅“OpenID Connect”。

List OIDC custom property inclusions for an enterprise

Lists the repository custom properties that are included in the OIDC token for repository actions in an enterprise.

OAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

"Enterprise administration" enterprise permissions (read)

“”List OIDC custom property inclusions for an enterprise 的参数

标头
名称, 类型, 说明
`accept` string Setting to `application/vnd.github+json` is recommended.

路径参数
名称, 类型, 说明
`enterprise` string 必须 The slug version of the enterprise name.

http_status_code

status_code	说明
`200`	A JSON array of OIDC custom property inclusions
`403`	Forbidden
`404`	Resource not found

code_samples

request_example

get/enterprises/{enterprise}/actions/oidc/customization/properties/repo

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/enterprises/ENTERPRISE/actions/oidc/customization/properties/repo

A JSON array of OIDC custom property inclusions

Status: 200

[
  {
    "custom_property_name": "environment",
    "inclusion_source": "enterprise"
  },
  {
    "custom_property_name": "team",
    "inclusion_source": "enterprise"
  }
]

Create an OIDC custom property inclusion for an enterprise

Adds a repository custom property to be included in the OIDC token for repository actions in an enterprise.

OAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

"Enterprise administration" enterprise permissions (write)

“”Create an OIDC custom property inclusion for an enterprise 的参数

标头
名称, 类型, 说明
`accept` string Setting to `application/vnd.github+json` is recommended.

路径参数
名称, 类型, 说明
`enterprise` string 必须 The slug version of the enterprise name.

主体参数
名称, 类型, 说明
`custom_property_name` string 必须 The name of the custom property to include in the OIDC token

http_status_code

status_code	说明
`201`	OIDC custom property inclusion created
`400`	Invalid input
`403`	Forbidden
`422`	Property inclusion already exists

code_samples

request_example

post/enterprises/{enterprise}/actions/oidc/customization/properties/repo

curl -L \
  -X POST \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/enterprises/ENTERPRISE/actions/oidc/customization/properties/repo \
  -d '{"custom_property_name":"environment"}'

OIDC custom property inclusion created

Status: 201

{
  "custom_property_name": "environment"
}

Delete an OIDC custom property inclusion for an enterprise

Removes a repository custom property from being included in the OIDC token for repository actions in an enterprise.

OAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

"Enterprise administration" enterprise permissions (write)

“”Delete an OIDC custom property inclusion for an enterprise 的参数

标头
名称, 类型, 说明
`accept` string Setting to `application/vnd.github+json` is recommended.

路径参数
名称, 类型, 说明
`enterprise` string 必须 The slug version of the enterprise name.
`custom_property_name` string 必须 The name of the custom property to remove from OIDC token inclusion

http_status_code

status_code	说明
`204`	OIDC custom property inclusion deleted
`400`	Invalid input
`403`	Forbidden
`404`	Property inclusion not found

code_samples

request_example

delete/enterprises/{enterprise}/actions/oidc/customization/properties/repo/{custom_property_name}

curl -L \
  -X DELETE \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/enterprises/ENTERPRISE/actions/oidc/customization/properties/repo/CUSTOM_PROPERTY_NAME

OIDC custom property inclusion deleted

Status: 204

List OIDC custom property inclusions for an organization

Lists the repository custom properties that are included in the OIDC token for repository actions in an organization.

OAuth app tokens and personal access tokens (classic) need the read:org scope to use this endpoint.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

"Administration" organization permissions (read)

“”List OIDC custom property inclusions for an organization 的参数

标头
名称, 类型, 说明
`accept` string Setting to `application/vnd.github+json` is recommended.

路径参数
名称, 类型, 说明
`org` string 必须 The organization name. The name is not case sensitive.

http_status_code

status_code	说明
`200`	A JSON array of OIDC custom property inclusions
`403`	Forbidden
`404`	Resource not found

code_samples

request_example

get/orgs/{org}/actions/oidc/customization/properties/repo

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/orgs/ORG/actions/oidc/customization/properties/repo

A JSON array of OIDC custom property inclusions

Status: 200

[
  {
    "property_name": "environment"
  },
  {
    "property_name": "team"
  }
]

Create an OIDC custom property inclusion for an organization

Adds a repository custom property to be included in the OIDC token for repository actions in an organization.

OAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

"Administration" organization permissions (write)

“”Create an OIDC custom property inclusion for an organization 的参数

标头
名称, 类型, 说明
`accept` string Setting to `application/vnd.github+json` is recommended.

路径参数
名称, 类型, 说明
`org` string 必须 The organization name. The name is not case sensitive.

主体参数
名称, 类型, 说明
`custom_property_name` string 必须 The name of the custom property to include in the OIDC token

http_status_code

status_code	说明
`201`	OIDC custom property inclusion created
`400`	Invalid input
`403`	Forbidden
`422`	Property inclusion already exists

code_samples

request_example

post/orgs/{org}/actions/oidc/customization/properties/repo

curl -L \
  -X POST \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/orgs/ORG/actions/oidc/customization/properties/repo \
  -d '{"custom_property_name":"environment"}'

OIDC custom property inclusion created

Status: 201

{
  "custom_property_name": "environment"
}

Delete an OIDC custom property inclusion for an organization

Removes a repository custom property from being included in the OIDC token for repository actions in an organization.

OAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

"Administration" organization permissions (write)

“”Delete an OIDC custom property inclusion for an organization 的参数

标头
名称, 类型, 说明
`accept` string Setting to `application/vnd.github+json` is recommended.

路径参数
名称, 类型, 说明
`org` string 必须 The organization name. The name is not case sensitive.
`custom_property_name` string 必须 The name of the custom property to remove from OIDC token inclusion

http_status_code

status_code	说明
`204`	OIDC custom property inclusion deleted
`400`	Invalid input
`403`	Forbidden
`404`	Property inclusion not found

code_samples

request_example

delete/orgs/{org}/actions/oidc/customization/properties/repo/{custom_property_name}

curl -L \
  -X DELETE \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/orgs/ORG/actions/oidc/customization/properties/repo/CUSTOM_PROPERTY_NAME

OIDC custom property inclusion deleted

Status: 204

Get the customization template for an OIDC subject claim for an organization

Gets the customization template for an OpenID Connect (OIDC) subject claim.

OAuth app tokens and personal access tokens (classic) need the read:org scope to use this endpoint.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

"Administration" organization permissions (read)

“”Get the customization template for an OIDC subject claim for an organization 的参数

标头
名称, 类型, 说明
`accept` string Setting to `application/vnd.github+json` is recommended.

路径参数
名称, 类型, 说明
`org` string 必须 The organization name. The name is not case sensitive.

http_status_code

status_code	说明
`200`	A JSON serialized template for OIDC subject claim customization

code_samples

request_example

get/orgs/{org}/actions/oidc/customization/sub

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/orgs/ORG/actions/oidc/customization/sub

A JSON serialized template for OIDC subject claim customization

Status: 200

{
  "include_claim_keys": [
    "repo",
    "context"
  ]
}

Set the customization template for an OIDC subject claim for an organization

Creates or updates the customization template for an OpenID Connect (OIDC) subject claim.

OAuth app tokens and personal access tokens (classic) need the write:org scope to use this endpoint.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

"Administration" organization permissions (write)

“”Set the customization template for an OIDC subject claim for an organization 的参数

标头
名称, 类型, 说明
`accept` string Setting to `application/vnd.github+json` is recommended.

路径参数
名称, 类型, 说明
`org` string 必须 The organization name. The name is not case sensitive.

主体参数
名称, 类型, 说明
`include_claim_keys` array of strings Array of unique strings. Each claim key can only contain alphanumeric characters and underscores.
`use_immutable_subject` boolean Whether to opt in to the immutable OIDC subject claim format for the organization. When `true`, new OIDC tokens will use a stable, repository-ID-based `sub` claim instead of the name-based format.

http_status_code

status_code	说明
`201`	Empty response
`403`	Forbidden
`404`	Resource not found

code_samples

request_example

put/orgs/{org}/actions/oidc/customization/sub

curl -L \
  -X PUT \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/orgs/ORG/actions/oidc/customization/sub \
  -d '{"include_claim_keys":["repo","context"]}'

Empty response

Status: 201

Get the customization template for an OIDC subject claim for a repository

Gets the customization template for an OpenID Connect (OIDC) subject claim.

OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

"Actions" repository permissions (read)

allows_public_read_access

“”Get the customization template for an OIDC subject claim for a repository 的参数

标头
名称, 类型, 说明
`accept` string Setting to `application/vnd.github+json` is recommended.

路径参数
名称, 类型, 说明
`owner` string 必须 The account owner of the repository. The name is not case sensitive.
`repo` string 必须 The name of the repository without the `.git` extension. The name is not case sensitive.

http_status_code

status_code	说明
`200`	Status response
`400`	Bad Request
`404`	Resource not found

code_samples

request_example

get/repos/{owner}/{repo}/actions/oidc/customization/sub

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/repos/OWNER/REPO/actions/oidc/customization/sub

Status response

Status: 200

{
  "use_default": false,
  "include_claim_keys": [
    "repo",
    "context"
  ]
}

Set the customization template for an OIDC subject claim for a repository

Sets the customization template and opt-in or opt-out flag for an OpenID Connect (OIDC) subject claim for a repository.

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

"Actions" repository permissions (write)

“”Set the customization template for an OIDC subject claim for a repository 的参数

标头
名称, 类型, 说明
`accept` string Setting to `application/vnd.github+json` is recommended.

路径参数
名称, 类型, 说明
`owner` string 必须 The account owner of the repository. The name is not case sensitive.
`repo` string 必须 The name of the repository without the `.git` extension. The name is not case sensitive.

主体参数
名称, 类型, 说明
`use_default` boolean 必须 Whether to use the default template or not. If `true`, the `include_claim_keys` field is ignored.
`include_claim_keys` array of strings Array of unique strings. Each claim key can only contain alphanumeric characters and underscores.
`use_immutable_subject` boolean Whether to opt in to the immutable OIDC subject claim format for this repository. When `true`, OIDC tokens will use a stable, repository-ID-based `sub` claim.

http_status_code

status_code	说明
`201`	Empty response
`400`	Bad Request
`404`	Resource not found
`422`	Validation failed, or the endpoint has been spammed.

code_samples

request_example

put/repos/{owner}/{repo}/actions/oidc/customization/sub

curl -L \
  -X PUT \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/repos/OWNER/REPO/actions/oidc/customization/sub \
  -d '{"use_default":false,"include_claim_keys":["repo","context"]}'

Empty response

Status: 201