GitHub Actions OIDC tokens now support custom properties for cloud access control
GitHub Actions · GitHub · feature, api, security, platform · github.blog

Custom Properties in OIDC Tokens

GitHub Actions OIDC tokens now support repository custom properties as claims. Organization and enterprise admins can select custom properties to include in OIDC tokens, which are automatically prefixed with repo_property_ in the token claims. This allows repositories to inherit cloud access policies based on their GitHub metadata without requiring static allow lists or per-repository workflow modifications.

Key Benefits

Eliminate duplication: Governance metadata is centralized and flows automatically into cloud policies across AWS, Azure, GCP, and other providers.

Reduce configuration drift: Policies bind directly to repository attributes, staying accurate as your organization evolves.

Accelerate onboarding: New repositories automatically inherit the correct access policies based on their configured properties.

Consistent cross-cloud policies: Transform existing GitHub metadata into actionable control surfaces for managed identities across multiple cloud providers.

What's Available Now

  • Add repository custom properties to OIDC tokens via the API or new settings UI
  • Use custom properties in the subject claim for flexible policy targeting
  • View and manage OIDC token claim configuration at the repository, organization, and enterprise level
  • Reference custom property claims in cloud provider trust policies to control access based on repository attributes

The new settings page is available in public preview, making it easy to configure OIDC token claims directly from your GitHub settings without requiring API calls.
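
As an added illustration (not code from GitHub or from the original post), the sketch below shows how a relying party that validates GitHub Actions OIDC tokens itself could bind access to `repo_property_` claims while failing closed when a property is missing. It assumes the token's signature and expiry were already verified by a JWT library; the organization name, audience, property names and values are constructed, and the policy format is hypothetical.

```python
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
PROPERTY_PREFIX = "repo_property_"  # prefix named in the announcement


def extract_repo_properties(claims):
    """Return {property_name: value} for every repo_property_* claim."""
    return {
        key[len(PROPERTY_PREFIX):]: value
        for key, value in claims.items()
        if key.startswith(PROPERTY_PREFIX)
    }


def evaluate_trust_policy(claims, policy):
    """Return (allowed, reason); any missing or mismatched claim denies."""
    if claims.get("iss") != GITHUB_ISSUER:
        return False, "unexpected issuer"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if policy["audience"] not in audiences:
        return False, "unexpected audience"
    # Property names are not unique across GitHub, so the owning
    # organization is pinned before any property is trusted.
    if claims.get("repository_owner") != policy["repository_owner"]:
        return False, "repository owner not trusted"
    properties = extract_repo_properties(claims)
    for name, allowed_values in policy["required_properties"].items():
        value = properties.get(name)
        # Assumption: property values arrive as strings; other types deny.
        if not isinstance(value, str):
            return False, f"missing or non-string property: {name}"
        if value not in allowed_values:
            return False, f"property {name} not permitted"
    return True, "ok"


# Constructed sample policy and claims (hypothetical names and values).
SAMPLE_POLICY = {
    "audience": "https://cloud.example.internal",
    "repository_owner": "example-org",
    "required_properties": {
        "deploy_tier": {"production"},
        "data_classification": {"internal", "public"},
    },
}
SAMPLE_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "aud": "https://cloud.example.internal",
    "repository_owner": "example-org",
    "repo_property_deploy_tier": "production",
    "repo_property_data_classification": "internal",
}
```

A repository that lacks a required property, or a token from another organization that sets the same property name, is denied rather than falling through to a default allow.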