🚀 [Feature]: OIDC subject claim customization now available for organizations and repositories #563
Open
Copilot started work on behalf of Marius Storhaug (MariusStorhaug), February 25, 2026 21:27
…positories Co-authored-by: MariusStorhaug <17722253+MariusStorhaug@users.noreply.github.com>
Copilot (AI) changed the title from "[WIP] Add support for OIDC subject claim customization" to "Add OIDC subject claim customization for organizations and repositories", Feb 25, 2026
Copilot started reviewing on behalf of Marius Storhaug (MariusStorhaug), February 26, 2026 12:45
Pull request overview
Adds GitHub Actions OIDC subject claim customization support to the module, enabling users to discover available OIDC claim keys and get/set OIDC subject claim templates at the organization or repository level (fixes #562).
Changes:
- Introduces `Get-GitHubOidcClaim`, `Get-GitHubOidcSubjectClaim`, and `Set-GitHubOidcSubjectClaim` public commands.
- Adds private per-endpoint implementations for org/repo GET + PUT OIDC subject-claim customization.
- Registers an argument completer for `Set-GitHubOidcSubjectClaim -IncludeClaimKeys` and adds Pester coverage in `Actions.Tests.ps1`.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| tests/Actions.Tests.ps1 | Adds integration-style tests for OIDC claim discovery and org/repo get/set operations. |
| src/functions/public/Actions/OIDC/completers.ps1 | Adds argument completion for IncludeClaimKeys using Get-GitHubOidcClaim. |
| src/functions/public/Actions/OIDC/Set-GitHubOidcSubjectClaim.ps1 | Public setter routing to org/repo private endpoints with ShouldProcess delegated to private functions. |
| src/functions/public/Actions/OIDC/Get-GitHubOidcSubjectClaim.ps1 | Public getter routing to org/repo private endpoints. |
| src/functions/public/Actions/OIDC/Get-GitHubOidcClaim.ps1 | Implements OIDC discovery endpoint query to list supported claim keys. |
| src/functions/private/Actions/OIDC/Set-GitHubOidcSubjectClaimForRepository.ps1 | PUT repo-level subject claim customization endpoint. |
| src/functions/private/Actions/OIDC/Set-GitHubOidcSubjectClaimForOrganization.ps1 | PUT org-level subject claim customization endpoint. |
| src/functions/private/Actions/OIDC/Get-GitHubOidcSubjectClaimForRepository.ps1 | GET repo-level subject claim customization endpoint. |
| src/functions/private/Actions/OIDC/Get-GitHubOidcSubjectClaimForOrganization.ps1 | GET org-level subject claim customization endpoint. |
…stom properties, and enterprise controls
GitHub Actions OIDC token subject claims can now be customized per organization and repository directly from the module. Three new commands provide full control over which claim keys are included in the `sub` field of OIDC tokens issued to workflows, enabling fine-grained identity configuration for cloud provider trust policies.

New: Discover available OIDC claim keys

`Get-GitHubOidcClaim` queries the OpenID Connect discovery endpoint for a GitHub instance and returns the list of supported claim keys. No authentication is required.

For GitHub Enterprise instances, pass a `Context` parameter to target the correct hostname.

New: Retrieve current OIDC subject claim template

`Get-GitHubOidcSubjectClaim` returns the current customization template at the organization or repository level.

New: Set OIDC subject claim template

`Set-GitHubOidcSubjectClaim` creates or updates the claim template. Use `-UseDefault` at the repository level to reset to the organization default.

The `IncludeClaimKeys` parameter supports argument completion powered by `Get-GitHubOidcClaim`.

Technical Details

- `Get-GitHubOidcSubjectClaimForOrganization`, `Get-GitHubOidcSubjectClaimForRepository`, `Set-GitHubOidcSubjectClaimForOrganization`, `Set-GitHubOidcSubjectClaimForRepository`
- `GET/PUT /orgs/{org}/actions/oidc/customization/sub`, `GET/PUT /repos/{owner}/{repo}/actions/oidc/customization/sub`
- `ShouldProcess` is delegated from the public `Set-` function to private functions, consistent with the `Set-GitHubSecret` pattern
- `completers.ps1` using `Register-ArgumentCompleter` with `CompletionMode` support
- `Actions.Tests.ps1`
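
The effect of a template change on cloud provider trust policies, as an added example that is not part of this pull request or the module: it composes the `sub` value a claim-key template yields and checks it against the subject patterns a trust policy accepts, showing that a policy written for the repo-based subject stops matching once the template changes. The function names, claim values and policy patterns are constructed for illustration, and the `key:value` colon-joined subject format is an assumption of the sketch.

```powershell
# Added example, not module code. Assumption: every key in the template is
# emitted as "key:value" and the pairs are joined with ":" in template order.
function Get-ExpectedOidcSubject {
    param(
        [Parameter(Mandatory)] [string[]] $IncludeClaimKeys,
        [Parameter(Mandatory)] [hashtable] $Claims
    )
    $parts = foreach ($key in $IncludeClaimKeys) {
        # "context" expands to several possible claims; it is not modelled here.
        if ($key -eq 'context') { throw "The composite 'context' key is outside this sketch." }
        if (-not $Claims.ContainsKey($key)) { throw "Token carries no '$key' claim." }
        '{0}:{1}' -f $key, $Claims[$key]
    }
    $parts -join ':'
}

function Test-OidcSubjectTrusted {
    param(
        [Parameter(Mandatory)] [string] $Subject,
        [Parameter(Mandatory)] [string[]] $AllowedPatterns
    )
    # Case-sensitive wildcard match, the way a subject condition with "*" is usually evaluated.
    foreach ($pattern in $AllowedPatterns) {
        if ($Subject -clike $pattern) { return $true }
    }
    return $false
}

# Constructed sample claims (hypothetical values, not taken from a real token).
$claims = @{
    repository_owner      = 'octo-org'
    repository_id         = '123456789'
    repository_visibility = 'private'
    job_workflow_ref      = 'octo-org/octo-automation/.github/workflows/deploy.yml@refs/heads/main'
}
# Constructed trust-policy patterns: one written for the repo-based subject, one for the new template.
$oldPolicy = @('repo:octo-org/octo-repo:*')
$newPolicy = @('repository_owner:octo-org:repository_id:123456789')

$sub = Get-ExpectedOidcSubject -IncludeClaimKeys 'repository_owner', 'repository_id' -Claims $claims
[pscustomobject]@{
    Subject          = $sub
    MatchesOldPolicy = Test-OidcSubjectTrusted -Subject $sub -AllowedPatterns $oldPolicy
    MatchesNewPolicy = Test-OidcSubjectTrusted -Subject $sub -AllowedPatterns $newPolicy
}
```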