CurrentStack
#devops#ci/cd#security#identity#cloud

GitHub Actions OIDC Custom Properties: A Practical ABAC Playbook for 2026

GitHub’s April update for Actions adds a change many platform teams have wanted for years: repository custom properties now appear as OIDC token claims. Combined with cloud IAM condition keys, this finally enables practical attribute-based access control (ABAC) for CI pipelines without managing endless repository allowlists.

Reference: https://github.blog/changelog/2026-04-02-github-actions-early-april-2026-updates/.

Why this matters now

Most enterprises still model CI trust with one of these patterns:

  1. Per-repo cloud roles, which scales badly.
  2. Shared broad roles, which increases blast radius.
  3. Static credentials, which should already be retired.

Custom property claims shift trust from “which repository name is calling” to “what governance attributes this repository has.” That aligns better with how security and platform teams actually classify systems.

The core model

Define repository custom properties in GitHub, for example:

  • data_classification: public, internal, restricted
  • runtime_tier: dev, staging, prod
  • owner_domain: payments, growth, platform
  • compliance_scope: none, soc2, pci

Then issue cloud permissions from these attributes, not from repository strings. In AWS, Azure, and GCP this maps naturally to OIDC subject and custom claim conditions.

Migration pattern that minimizes risk

Phase 1: Observe-only

  • Add custom properties to top 20 critical repositories.
  • Keep existing trust policies.
  • Log OIDC claims and detect missing/invalid values.

Phase 2: Dual-policy

  • Keep repo-name matching in place.
  • Add ABAC condition checks in parallel.
  • Alert on any workflow that passes old checks but fails attribute checks.

Phase 3: Attribute-first

  • Remove repository name allowlists from trust policies.
  • Keep emergency break-glass role for incident response.
  • Enforce property review in repo creation templates.

Governance controls you should add

1) Property schema ownership

Treat repository properties as security-relevant metadata. Store allowed values in a central schema and version it. Platform engineering should not silently change compliance values.

2) Drift detection

Run a daily job that compares:

  • expected values from your repo registry
  • actual values in GitHub
  • claims observed in cloud audit logs

If these diverge, access policy integrity is already compromised.

3) Deployment class boundaries

Use runtime class as a hard gate:

  • runtime_tier=prod may assume production deploy roles.
  • non-prod tiers receive read-only or sandbox-scoped credentials.

This is a straightforward way to block accidental privilege carryover.

Where teams get stuck

Overloading one property

Do not encode multiple meanings in one field (criticality-prod-pci). Keep properties atomic so policy expressions stay readable.

Missing fallback design

When claims are missing, some teams fail open by mistake. Make all trust policies fail closed and provide one explicit emergency route with ticketed approval.

No ownership workflow

If any maintainer can edit compliance properties, ABAC becomes decorative. Require approval from designated owners for high-impact properties.

Operational metrics to track

  • Role count reduction over time
  • Percentage of workflows using OIDC-only auth
  • Policy evaluation failures by property
  • Mean time to remediate property drift
  • Number of broad wildcard IAM statements removed

These metrics let you show both risk reduction and operational simplification.

Example rollout in a mid-size org

A 200-repository organization typically reaches meaningful impact in 6-8 weeks:

  • Week 1-2: property taxonomy and ownership model
  • Week 3-4: cloud policy scaffolding and dual-policy mode
  • Week 5-6: migrate critical deploy repositories
  • Week 7-8: remove legacy name-based trust and document incident path

The result is fewer IAM artifacts, clearer governance boundaries, and a CI trust model that can keep pace with repository growth.

Closing

OIDC with custom repository properties is not just a quality-of-life improvement. It is the missing bridge between source-control governance and cloud authorization. Teams that move now can reduce both credential risk and policy maintenance cost before their AI-driven automation footprint doubles again.

Recommended for you

← Back to Stories