GitHub Actions OIDC id-token Missing in a Reusable Workflow
A cloud login that relies on OIDC fails inside a reusable workflow because id-token: write was not granted by the caller, or the called workflow narrowed permissions below what the OIDC step needs.
What this error means
The OIDC token request fails with a permission error when the login step runs in a called workflow, even though the same step works in a standalone workflow.
Actions log
Error: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable
# the caller did not grant id-token: write to the reusable workflowCommon causes
Caller did not grant id-token: write
Permissions for a reusable workflow are bounded by the caller. If the calling job does not grant id-token: write, the called workflow cannot request an OIDC token.
Called workflow narrowed permissions
A permissions block inside the called workflow can only reduce, never expand. Omitting id-token there (or setting it to none) blocks the OIDC step.
How to fix it
Grant id-token: write in the caller
.github/workflows/release.yml
# caller
jobs:
deploy:
permissions:
id-token: write
contents: read
uses: ./.github/workflows/cloud-deploy.ymlKeep id-token in the called workflow scope
- Ensure the called workflow does not drop id-token from its permissions.
- Remember the effective permission is the intersection of caller and callee.
- Verify the cloud trust policy accepts the called-workflow subject claim.
How to prevent it
- Grant id-token: write at the caller job that uses a reusable OIDC workflow.
- Do not narrow id-token away inside the reusable workflow.
- Confirm the OIDC subject claim matches your cloud trust policy.
Related guides
GitHub Actions SARIF Upload Fails - security-events: write MissingFix GitHub Actions code-scanning SARIF upload failures - the upload step needs security-events: write, which…
GitHub Actions Reusable Workflow "secret not defined" - Declare in workflow_callFix GitHub Actions reusable workflow secret errors - passing a secret the called workflow never declared unde…
GitHub Actions Environment Secrets Empty Without environment: on the JobFix GitHub Actions environment secrets coming through empty - environment-scoped secrets only load when the j…