GitHub Actions "id-token permission not propagated to reusable workflow"
A reusable workflow inherits the caller permission set. If the caller job does not grant id-token: write, the reusable workflow cannot mint an OIDC token no matter what its own permissions block says. This is a config error.
What this error means
OIDC works in a standalone workflow but fails with a missing-token error once the same steps are moved behind a reusable workflow call.
github-actions
Error: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable
(called via uses: ./.github/workflows/deploy-reusable.yml)Common causes
Caller job omits id-token: write
The job that uses the reusable workflow does not grant id-token, so the inherited permission set has OIDC disabled.
Relying on the reusable file permissions alone
Permissions declared inside the reusable workflow cannot exceed what the caller grants.
How to fix it
Grant id-token on the calling job
- Add permissions with id-token: write to the job that invokes the reusable workflow.
- Keep contents: read for checkout inside the reusable workflow.
- Re-run; the reusable workflow now inherits OIDC.
.github/workflows/ci.yml (caller)
jobs:
call-deploy:
permissions:
id-token: write
contents: read
uses: ./.github/workflows/deploy-reusable.yml
secrets: inheritHow to prevent it
- Grant id-token on the caller for every reusable workflow that performs OIDC login.
- Document the required caller permissions in the reusable workflow header comment.
Related guides
GitHub Actions "Unable to get ACTIONS_ID_TOKEN_REQUEST_URL"Fix the GitHub Actions OIDC error "Unable to get ACTIONS_ID_TOKEN_REQUEST_URL" - the job is missing id-token:…
GitHub Actions secrets: inherit does not reach a nested reusable workflowFix secrets going missing two levels deep when the middle reusable workflow does not forward them onward.
GitHub Actions OIDC "Not authorized to perform sts:AssumeRoleWithWebIdentity"Fix the AWS OIDC error "Not authorized to perform sts:AssumeRoleWithWebIdentity" - the IAM role trust policy…