Skip to content
Latchkey

GitHub Actions "id-token permission not propagated to reusable workflow"

A reusable workflow inherits the caller permission set. If the caller job does not grant id-token: write, the reusable workflow cannot mint an OIDC token no matter what its own permissions block says. This is a config error.

What this error means

OIDC works in a standalone workflow but fails with a missing-token error once the same steps are moved behind a reusable workflow call.

github-actions
Error: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable
(called via uses: ./.github/workflows/deploy-reusable.yml)

Common causes

Caller job omits id-token: write

The job that uses the reusable workflow does not grant id-token, so the inherited permission set has OIDC disabled.

Relying on the reusable file permissions alone

Permissions declared inside the reusable workflow cannot exceed what the caller grants.

How to fix it

Grant id-token on the calling job

  1. Add permissions with id-token: write to the job that invokes the reusable workflow.
  2. Keep contents: read for checkout inside the reusable workflow.
  3. Re-run; the reusable workflow now inherits OIDC.
.github/workflows/ci.yml (caller)
jobs:
  call-deploy:
    permissions:
      id-token: write
      contents: read
    uses: ./.github/workflows/deploy-reusable.yml
    secrets: inherit

How to prevent it

  • Grant id-token on the caller for every reusable workflow that performs OIDC login.
  • Document the required caller permissions in the reusable workflow header comment.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →