We encountered a specific GitHub Actions restriction at Depot[0]: for pull_request workflows that originate from open-source forks, Actions disables access to all repository secrets and to the Actions OIDC issuer, as a security mechanism to deny untrusted code access to those secrets.

But we needed a way to authenticate our CLI within those public workflows. This OIDC issuer is the result of that need, and works like so:

1. The pull_request workflow makes a "claim request" to the OIDC issuer, claiming certain details about the workflow like the ID, run ID, repository, etc.

2. The OIDC issuer responds with a "challenge code" that the workflow must periodically print to its logs.

3. The OIDC issuer connects to the GitHub Actions websocket endpoint for log streaming, validates that the challenge code is being printed, then returns a new OIDC token to the workflow.

This is working well for us, and lets us acquire an OIDC token similar to the GitHub Actions native OIDC token. The issuer itself runs as a Cloudflare Worker.

Happy to answer questions and I'd love any feedback you may have!

[0] https://depot.dev