Secure GitHub Actions authentication

Argos can now authenticate GitHub Actions uploads without storing a long-lived ARGOS_TOKEN secret in your repository.
With GitHub OIDC, each workflow run receives a short-lived identity token signed by GitHub. Argos verifies the token against the linked repository and workflow, then accepts the upload with credentials scoped to that build.
For workflows where GitHub does not issue OIDC tokens, especially pull requests from forks, the SDK falls back to a more secure tokenless flow. Argos verifies the in-progress workflow run through the GitHub API before issuing a short-lived token.
- OIDC where available: Enable GitHub OIDC in Project Settings -> Authentication, add `id-token: write` to your workflow permissions, and remove `ARGOS_TOKEN` from the job.
- No long-lived CI secret: Uploads use GitHub-signed identity and short-lived scoped credentials instead of a reusable Argos token.
- Safer tokenless fallback: Forked pull requests and public repositories can still upload without secrets while Argos checks the repository, commit, branch, and workflow run.
- One workflow for every PR: Internal PRs use OIDC, while forked PRs fall back to tokenless automatically when OIDC is unavailable.
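
The kind of check described above, where a service matches a GitHub-signed token to a linked repository and workflow, as an added example that is not Argos's code. It assumes the token's signature has already been verified against GitHub's published keys; the `project` record, the audience value and the sample claims are constructed for illustration.

```javascript
// Added example, not Argos's code. Claim checks a relying party applies to a
// GitHub Actions OIDC token AFTER verifying its signature against GitHub's JWKS.
const GITHUB_ISSUER = "https://token.actions.githubusercontent.com";

function checkGithubOidcClaims(claims, project, nowSeconds) {
  const errors = [];
  if (claims.iss !== GITHUB_ISSUER) errors.push("unexpected issuer");
  // `aud` may be a single string or an array of strings.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(project.audience)) errors.push("audience mismatch");
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) errors.push("token expired");
  if (typeof claims.nbf === "number" && claims.nbf > nowSeconds) errors.push("token not yet valid");
  // Match on the numeric repository id: an owner/name string can be renamed or re-registered.
  if (String(claims.repository_id) !== String(project.repositoryId)) errors.push("repository not linked");
  // workflow_ref looks like owner/repo/.github/workflows/file.yml@ref
  const workflowPath = String(claims.workflow_ref || "").split("@")[0];
  if (!project.allowedWorkflows.includes(workflowPath)) errors.push("workflow not allowed");
  if (errors.length > 0) return { ok: false, errors };
  // Anything issued from here on is scoped to this one run and commit.
  return { ok: true, build: { repository: claims.repository, sha: claims.sha, ref: claims.ref, runId: claims.run_id } };
}

// Constructed sample data (hypothetical project record and token claims).
const project = {
  audience: "https://argos.example",
  repositoryId: "123456",
  allowedWorkflows: ["acme/web/.github/workflows/ci.yml"],
};
const now = 1700000000;
const sampleClaims = {
  iss: GITHUB_ISSUER,
  aud: "https://argos.example",
  exp: now + 300,
  nbf: now - 10,
  repository: "acme/web",
  repository_id: "123456",
  workflow_ref: "acme/web/.github/workflows/ci.yml@refs/heads/main",
  sha: "0000000000000000000000000000000000000000",
  ref: "refs/heads/main",
  run_id: "42",
};

console.log(checkGithubOidcClaims(sampleClaims, project, now));
console.log(checkGithubOidcClaims({ ...sampleClaims, repository_id: "999" }, project, now));
```
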
Learn more in the GitHub OIDC documentation and the GitHub tokenless documentation.