Skip to content

🚀 [Feature]: OIDC subject claim customization now available for organizations and repositories #563

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Copilot wants to merge 6 commits into
base: main
Choose a base branch
from
+845 −0
Open

🚀 [Feature]: OIDC subject claim customization now available for organizations and repositories #563

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
8d1b1d9
Initial plan
Copilot Feb 25, 2026
5484bfe
Add OIDC subject claim customization support for organizations and re…
Copilot Feb 25, 2026
7f5c856
🩹 [Patch]: Update OIDC subject claim documentation links for consistency
MariusStorhaug Feb 26, 2026
78af530
🩹 [Patch]: Refactor OIDC tests to improve context handling and reposi…
MariusStorhaug Feb 26, 2026
8bd1d8e
🩹 [Patch]: Add new fine-grained permissions for artifact metadata, cu…
MariusStorhaug Feb 26, 2026
d159e59
Refactor OIDC test context usage for improved readability and consist…
MariusStorhaug Feb 26, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
155 changes: 155 additions & 0 deletions src/classes/public/GitHubPermission.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -487,6 +487,19 @@
'Fine-grained',
'Repository'
),
[GitHubPermission]::new(
'artifact_metadata',
'Artifact metadata',
'Manage artifact attestation metadata for a repository.',
'https://docs.github.com/rest/overview/permissions-required-for-github-apps' +
'#repository-permissions-for-artifact-metadata',
@(
'read',
'write'
),
'Fine-grained',
'Repository'
),

# ------------------------------
# Organization Fine-Grained Permission Definitions
Expand Down Expand Up @@ -569,6 +582,19 @@
'Fine-grained',
'Organization'
),
[GitHubPermission]::new(
'custom_properties_for_organizations',
'Custom properties for organizations',
'Read and write custom properties for organizations.',
'https://docs.github.com/rest/overview/permissions-required-for-github-apps' +
'#organization-permissions-for-custom-properties-for-organizations',
@(
'read',
'write'
),
'Fine-grained',
'Organization'
),
[GitHubPermission]::new(
'organization_custom_roles',
'Custom repository roles',
Expand Down Expand Up @@ -607,6 +633,31 @@
'Fine-grained',
'Organization'
),
[GitHubPermission]::new(
'organization_copilot_metrics',
'Copilot metrics',
'View Copilot usage metrics for an organization.',
'https://docs.github.com/rest/overview/permissions-required-for-github-apps' +
'#organization-permissions-for-copilot-metrics',
@(
'read'
),
'Fine-grained',
'Organization'
),
[GitHubPermission]::new(
'organization_credentials',
'Organization credentials',
'Manage credentials for an organization.',
'https://docs.github.com/rest/overview/permissions-required-for-github-apps' +
'#organization-permissions-for-organization-credentials',
@(
'read',
'write'
),
'Fine-grained',
'Organization'
),
[GitHubPermission]::new(
'issue_fields',
'Issue Fields',
Expand Down Expand Up @@ -762,6 +813,19 @@
'Fine-grained',
'Organization'
),
[GitHubPermission]::new(
'organization_dependabot_dismissal_requests',
'Organization Dependabot dismissal requests',
'Review and manage Dependabot alert dismissal requests for an organization.',
'https://docs.github.com/rest/overview/permissions-required-for-github-apps' +
'#organization-permissions-for-organization-dependabot-dismissal-requests',
@(
'read',
'write'
),
'Fine-grained',
'Organization'
),
[GitHubPermission]::new(
'organization_code_scanning_dismissal_requests',
'Organization dismissal requests for code scanning',
Expand Down Expand Up @@ -879,6 +943,19 @@
'Fine-grained',
'Organization'
),
[GitHubPermission]::new(
'organization_runner_custom_images',
'Runner custom images',
'View and manage custom images for self-hosted runners available to an organization.',
'https://docs.github.com/rest/overview/permissions-required-for-github-apps' +
'#organization-permissions-for-runner-custom-images',
@(
'read',
'write'
),
'Fine-grained',
'Organization'
),
[GitHubPermission]::new(
'team_discussions',
'Team discussions',
Expand Down Expand Up @@ -1259,6 +1336,84 @@
),
'Fine-grained',
'Enterprise'
),
[GitHubPermission]::new(
'enterprise_ai_controls',
'Enterprise AI controls',
'Manage AI controls at the enterprise level.',
'https://docs.github.com/enterprise-cloud@latest/rest/overview/permissions-required-for-github-apps' +
'#enterprise-permissions-for-enterprise-ai-controls',
@(
'read',
'write'
),
'Fine-grained',
'Enterprise'
),
[GitHubPermission]::new(
'enterprise_copilot_metrics',
'Enterprise Copilot metrics',
'View Copilot usage metrics at the enterprise level.',
'https://docs.github.com/enterprise-cloud@latest/rest/overview/permissions-required-for-github-apps' +
'#enterprise-permissions-for-enterprise-copilot-metrics',
@(
'read'
),
'Fine-grained',
'Enterprise'
),
[GitHubPermission]::new(
'enterprise_credentials',
'Enterprise credentials',
'Manage credentials at the enterprise level.',
'https://docs.github.com/enterprise-cloud@latest/rest/overview/permissions-required-for-github-apps' +
'#enterprise-permissions-for-enterprise-credentials',
@(
'read',
'write'
),
'Fine-grained',
'Enterprise'
),
[GitHubPermission]::new(
'enterprise_custom_enterprise_roles',
'Custom enterprise roles',
'Create, edit, delete and list custom enterprise roles.',
'https://docs.github.com/enterprise-cloud@latest/rest/overview/permissions-required-for-github-apps' +
'#enterprise-permissions-for-custom-enterprise-roles',
@(
'read',
'write'
),
'Fine-grained',
'Enterprise'
),
[GitHubPermission]::new(
'enterprise_custom_properties_for_organizations',
'Custom properties for organizations',
'View repository custom properties and administer definitions for enterprise organizations.',
'https://docs.github.com/enterprise-cloud@latest/rest/overview/permissions-required-for-github-apps' +
'#enterprise-permissions-for-custom-properties-for-organizations',
@(
'read',
'write',
'admin'
),
'Fine-grained',
'Enterprise'
),
[GitHubPermission]::new(
'enterprise_teams',
'Enterprise teams',
'Manage teams at the enterprise level.',
'https://docs.github.com/enterprise-cloud@latest/rest/overview/permissions-required-for-github-apps' +
'#enterprise-permissions-for-enterprise-teams',
@(
'read',
'write'
),
'Fine-grained',
'Enterprise'
)
)
}
Expand Down
55 changes: 55 additions & 0 deletions src/functions/private/Actions/OIDC/Get-GitHubOidcSubjectClaimForOrganization.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
function Get-GitHubOidcSubjectClaimForOrganization {
<#
.SYNOPSIS
Get the customization template for an OIDC subject claim for an organization

.DESCRIPTION
Gets the customization template for an OpenID Connect (OIDC) subject claim for an organization.

.EXAMPLE
```powershell
Get-GitHubOidcSubjectClaimForOrganization -Organization 'PSModule' -Context $GitHubContext
```

Gets the OIDC subject claim customization template for the 'PSModule' organization.

.NOTES
[Get the customization template for an OIDC subject claim for an organization]
(https://docs.github.com/rest/actions/oidc#get-the-customization-template-for-an-oidc-subject-claim-for-an-organization)
#>
[OutputType([pscustomobject])]
[CmdletBinding()]
param(
# The organization name. The name is not case sensitive.
[Parameter(Mandatory)]
[string] $Organization,

# The context to run the command in. Used to get the details for the API call.
# Can be either a string or a GitHubContext object.
[Parameter(Mandatory)]
[object] $Context
)

begin {
$stackPath = Get-PSCallStackPath
Write-Debug "[$stackPath] - Start"
Assert-GitHubContext -Context $Context -AuthType IAT, PAT, UAT
# Required permissions: Administration org (read) or read:org
}

process {
$apiParams = @{
Method = 'GET'
APIEndpoint = "/orgs/$Organization/actions/oidc/customization/sub"
Context = $Context
}

Invoke-GitHubAPI @apiParams | ForEach-Object {
Write-Output $_.Response
}
}

end {
Write-Debug "[$stackPath] - End"
}
}
59 changes: 59 additions & 0 deletions src/functions/private/Actions/OIDC/Get-GitHubOidcSubjectClaimForRepository.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
function Get-GitHubOidcSubjectClaimForRepository {
<#
.SYNOPSIS
Get the customization template for an OIDC subject claim for a repository

.DESCRIPTION
Gets the customization template for an OpenID Connect (OIDC) subject claim for a repository.

.EXAMPLE
```powershell
Get-GitHubOidcSubjectClaimForRepository -Owner 'PSModule' -Repository 'GitHub' -Context $GitHubContext
```

Gets the OIDC subject claim customization template for the 'GitHub' repository.

.NOTES
[Get the customization template for an OIDC subject claim for a repository]
(https://docs.github.com/rest/actions/oidc#get-the-customization-template-for-an-oidc-subject-claim-for-a-repository)
#>
[OutputType([pscustomobject])]
[CmdletBinding()]
param(
# The account owner of the repository. The name is not case sensitive.
[Parameter(Mandatory)]
[string] $Owner,

# The name of the repository without the .git extension. The name is not case sensitive.
[Parameter(Mandatory)]
[string] $Repository,

# The context to run the command in. Used to get the details for the API call.
# Can be either a string or a GitHubContext object.
[Parameter(Mandatory)]
[object] $Context
)

begin {
$stackPath = Get-PSCallStackPath
Write-Debug "[$stackPath] - Start"
Assert-GitHubContext -Context $Context -AuthType IAT, PAT, UAT
# Required permissions: Actions repo (read) or repo
}

process {
$apiParams = @{
Method = 'GET'
APIEndpoint = "/repos/$Owner/$Repository/actions/oidc/customization/sub"
Context = $Context
}

Invoke-GitHubAPI @apiParams | ForEach-Object {
Write-Output $_.Response
}
}

end {
Write-Debug "[$stackPath] - End"
}
}
64 changes: 64 additions & 0 deletions src/functions/private/Actions/OIDC/Set-GitHubOidcSubjectClaimForOrganization.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
function Set-GitHubOidcSubjectClaimForOrganization {
<#
.SYNOPSIS
Set the customization template for an OIDC subject claim for an organization

.DESCRIPTION
Creates or updates the customization template for an OpenID Connect (OIDC) subject claim for an organization.

.EXAMPLE
```powershell
Set-GitHubOidcSubjectClaimForOrganization -Organization 'PSModule' -IncludeClaimKeys @('repo', 'context') -Context $GitHubContext
```

Sets the OIDC subject claim customization template for the 'PSModule' organization.

.NOTES
[Set the customization template for an OIDC subject claim for an organization]
(https://docs.github.com/rest/actions/oidc#set-the-customization-template-for-an-oidc-subject-claim-for-an-organization)
#>
[OutputType([void])]
[CmdletBinding(SupportsShouldProcess)]
param(
# The organization name. The name is not case sensitive.
[Parameter(Mandatory)]
[string] $Organization,

# Array of unique strings. Each claim key can only contain alphanumeric characters and underscores.
[Parameter(Mandatory)]
[string[]] $IncludeClaimKeys,

# The context to run the command in. Used to get the details for the API call.
# Can be either a string or a GitHubContext object.
[Parameter(Mandatory)]
[object] $Context
)

begin {
$stackPath = Get-PSCallStackPath
Write-Debug "[$stackPath] - Start"
Assert-GitHubContext -Context $Context -AuthType IAT, PAT, UAT
# Required permissions: Administration org (write) or write:org
}

process {
$body = @{
include_claim_keys = $IncludeClaimKeys
}

$apiParams = @{
Method = 'PUT'
APIEndpoint = "/orgs/$Organization/actions/oidc/customization/sub"
Body = $body
Context = $Context
}

if ($PSCmdlet.ShouldProcess("OIDC subject claim for organization [$Organization]", 'Set')) {
$null = Invoke-GitHubAPI @apiParams
}
}

end {
Write-Debug "[$stackPath] - End"
}
}
Loading
Loading