GitHub Actions Integration

Secure your CI/CD pipelines with OIDC-based machine identity, just-in-time infrastructure access, and secret-free authentication for GitHub Actions workflows.

Features

Secret-Free CI/CD Workflows

Eliminate static credentials and implement zero-trust access for your GitHub Actions pipelines.

OIDC Machine Identity

Authenticate GitHub Actions workflows using OpenID Connect without storing long-lived credentials in repository secrets.

Workflow-Based Access

Grant just-in-time access based on workflow context including repository, branch, environment, and triggering event.

SSH Certificate Issuance

Issue short-lived SSH certificates to workflows for secure access to infrastructure without managing SSH keys.

Secret-Free Authentication

Eliminate static secrets and credentials from GitHub Actions with certificate-based authentication and dynamic credentials.

Capabilities

Enterprise-Grade CI/CD Security

OIDC token validation
Workflow identity mapping
SSH certificate issuance
Database access for CI/CD
Kubernetes deployment
Environment-based gates
Repository dispatch triggers
Self-hosted runner support
Reusable workflow integration
Branch protection integration
Deployment status checks
Audit log streaming

Setup

Get Started in Minutes

Follow these simple steps to integrate TigerAccess with your GitHub Actions workflows.

Step 1: Configure OIDC Trust

Configure TigerAccess to trust GitHub Actions OIDC tokens from your organization or specific repositories.

tacctl oidc add github-actions \
  --issuer=https://token.actions.githubusercontent.com \
  --audience=https://tigeraccess.example.com \
  --subject-pattern="repo:org-name/*:*"

Step 2: Create Workflow Identity

Map GitHub Actions workflow claims to TigerAccess roles and access policies based on repository, environment, and branch.

tacctl bots add github-ci \
  --type=github-actions \
  --roles=ci-deployer,db-migrator \
  --claim-mapping='{"repository":"org-name/repo-name","environment":"production"}'

Step 3: Use in GitHub Actions

Add TigerAccess authentication to your GitHub Actions workflow to access infrastructure and databases.

name: Deploy
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Get TigerAccess Certificate
        run: |
          # Request the workflow's OIDC token first, then exchange it for a certificate.
          # (The original nested the first curl inside the second with escaped quotes,
          # which breaks the header argument under bash.)
          OIDC_TOKEN=$(curl -sSf -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=https://tigeraccess.example.com" | jq -r .value)
          curl -sSf -X POST https://auth.tigeraccess.example.com/v1/oidc/github-actions/token \
            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
            -d "oidc_token=$OIDC_TOKEN" \
            -o /tmp/tac_cert

      - name: Access Database
        run: |
          tac db connect postgres-prod --execute "SELECT version()"

      - name: Deploy to Production
        run: |
          tac ssh deploy@prod-server "kubectl apply -f manifests/"

Use Cases

Real-World GitHub Actions Scenarios

Secure Database Migrations

Run database migrations in CI/CD workflows with just-in-time database credentials issued based on workflow context, eliminating the need to store database passwords in GitHub secrets.

Infrastructure Deployment

Deploy to production infrastructure with short-lived SSH certificates issued to GitHub Actions workflows, providing traceable access with automatic session recording.

Kubernetes CI/CD

Deploy applications to Kubernetes clusters with dynamic kubeconfig credentials issued based on repository and environment, ensuring least-privilege access.

Compliance Automation

Meet compliance requirements with comprehensive audit logs of all CI/CD access, including workflow identity, resources accessed, and complete command history.

FAQ

Frequently Asked Questions

How does OIDC authentication work with GitHub Actions?

GitHub Actions generates a signed OIDC token for each workflow run containing claims like repository, branch, and environment. TigerAccess validates this token against GitHub's public keys and maps the claims to TigerAccess roles, issuing short-lived certificates for infrastructure access.

Do I need to store TigerAccess credentials in GitHub Secrets?

No. With OIDC integration, GitHub Actions workflows authenticate using their built-in OIDC token. No static credentials need to be stored in GitHub Secrets. TigerAccess validates the token and issues just-in-time certificates.

Can I restrict access based on specific repositories or branches?

Yes. TigerAccess can enforce policies based on OIDC token claims including repository name, branch name, environment, and workflow event type. For example, you can allow production database access only from the main branch of specific repositories.
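As an added illustration of the claim checks described in the two answers above (this is example code written for this page, not TigerAccess's implementation), the following Python evaluates an already signature-verified GitHub Actions OIDC payload against the issuer, the audience from Step 1, the subject pattern from Step 1, and a branch/environment policy like the one in the answer above. Signature verification against GitHub's JWKS is assumed to have happened before this function runs; the token payload, role rules and timestamps are constructed sample values.

```python
import fnmatch
import time

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_AUDIENCE = "https://tigeraccess.example.com"  # the --audience from Step 1

# Constructed policy: which claim values unlock which roles. Each rule's
# non-"roles" keys are glob patterns matched against the token's claims.
POLICY = {
    "subject_pattern": "repo:org-name/*:*",  # the --subject-pattern from Step 1
    "role_rules": [
        # production DB access only from the main branch of one specific repo
        {"roles": ["db-migrator"], "repository": "org-name/repo-name",
         "ref": "refs/heads/main", "environment": "production"},
        # any repo in the org may deploy, but only from its main branch
        {"roles": ["ci-deployer"], "repository": "org-name/*", "ref": "refs/heads/main"},
    ],
}

# Constructed sample of the payload GitHub issues for a production deploy on main.
SAMPLE_CLAIMS = {
    "iss": GITHUB_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": 4_000_000_000,
    "sub": "repo:org-name/repo-name:environment:production",
    "repository": "org-name/repo-name", "ref": "refs/heads/main",
    "environment": "production", "event_name": "push",
}

def check_token_claims(claims, policy, now=None):
    """Return the set of roles granted to this workflow run, or raise ValueError.
    `claims` must already be the signature-verified JWT payload (a dict)."""
    now = time.time() if now is None else now
    if claims.get("iss") != GITHUB_ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("audience mismatch")  # token was minted for someone else
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not fnmatch.fnmatchcase(claims.get("sub", ""), policy["subject_pattern"]):
        raise ValueError("subject not trusted")  # repo outside the trusted org
    granted = set()
    for rule in policy["role_rules"]:
        if all(fnmatch.fnmatchcase(str(claims.get(k, "")), pattern)
               for k, pattern in rule.items() if k != "roles"):
            granted.update(rule["roles"])
    if not granted:
        raise ValueError("no policy rule matched")  # e.g. a feature branch
    return granted
```

A token from a feature branch of the same repository fails every rule and is rejected, while the sample above is granted both roles.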

How are GitHub Actions workflow sessions audited?

All access through GitHub Actions is logged with complete workflow context including repository, commit SHA, actor, workflow name, and run ID. Session recordings capture all commands executed, providing a complete audit trail for compliance.

Does this work with self-hosted GitHub Actions runners?

Yes. The OIDC authentication mechanism works identically for both GitHub-hosted and self-hosted runners. The workflow receives the same OIDC token regardless of where it runs, enabling consistent authentication.

Ready to Secure Your Infrastructure?

Join thousands of security-conscious teams using TigerAccess to protect their critical infrastructure and AI agents.

No credit card required • 14-day free trial • Enterprise support available