Error : Invalid actions OIDC token due to sub_invalid #9

Closed
BenSouchet opened this issue Jan 10, 2022 · 3 comments

@BenSouchet

Hi,
I'm trying to create a scheduled workflow that is identical to the pages-build-deployment workflow provided by GitHub for Pages.

I wanted to use the same actions (actions/jekyll-build-pages & actions/deploy-pages) but I have an issue (error) with actions/deploy-pages:

Failed to create deployment for ecdfe6d6276a0e9c2f5f1701e690bf8d69169602.
{"message":"Invalid actions OIDC token due to sub_invalid, validate around 1641819761.","documentation_url":"https://docs.github.com/rest/reference/repos#create-a-github-pages-deployment"}
Error: Error: Request failed with status code 400
Error: Error: Request failed with status code 400
Sending telemetry for run id 1677474470

This is the workflow I made:

permissions:
  contents: read
  pages: write
  id-token: write

name: Daily Build

# Controls when the workflow will run
on:
  # Triggers the workflow everyday
  # DEBUG: currently every 5mins
  schedule:
    - cron: '*/5 * * * *'
  workflow_dispatch:

# Workflow with two jobs: "Build" then "Deploy"
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          submodules: recursive
      - name: Build page with Jekyll
        uses: actions/jekyll-build-pages@v1-beta
        with:
          source: ./
          destination: ./_site
          future: false
      - name: Archive build output
        run: tar --dereference --hard-dereference --directory _site/ -cvf artifact.tar .
      - name: Upload Artifact
        uses: actions/upload-artifact@main
        with:
          name: github-pages
          path: ./artifact.tar
          if-no-files-found: warn

  deploy:
    runs-on: ubuntu-latest
    needs: build
    steps:
      - name: Deploy to GitHub Pages
        uses: actions/deploy-pages@v1-beta

Is there anything more to do in order to use the deploy-pages action?

I tried to understand if I needed to add or request a token but I admit being a little bit lost 🤔

@tcbyrd I'm sure you can tell me what I'm doing wrong 🙂

PS: link to one failed deploy

@BenSouchet
Author

After a lot of research I managed to make the deployment work, here are the modifications I made:

permissions:
  contents: read
  pages: write
+ deployments: write
  id-token: write
...
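Review bot: the added `deployments: write` line in the `permissions:` block grants a scope this workflow never uses. Once the deploy job declares an `environment:`, Actions creates the deployment itself, and the permission only matters when GITHUB_TOKEN is used to call the deployment API manually. Drop the line and keep `contents: read`, `pages: write` and `id-token: write`.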

  deploy:
    needs: build
    runs-on: ubuntu-latest
+   environment:
+     name: github-pages
+     url: ${{ steps.deployment.outputs.page_url }}
    steps:
      - name: 'Deploy to GitHub Pages'
+       id: deployment
        uses: actions/deploy-pages@v1-beta

I don't understand exactly why these lines were necessary; this does not seem to correlate with the error message I had.

If someone can tell me if what I added is correct, if everything is necessary (or not).
Thanks

@tcbyrd
Collaborator

tcbyrd commented Jan 10, 2022

@BenSouchet that's correct. We'll be documenting it more thoroughly, but in general the reason for this is the deployment needs to know what environment you're attempting to deploy to, and this metadata is validated against the OIDC token to ensure we respect any environment protection rules that may exist. By default there are no protection rules (anyone with write can deploy to that environment), but the workflow needs to know what environment you're targeting so we can validate it.

Also you shouldn't need deployments: write in the token permissions. Actions has the ability to create the deployment natively when you add the environment stanza. The token permission is only needed if you want to use GITHUB_TOKEN to manually call the deployment API.

@BenSouchet
Author

@tcbyrd Thanks for the explanation, it's more clear now 🙂
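The subject check described in this thread, sketched as an added example that is not part of the original issue and not the Pages service's own code. It assumes GitHub's documented subject formats (`repo:OWNER/REPO:environment:NAME` for a job with an environment, `repo:OWNER/REPO:ref:...` otherwise); the repository name, function names and reason strings are hypothetical.

```python
import base64
import json

ISSUER = "https://token.actions.githubusercontent.com"

def b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def unverified_claims(jwt: str) -> dict:
    """Return the payload claims WITHOUT checking the signature.
    A real relying party verifies the signature against the issuer's JWKS first."""
    _header, payload, _signature = jwt.split(".")
    return b64url_json(payload)

def check_subject(claims: dict, repo: str, environment: str) -> tuple[bool, str]:
    """Accept only a token minted for a job that declared `environment`."""
    if claims.get("iss") != ISSUER:
        return False, "unexpected issuer"
    sub = claims.get("sub", "")
    if sub == f"repo:{repo}:environment:{environment}":
        return True, "ok"
    if sub.startswith(f"repo:{repo}:ref:"):
        # The job ran without an `environment:` stanza, so the subject is ref-scoped.
        return False, "sub_invalid: job declared no environment"
    return False, "sub_invalid: unexpected subject"

def make_sample_jwt(sub: str) -> str:
    """Build an unsigned, constructed token for the demo (placeholder signature)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"iss": ISSUER, "sub": sub}), "sig"])

# Constructed samples: the deploy job before and after adding the environment stanza.
REPO = "example-owner/example-repo"  # hypothetical repository
BEFORE = make_sample_jwt(f"repo:{REPO}:ref:refs/heads/main")
AFTER = make_sample_jwt(f"repo:{REPO}:environment:github-pages")

if __name__ == "__main__":
    for label, token in (("before", BEFORE), ("after", AFTER)):
        print(label, check_subject(unverified_claims(token), REPO, "github-pages"))
```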

chris34 added a commit to ubuntu-Deutschland-eV/verein.ubuntu-de.org that referenced this issue Apr 17, 2022
Environment variables define which branch & python version gets deployed.

For examples of the used github action see
actions/deploy-pages#20
actions/deploy-pages#9

Additional changes:

In https://github.com/ubuntu-Deutschland-eV/verein.ubuntu-de.org/settings/environments/
-> github-pages -> set deployment branches to 'selected branches' with 'master'
Thus, pushes to `gh-pages` can not deploy the branch (as it's done normally).
Nevertheless, the branch `gh-pages` will contain a file `CNAME` that holds
the custom domain name for the github page.
Additionally, only the master branch can deploy a new version to github pages.

The domain `verein.ubuntu-de.org` is also verified to make takeovers harder
see https://docs.github.com/en/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages#verifying-a-domain-for-your-organization-site
dijidiji added a commit to dijidiji/ja2-impgen that referenced this issue Oct 21, 2022
Environment is needed for deploy-pages as per actions/deploy-pages#9