Property job_workflow_sha in context github is not available

[mbeckh]

Describe the bug
The property github.job_workflow_sha is not set in a job using a reusable workflow.
Documentation at https://docs.github.com/en/actions/learn-github-actions/contexts#github-context states that "For jobs using a reusable workflow, the commit SHA for the reusable workflow file.".

To Reproduce
.github/workflows/test.yml:

name: Test
on:
  push:
jobs:
  test:
    uses: ./.github/workflows/reuse.yml

.github/workflows/reuse.yml:

name: Reuse
on:
  workflow_call:
jobs:
  reuse:
    runs-on: ubuntu-latest
    steps:
    - shell: bash
      run: echo 'github: ${{toJSON(github)}}'

The context github is printed, but there is no key job_workflow_sha. The output of ${{github.job_workflow_sha}} is empty.

The behavior is the same whether reuse.yml is in the same repository as test.yml or in a different repository.

Expected behavior
There is a key job_workflow_sha matching the commit SHA of the reusable workflow file as displayed in the job log under "Set up job" as "Uses: <owner>/<repository>/.github/workflows/reuse.yml@refs/heads/<branchname> (<SHA>)".

Runner Version and Platform

Runner version: 2.301.1
Platform: Ubuntu 22.04.1 LTS
Runner Image: ubuntu-22.04 20230129.2

What's not working?

The property job_workflow_sha is not available in the context github of the reusable workflow although the documentation states it should be there.

[joshuasimon-taulia]

as a side note, I cannot find any context in which github.job_workflow_sha acutally works. ex: from the caller workflow

name: pr
on:
  pull_request:
    branches: [main]

env:
  WORKFLOW_REF_ROOT_ENV: ${{ github.job_workflow_sha }}

jobs:
  pullrequest:
    uses: ./.github/workflows/pullrequest.yml
    secrets: inherit
    with:
      workflow-ref: ${{ github.job_workflow_sha }}

results in blank inputs and missing ${{ env.WORKFLOW_REF_ROOT_ENV }}

Inputs
    workflow-ref:

[kkurczewski]

I checked documentation source code, seems this property is subject of some condition (contrary to other ones):

{%- ifversion actions-oidc-custom-claims %}
| `github.job_workflow_sha` | `string` | {% data reusables.actions.job-workflow-sha-description %} |
{%- endif %}

Can I kindly ask authors of this commit about a little more context about what this condition is about? How I can enable it?

cc: @jc-clark @lucascosti

[lucascosti]

Hi @kkurczewski, I don't work at GitHub anymore, so I'll let @jc-clark answer your question. 🙂 (👋 Hi Joe 😁)

[axherrm]

There is still no solution for this, is it?

[pdxjohnny]

Still hitting this: https://github.com/pdxjohnny/scitt-api-emulator/actions/runs/6178211970/job/16771062928#step:9:17

##[debug]Evaluating: github.job_workflow_sha
##[debug]Evaluating Index:
##[debug]..Evaluating github:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'job_workflow_sha'
##[debug]=> null
##[debug]Result: null

Operating System
  Ubuntu
  22.04.3
  LTS
Runner Image
  Image: ubuntu-22.04
  Version: 20230911.1.0
  Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20230911.1/images/linux/Ubuntu2204-Readme.md
  Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20230911.1

[ericsciple]

Apologies this is a documentation bug and job_workflow_sha is only supported as an OIDC claim. A PR to correct the documentation is in progress.

I would recommend the community feedback discussions as a place to request any missing product feature. Good to focus on the scenario, since would not only help prioritize but also may help determine a different solution.

[pdxjohnny]

I found a workaround by requesting the token and extracting the claim. However, this only works on jobs which run within the repo’s context, not pull requests for example.

• id-token: write not available on pull_requests slsa-framework/slsa-github-generator#131
• Support for pull_request slsa-framework/slsa-github-generator#358