GitHub Actions

Run Skylos in CI without long-lived secrets.

Skylos Cloud accepts GitHub OIDC tokens for policy sync and scan uploads. Teams can remove stored SKYLOS_TOKEN secrets from GitHub Actions and keep each run bound to its repository.

Minimal workflow

name: Skylos Tokenless CI

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write

jobs:
  skylos:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Install Skylos
        run: python -m pip install "skylos>=4.7.0"

      - name: Pull Skylos Cloud policy
        run: skylos sync pull

      - name: Scan and upload
        run: skylos . --danger --quality --secrets --upload --force --sha "${{ github.sha }}"

Requirements

  • Skylos CLI 4.7.0 or newer
  • A Skylos Cloud project whose repo URL matches the GitHub repository
  • GitHub Actions permission id-token: write
  • No SKYLOS_TOKEN secret in the workflow

Bind the repo

Set the Skylos Cloud project repo URL to the GitHub repository, for example https://github.com/acme/api.

Grant OIDC

Add id-token: write to the workflow permissions. GitHub will mint a short-lived token for each run.

Remove static secrets

Delete SKYLOS_TOKEN from the workflow and repo secrets once the tokenless run succeeds.

Turn on blocking later

Keep --force while baselining so uploads always land. Remove it when the team is ready for CI failures to block merges.

Migrating from SKYLOS_TOKEN

Existing token-based workflows continue to work. For GitHub Actions, replace the secret with OIDC by adding id-token: write and removing the SKYLOS_TOKEN environment variable from Skylos steps.

Before

env:
  SKYLOS_TOKEN: ${{ secrets.SKYLOS_TOKEN }}

run: skylos . --upload

After

permissions:
  contents: read
  id-token: write

run: skylos . --upload --force

Troubleshooting

Status  Code                     Meaning and fix
401     NO_TOKEN                 The workflow is not sending an auth token. Check that the CLI is 4.7.0 or newer and that id-token: write is present.
401     INVALID_OIDC             GitHub did not issue a valid OIDC token. Confirm the workflow permission is exactly id-token: write.
404     REPO_NOT_LINKED          The GitHub repository is not bound to a Skylos Cloud project. Set the project repo URL in Cloud.
409     AMBIGUOUS_REPO_BINDING   More than one Skylos project matches the same repo. Use a unique repo binding, repo subpath, or a project token for that job.
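The repo binding from "Bind the repo" and the four troubleshooting codes above, as an added Python example. This is not Skylos Cloud's server code; it models the lookup a repository-bound OIDC design has to perform: the decoded token's standard GitHub `repository` claim ("owner/name") is matched against each project's configured repo URL, and the outcome maps to the documented status and code. The `Project` class, its `subpath` field, and the sample claims and projects are constructed for the example. Verifying the token signature against GitHub's JWKS is assumed to happen before this step and is not shown.

```python
"""Resolve decoded GitHub OIDC claims to a Skylos Cloud project binding.

Added example (not Skylos's own code). Models the repository-bound lookup
described in the docs and returns the documented status/code pairs.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Issuer GitHub Actions uses for workflow OIDC tokens.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


@dataclass(frozen=True)
class Project:
    """Hypothetical Cloud project record: name, bound repo URL, optional monorepo subpath."""
    name: str
    repo_url: str
    subpath: str = ""


def normalize_repo(url: str) -> str:
    """Reduce a repo URL such as https://github.com/acme/api(.git) to 'acme/api'."""
    path = urlparse(url).path.strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    return path.lower()


def resolve_binding(claims: Optional[dict], projects: list, subpath: str = ""):
    """Return (status, code, project).

    claims  -- decoded JWT claims already verified against GitHub's JWKS, or None
               when the CLI sent no token at all.
    subpath -- optional repo subpath the job supplies to disambiguate monorepos.
    """
    if claims is None:
        return 401, "NO_TOKEN", None
    # A token from any other issuer, or one lacking the repository claim,
    # cannot be bound to a repository and is rejected.
    if claims.get("iss") != GITHUB_ISSUER or not claims.get("repository"):
        return 401, "INVALID_OIDC", None

    repo = claims["repository"].lower()
    matches = [p for p in projects if normalize_repo(p.repo_url) == repo]
    if subpath:
        matches = [p for p in matches if p.subpath == subpath]

    if not matches:
        return 404, "REPO_NOT_LINKED", None
    if len(matches) > 1:
        # Two projects bound to the same repo: refuse rather than guess.
        return 409, "AMBIGUOUS_REPO_BINDING", None
    return 200, "OK", matches[0]


# Constructed sample data for the example.
PROJECTS = [
    Project("api", "https://github.com/acme/api"),
    Project("web", "https://github.com/acme/web.git"),
    Project("mono-api", "https://github.com/acme/monorepo", subpath="services/api"),
    Project("mono-web", "https://github.com/acme/monorepo", subpath="services/web"),
]

# Constructed claims in the shape of a GitHub Actions OIDC token (values are made up).
GOOD_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "repository": "acme/api",
    "repository_owner": "acme",
    "ref": "refs/heads/main",
    "sha": "0000000000000000000000000000000000000000",
}


if __name__ == "__main__":
    for claims, sub in [(None, ""), (GOOD_CLAIMS, ""),
                        ({**GOOD_CLAIMS, "repository": "acme/monorepo"}, ""),
                        ({**GOOD_CLAIMS, "repository": "acme/monorepo"}, "services/api")]:
        print(resolve_binding(claims, PROJECTS, sub))
```

Two design points carried over from the docs: a token with the wrong issuer is treated the same as a malformed one (INVALID_OIDC), and a repo bound to more than one project is an error rather than a first-match pick, which is why the page suggests a unique binding, a subpath, or a project token for that job.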

Enterprise behavior

OIDC runs are short-lived, repository-bound, and do not require secret rotation in GitHub. Non-GitHub CI can continue using project API keys, so tokenless GitHub rollout does not break other build systems or local developer workflows.