
Maven / GitHub Actions Interview Questions

What are OpenID Connect (OIDC) tokens in GitHub Actions and how do they replace long-lived cloud credentials?

GitHub Actions can obtain a short-lived OpenID Connect (OIDC) JWT token for each workflow run. Cloud providers (AWS, Azure, GCP) can be configured to accept this token as proof of identity and issue temporary cloud credentials in exchange — eliminating the need to store long-lived API keys or access tokens in GitHub Secrets.

The token contains verifiable claims about the workflow run: repository name, branch, actor, environment, and the workflow ref. The cloud provider's trust policy checks these claims before granting access, so you can limit access to, for example, only the production environment on the main branch.

AWS example using aws-actions/configure-aws-credentials:

name: Deploy
on:
  push:
    branches: [main]

permissions:
  id-token: write    # required to request the OIDC token
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production   # makes the token's sub claim repo:my-org/my-repo:environment:production
    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS credentials via OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/GithubActionsDeployRole
          aws-region: us-east-1
          # No AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY needed

      - name: Deploy to S3
        run: aws s3 sync dist/ s3://my-bucket/

The AWS IAM role's trust policy names GitHub's OIDC provider as the federated principal and specifies which GitHub repository (and, here, which environment) is allowed to assume the role:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
        "token.actions.githubusercontent.com:sub": "repo:my-org/my-repo:environment:production"
      }
    }
  }]
}
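
As an added example (not code from the original page or from AWS), the following Python models how the provider evaluates the trust policy's Condition block against the token's claims. The claims, the dummy-signed token and the condition are constructed here; the model also shows why the same job is rejected when it is not bound to the production environment, because its sub claim then names the branch instead.

```python
import base64
import fnmatch
import json

# Constructed sample claims, modelled on the OIDC token GitHub issues to a job
# that runs in the "production" environment of my-org/my-repo from main.
SAMPLE_CLAIMS = {
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "sts.amazonaws.com",
    "sub": "repo:my-org/my-repo:environment:production",
    "repository": "my-org/my-repo",
    "ref": "refs/heads/main",
    "actor": "octocat",
    "workflow_ref": "my-org/my-repo/.github/workflows/deploy.yml@refs/heads/main",
}

# The Condition block of the trust policy, using IAM's condition-key format.
TRUST_CONDITION = {
    "StringEquals": {
        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
        "token.actions.githubusercontent.com:sub": "repo:my-org/my-repo:environment:production",
    }
}

def unsigned_jwt(claims):
    """Assemble header.payload.signature with a dummy signature (constructed, offline only)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.dummysig"

def decode_claims(token):
    """Read the claims segment; signature verification (done by the real provider) is omitted."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def trust_condition_allows(claims, condition):
    """Evaluate IAM StringEquals / StringLike conditions; every listed key must match."""
    prefix = "token.actions.githubusercontent.com:"
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = claims.get(key[len(prefix):], "")  # a missing claim never matches a value
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringLike" and not fnmatch.fnmatchcase(actual, expected):
                return False
    return True
```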

Benefits over static credentials:

  • No secret rotation needed — credentials expire automatically (typically 1 hour)
  • No secret stored in GitHub — nothing to leak in logs or accidental commits
  • Fine-grained trust — limit which repo, branch, or environment can assume the role

Which permission must be set to "write" in a workflow to allow it to request an OIDC token?
What is the main security advantage of OIDC-based cloud authentication over storing static AWS access keys in GitHub Secrets?
