Created
January 30, 2026 14:10
GitHub Actions Workflow that shows JWTs and Env Variables
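name: Get Environment Variables and JWTs

# This workflow was tested on a self-hosted windows runner (Windows Server 2025)
# On the VM, PowerShell v7.5.4 was installed and was used for this workflow as the shell
# The GitHub Actions Runner service version was v2.331.0.0 (Jan-2026)
#
# Purpose: a diagnostic workflow that lists the GITHUB_*, ACTIONS_* and RUNNER_*
# environment variables and decodes two JWTs: the request token found in the
# environment and the OIDC token that is fetched with it.
# Everything the steps print ends up in the job log, so treat that log as
# sensitive and keep this workflow out of repositories whose logs are widely readable.

on:
  workflow_dispatch:

defaults:
  run:
    shell: pwsh

# permission can be added for the entire WORKFLOW or it can be set at a specific JOB level
# Declaring `permissions` sets every scope that is not listed to `none`,
# so this job gets id-token: write and nothing else.
permissions:
  id-token: write   # This is required for requesting the OIDC JWT

jobs:
  get_environment_variables:
    runs-on: [GhaRunnerVM]   # <-- replace this with your runner label
    steps:
      - name: Show GitHub Actions Runner version & connection
        run: |
          # Locate the runner install folder from the service's binary path,
          # then report the worker version and the listener's IPv4 connections.
          $Path = Split-Path (Get-Service action*).BinaryPathName.Replace('"',$null)
          $Ver = (Get-Item $Path\Runner.Worker.exe).VersionInfo.FileVersion
          Write-Verbose "GitHub Actions Runner: v$Ver" -Verbose
          $ProcId = (Get-Process -Name Runner.Listener).Id
          Get-NetTCPConnection -OwningProcess $ProcId | where LocalAddress -Match '\d+\.\d+\.\d+\.\d+'

      - name: Check Github vars
        run: |
          dir env:\github*

      - name: Check Actions vars
        run: |
          dir env:\action*

      - name: Check Runner vars
        run: |
          dir env:\runner*

      # optional step, if you need to research further, uncomment this step
      # NOTE: the dump is plain text and includes ACTIONS_ID_TOKEN_REQUEST_TOKEN
      # along with anything else held in the environment; delete the file when done.
      #- name: Save all the env vars locally
      #  run: |
      #    dir env:\* | Export-CliXml C:\temp\env_vars.clixml -Force

      - name: Show the JWT received from GitHub
        run: |
          # NOTE(review): the next two lines download a script and execute it inside a
          # job that is allowed to mint OIDC tokens. The URL names a specific gist
          # revision, but the downloaded content is not verified. Prefer committing a
          # reviewed copy of ConvertFrom-JwtToken.ps1 to the repository, or compare its
          # SHA-256 with a recorded value before running it.
          $ConvertFromJwtUrl = 'https://gist.githubusercontent.com/PanosGreg/954ea7ce689d80998befc791b32bb284/raw/cd44ca508a96b373281f75f93db23ecbd53b4e2f/ConvertFrom-JwtToken.ps1'
          Invoke-Expression -Command (Invoke-RestMethod -Uri $ConvertFromJwtUrl)
          $jwt = ConvertFrom-JwtToken -Token $env:ACTIONS_ID_TOKEN_REQUEST_TOKEN
          Write-Verbose 'The JWT from the ENV vars (ACTIONS_ID_TOKEN_REQUEST_TOKEN)' -Verbose
          Write-Output $jwt
          Write-Output "`n"
          Write-Verbose 'The OIDC Extra information from that JWT' -Verbose
          $jwt.oidc_extra | ConvertFrom-Json

      - name: Request an OIDC token from GitHub
        run: |
          # No `audience` query parameter is appended to the request URL, so GitHub
          # issues the token with its default audience. A token meant for a real
          # relying party should request that party's audience explicitly.
          $url = $env:ACTIONS_ID_TOKEN_REQUEST_URL
          $jwt = $env:ACTIONS_ID_TOKEN_REQUEST_TOKEN
          $Headers = @{
              Authorization = "bearer $jwt"
              Accept        = 'application/json; api-version=2.0'
          }
          $irm = Invoke-RestMethod -Method Get -Uri $url -ContentType 'application/json' -Headers $Headers
          # Export-CliXml stores the token as plain text. RUNNER_TEMP is used for the
          # hand-off because the runner empties that folder when the job ends; the
          # last step of this job deletes the file as well.
          $irm | Export-CliXml (Join-Path $env:RUNNER_TEMP 'oidc_jwt.clixml') -Force

      - name: Show the 2nd JWT received from GitHub
        run: |
          $jwt = (Import-CliXml (Join-Path $env:RUNNER_TEMP 'oidc_jwt.clixml')).value
          # NOTE(review): same unverified download-and-execute as in the first JWT step.
          $ConvertFromJwtUrl = 'https://gist.githubusercontent.com/PanosGreg/954ea7ce689d80998befc791b32bb284/raw/cd44ca508a96b373281f75f93db23ecbd53b4e2f/ConvertFrom-JwtToken.ps1'
          Invoke-Expression -Command (Invoke-RestMethod -Uri $ConvertFromJwtUrl)  # <-- each step has its own process, so the PS Session is new (vars, functions, modules, types)
          ConvertFrom-JwtToken -Token $jwt

      # Runs even when an earlier step failed, so the plain-text token file is
      # never left behind on the self-hosted runner's disk.
      - name: Remove the saved OIDC token
        if: always()
        run: |
          Remove-Item (Join-Path $env:RUNNER_TEMP 'oidc_jwt.clixml') -Force -ErrorAction SilentlyContinue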