Version updated for https://github.com/deadbolt-sh/jit-action to version v1.0.0.

• This action is used across all versions by ? repositories.

Go to the GitHub Marketplace to find the latest changes.

Release notes

🔐 Deadbolt JIT Action v1.0.0

The secure way to deploy from GitHub Actions - no permanent SSH keys required.

Highlights

• 🎫 Zero Secrets - Uses GitHub OIDC authentication, no tokens to store or rotate
• ⏱️ Short-Lived Access - SSH keys automatically expire (default: 5 minutes)
• 📋 Full Audit Trail - Every deployment logged with repo, branch, actor, and commit SHA
• 🛡️ Defense in Depth - IP restricted to GitHub Actions runners, command restrictions optional

Quick Start

permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - uses: deadbolt-sh/jit-action@v1
        id: ssh
        with:
          server_id: srv_abc123
      
      - run: rsync -avz -e "ssh -i ${{ steps.ssh.outputs.ssh_key_path }}" ./dist/ ${{ steps.ssh.outputs.username }}@${{ steps.ssh.outputs.host }}:/var/www/app/

What’s Included

Inputs

Outputs

Security

This action never stores secrets in your repository. Authentication flow:

1. GitHub generates short-lived OIDC token (contains repo, branch, actor)
2. Deadbolt verifies token cryptographically against GitHub’s public keys
3. Deadbolt checks your OIDC policy (allowed repos, branches)
4. Short-lived SSH key returned (works only from GitHub Actions IPs)

Requirements

• Deadbolt account with server registered
• OIDC policy configured for your repository
• id-token: write permission in workflow

Documentation

• Setup Guide
• OIDC Policy Configuration
• Security Best Practices

Feedback

Found a bug? Have a feature request? Open an issue

Full Changelog: https://github.com/deadbolt-sh/jit-action/commits/v1.0.0

• deadbolt-sh
• GitHub Actions