From 6cbd2f2dfd311a991548241040bee324b1231e7d Mon Sep 17 00:00:00 2001 From: Robert Harris Date: Tue, 3 Dec 2024 09:53:08 -0800 Subject: [PATCH] New OIDC README section --- README.md | 31 ++++++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 006b8d9..6c70873 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ This action enables you to fetch Doppler secrets for use in your GitHub Actions. The action can be configured in two ways: * Service Token (recommended) -* Service Account Token with Project and Config +* Service Account with Project and Config ### Service Token @@ -26,9 +26,13 @@ Then supply the Service Token using the `doppler-token` input: doppler-token: ${{ secrets.DOPPLER_TOKEN }} ``` -### Service Account Token +### Service Account -A Doppler Service Account Token allows for a configurable set of permissions to services in your workplace. The `doppler-project` and `doppler-config` inputs must be provided when using a Service Account Token: +A Doppler Service Account allows for a configurable set of permissions to services in your workplace. A project and config must be specified when using a Service Account. + +#### Service Account Token + + The `doppler-project` and `doppler-config` inputs must be provided when using a Service Account Token: ```yaml - uses: dopplerhq/secrets-fetch-action@v1.3.0 
@@ -39,6 +43,27 @@ A Doppler Service Account Token allows for a configurable set of permissions to doppler-config: ci-cd ``` +#### Service Account Identity via OIDC + +[Identities](https://docs.doppler.com/docs/service-account-identities) allow a service account to authenticate to Doppler via OIDC without using a static API token. This method works like the Service Account Token method above but without a static API token. + +The `auth-method`, `doppler-identity-id`, `doppler-project` and `doppler-config` inputs must be provided when using a Service Account Identity. The permission `id-token: write` is required so that Doppler can obtain an OIDC token from Github for authentication. + +```yaml +jobs: + your-example-job: + permissions: + id-token: write # required for obtaining the OIDC JWT from Github + steps: + - uses: dopplerhq/secrets-fetch-action@v1.3.0 + id: doppler + with: + auth-method: oidc + doppler-identity-id: + doppler-project: auth-api + doppler-config: ci-cd +``` + ## Usage Secrets can be accessed in two ways:
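Review bot: In the first hunk the intro still says the action "can be configured in two ways", with the second bullet renamed to "Service Account with Project and Config", yet the rest of the patch adds two distinct service-account authentication methods (static token and OIDC identity); either add a third bullet for the OIDC identity or reword the bullet so readers know the service-account path now offers both options.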
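Review bot: In the second hunk the paragraph added under the new `#### Service Account Token` heading carries a leading space (`+ The \`doppler-project\` and \`doppler-config\` inputs ...`); drop that stray whitespace so the sentence renders as a normal paragraph and is consistent with the surrounding README text.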
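Review bot: In the third hunk the `doppler-identity-id:` line in the YAML example has an empty value, so anyone copying the snippet gets an invalid configuration; use an obvious placeholder such as `<your-identity-id>` or a secrets reference like the Service Token example does. The introductory sentence also states "without using a static API token" twice in a row, and "Github" should be spelled "GitHub" in both the prose and the `# required for obtaining the OIDC JWT from Github` comment. Since the example correctly scopes `id-token: write` under the job's own `permissions:` block, it is worth saying so explicitly so readers do not widen it to the workflow level.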