Proving which user and branch triggered a workflow

I would like to have some kind of information from my workflow context that proves which user and branch we’re dealing with. This is so I can prove the context of an HTTP request to another one of my services.

For example, I believe in GitLab the runner receives a signed JWT token containing information about the event.

Unfortunately in GitHub the GITHUB_TOKEN is just a random string.

Is there any signed information I can get within the context of my GitHub workflow that says “this is a job that was triggered by user Alice for feature-branch”?

At first glance I see nothing in the contexts that could help here.

There is ${{ github.actor }} from the github context:

github.actor (string): The login of the user that initiated the workflow run.

@laughedelic Thanks for the suggestion. Unfortunately, this is just a string and it is not signed. There is no way for my other service to verify that “github says this user triggered this event by pushing something to this branch”. Any malicious user could just send it a spoofed string.
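To make the difference between a bare actor string and a signed token concrete, here is an added example (not from the thread, and not GitHub's or GitLab's code) of the check a receiving service would run on a signed claim set. The claim names `actor`, `ref` and `exp`, the helper names and the key are assumptions; HS256 with a constructed key stands in for the asymmetric signature a CI platform would normally use with a published public key.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def sign_claims(claims: dict, key: bytes) -> str:
    """Stand-in for the CI platform: it holds `key`, the job never sees it."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url(_mac(key, f'{header}.{payload}'))}"

def verify_claims(token: str, key: bytes, now=None):
    """Receiving service: return the claims if authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        # Pin the algorithm; never let the token's own header choose it.
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None
        expected = _mac(key, f"{header_b64}.{payload_b64}")
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None  # payload or signature was altered
        claims = json.loads(b64url_decode(payload_b64))
        if claims.get("exp", 0) <= now:
            return None  # expired or missing expiry
        return claims
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token

def edit_payload(token: str, **changes) -> str:
    """All a sender without the key can do: change claims, reuse the old signature."""
    header, payload, sig = token.split(".")
    claims = {**json.loads(b64url_decode(payload)), **changes}
    return f"{header}.{b64url(json.dumps(claims).encode())}.{sig}"

# Constructed sample values, for illustration only.
PLATFORM_KEY = b"constructed-demo-key"
TOKEN = sign_claims({"actor": "alice", "ref": "refs/heads/feature-branch",
                     "exp": 2_000_000_000}, PLATFORM_KEY)

if __name__ == "__main__":
    print(verify_claims(TOKEN, PLATFORM_KEY))
    print(verify_claims(edit_payload(TOKEN, actor="mallory"), PLATFORM_KEY))
```

The service trusts `actor` and `ref` only when `verify_claims` returns them; a plain string such as the value of `github.actor` sent in a request has nothing comparable to check.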