Skip to content

Use GitHub OIDC Federation Service in prepare.yaml workflow#1529

Open
8R0WNI3 wants to merge 4 commits intomasterfrom
8R0WNI3-prepare
Open

Use GitHub OIDC Federation Service in prepare.yaml workflow#1529
8R0WNI3 wants to merge 4 commits intomasterfrom
8R0WNI3-prepare

Conversation

@8R0WNI3
Copy link
Member

@8R0WNI3 8R0WNI3 commented Feb 23, 2026

Release note:

@8R0WNI3
Use GitHub OIDC Federation Service in prepare.yaml workflow
5d329c4 
Signed-off-by: Jonas Brand (8R0WNI3) <j.brand@sap.com>
@gardener-prow
Copy link

gardener-prow bot commented Feb 23, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign 8r0wni3 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gardener-prow gardener-prow bot added do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Feb 23, 2026
@8R0WNI3
Copy link
Member Author

8R0WNI3 commented Feb 23, 2026

/hold until all usages of the prepare.yaml workflow set the (now) required id-token: write permission

@gardener-prow gardener-prow bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 23, 2026
@8R0WNI3 8R0WNI3 added reviewed/do-not-merge Has no approval for merging as it may break things, be of poor quality or have (ext.) dependencies kind/cleanup Something that is not needed anymore and can be cleaned up and removed do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Feb 23, 2026
@gardener-prow gardener-prow bot removed the do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. label Feb 23, 2026
@8R0WNI3
Always export GitHub token in trusted-checkout action
82e5360 
Signed-off-by: Jonas Brand (8R0WNI3) <j.brand@sap.com>
@8R0WNI3
Use exported token for PR label removal
baa1cd7 
Signed-off-by: Jonas Brand (8R0WNI3) <j.brand@sap.com>
@8R0WNI3
Enforce request of pull-requests: write permission for label removal
a87379c 
Signed-off-by: Jonas Brand (8R0WNI3) <j.brand@sap.com>
@gardener-prow gardener-prow bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Feb 23, 2026
8R0WNI3 added a commit to gardener/gardener-extension-provider-aws that referenced this pull request Feb 23, 2026
@8R0WNI3
fix: Add (currently) still required pull-requests: write permission
9a6aa2f 
Required to remove `ok-to-test` labels from PRs until
gardener/cc-utils#1529 is merged.

Signed-off-by: Jonas Brand (8R0WNI3) <j.brand@sap.com>
8R0WNI3 added a commit to gardener/gardener-extension-provider-openstack that referenced this pull request Feb 23, 2026
@8R0WNI3
fix: Add (currently) still required pull-requests: write permission
02ab031 
Required to remove `ok-to-test` labels from PRs until
gardener/cc-utils#1529 is merged.

Signed-off-by: Jonas Brand (8R0WNI3) <j.brand@sap.com>
This was referenced Feb 23, 2026
Merged
Open
gardener-prow bot pushed a commit to gardener/gardener-extension-provider-aws that referenced this pull request Feb 23, 2026
@8R0WNI3
fix: Add (currently) still required pull-requests: write permission (
c246b59 
…#1709)

Required to remove `ok-to-test` labels from PRs until
gardener/cc-utils#1529 is merged.

Signed-off-by: Jonas Brand (8R0WNI3) <j.brand@sap.com>
8R0WNI3 added a commit to gardener/diki-operator that referenced this pull request Feb 25, 2026
@8R0WNI3
Prepare switch to GitHub OIDC Federation Service
655119d 
See gardener/cc-utils#1529 for reference.

Signed-off-by: Jonas Brand (8R0WNI3) <j.brand@sap.com>
gardener-prow bot pushed a commit to gardener/diki-operator that referenced this pull request Feb 25, 2026
@8R0WNI3
Adjust GitHub-Actions permissions and secrets (#25)
5a45afc 
* Prepare switch to GitHub OIDC Federation Service

See gardener/cc-utils#1529 for reference.

Signed-off-by: Jonas Brand (8R0WNI3) <j.brand@sap.com>

* Drop unnecessarily granted privileges/secrets

Signed-off-by: Jonas Brand (8R0WNI3) <j.brand@sap.com>

* Consistently pass-in secrets to `build.yaml` workflow

Signed-off-by: Jonas Brand (8R0WNI3) <j.brand@sap.com>

---------

Signed-off-by: Jonas Brand (8R0WNI3) <j.brand@sap.com>
@kevin-lacoo kevin-lacoo mentioned this pull request Feb 26, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ccwienk ccwienk Awaiting requested review from ccwienk ccwienk is a code owner

@zkdev zkdev Awaiting requested review from zkdev zkdev is a code owner

@TuanAnh17N TuanAnh17N Awaiting requested review from TuanAnh17N TuanAnh17N is a code owner

Assignees

No one assigned

Labels

cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. kind/cleanup Something that is not needed anymore and can be cleaned up reviewed/do-not-merge Has no approval for merging as it may break things, be of poor quality or have (ext.) dependencies size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@8R0WNI3