From f5688ccf55a65bb26da2fd469637f72252e4e27f Mon Sep 17 00:00:00 2001
From: "Jonas Brand (i538859)"
Date: Fri, 20 Feb 2026 13:24:49 +0100
Subject: [PATCH] Switch to OIDC Federation Service instead of GitHub App

Currently, the [Gardener GitHub-Actions App](https://github.com/apps/gardener-github-actions) is used to provide more privileged access than available via the default `GITHUB_TOKEN`, for example to circumvent branch protection rules (GitHub Apps can be configured as bypassers) or cross repository privileges.

To prevent sharing the GitHub App secret with each and every repository/workflow which requires usage of it, the [GitHub OIDC Federation Service](https://github.com/gardener/github-oidc-federation) has been developed. In essence, it holds the credentials for a central GitHub App and creates short-lived access tokens with a configured scope based on a centrally configured OIDC configuration.

See related changes which have been necessary for this repository:
- https://github.com/gardener/.github-oidc/commit/c2da0cae90bf8a502d91423d94870aa2acb2f7a1

Signed-off-by: Jonas Brand (i538859)
---
 .github/workflows/build.yaml | 4 ++--
 .github/workflows/non-release.yaml | 4 ++--
 .github/workflows/pullrequest-trust-helper.yaml | 3 +--
 .github/workflows/release.yaml | 4 +++-
 .github/workflows/upgrade-dependencies.yaml | 3 +--
 5 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 494aea2e..5345a836 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -16,9 +16,9 @@ jobs:
 uses: gardener/cc-utils/.github/workflows/prepare.yaml@master
 with:
 mode: ${{ inputs.mode }}
- version-commit-callback-action-path:
 permissions:
- contents: read
+ id-token: write
+ pull-requests: write # required until https://github.com/gardener/cc-utils/pull/1529 is merged
 oci-images:
 name: Build OCI-Images
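Review bot: The `pull-requests: write` grant is documented as temporary only here; the same scope is added to the build job in non-release.yaml and release.yaml without the `# required until https://github.com/gardener/cc-utils/pull/1529 is merged` comment, so those two grants are likely to outlive the workaround. Carry the same comment over to both callers so all three are removed together once the upstream change lands. Separately, `contents: read` is dropped from the prepare job while `id-token: write` is added; with an explicit `permissions` block every unlisted scope becomes `none`, so if prepare.yaml checks the repository out with the default token, `contents: read` should stay alongside the new line. The enclosing job definition starts outside the hunk.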
diff --git a/.github/workflows/non-release.yaml b/.github/workflows/non-release.yaml
index 20ce1767..916be55f 100644
--- a/.github/workflows/non-release.yaml
+++ b/.github/workflows/non-release.yaml
@@ -22,16 +22,16 @@ jobs:
 mode: snapshot
 secrets: inherit
 permissions:
- contents: write
+ contents: read
 packages: write
 id-token: write
+ pull-requests: write
 component-descriptor:
 if: ${{ github.event_name != 'pull_request_target' || (github.event_name == 'pull_request_target' && github.event.label.name == vars.DEFAULT_LABEL_OK_TO_TEST && vars.DEFAULT_LABEL_OK_TO_TEST != '') }}
 uses: gardener/cc-utils/.github/workflows/post-build.yaml@master
 needs:
 - build
- secrets: inherit
 permissions:
 id-token: write
 contents: write
diff --git a/.github/workflows/pullrequest-trust-helper.yaml b/.github/workflows/pullrequest-trust-helper.yaml
index 7aeb60ff..4f3682a8 100644
--- a/.github/workflows/pullrequest-trust-helper.yaml
+++ b/.github/workflows/pullrequest-trust-helper.yaml
@@ -9,8 +9,7 @@ on:
 jobs:
 pullrequest-trusted-helper:
 permissions:
- pull-requests: write
- secrets: inherit # access to `GitHub-Actions`-App is needed to read teams
+ id-token: write
 uses: gardener/cc-utils/.github/workflows/pullrequest-trust-helper.yaml@master
 with:
 trusted-teams: 'mcm-maintainers,gardener-extension-provider-openstack-maintainers'
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index f86e229e..c5fad926 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -12,10 +12,12 @@ on:
 jobs:
 build:
 uses: ./.github/workflows/build.yaml
+ secrets: inherit
 permissions:
- contents: write
+ contents: read
 id-token: write
 packages: write
+ pull-requests: write
 with:
 mode: release
diff --git a/.github/workflows/upgrade-dependencies.yaml b/.github/workflows/upgrade-dependencies.yaml
index d86dbc5e..a1a336a6 100644
--- a/.github/workflows/upgrade-dependencies.yaml
+++ b/.github/workflows/upgrade-dependencies.yaml
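Review bot: The build job keeps `secrets: inherit` while the component-descriptor job directly below loses it, and it is not clear from this hunk which inherited secret build.yaml still consumes now that the App secret is no longer needed (its prepare job in this same commit only gains `id-token: write`). If a secret is still required, for instance for the image push behind `packages: write`, name it in a comment such as `secrets: inherit # <SECRET_NAME> needed for pushing OCI images`; otherwise drop the line as was done for the other callers so the least-privilege intent of the commit holds here too. Both job definitions continue outside the hunk.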
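Review bot: The removed `secrets: inherit` line carried the only explanation of why elevated access is needed in this workflow (reading teams), and the replacement `id-token: write` has no comment, so a reader no longer learns that the OIDC token is what now gets exchanged for App access. Suggest `id-token: write # exchanged at the OIDC federation service for an App token; needed to read teams`. Dropping `pull-requests: write` is only safe if the called workflow no longer writes to the pull request with the default `GITHUB_TOKEN`, which should be confirmed against the cc-utils workflow since it is referenced at the floating `@master` ref.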
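Review bot: `secrets: inherit` is newly added to the build job here, which runs counter to the stated goal of the commit (not sharing secrets with every caller), and the visible build.yaml hunk shows no secret being forwarded to prepare.yaml that would need it. If the reusable workflow does require an inherited secret, for example for `packages: write`, a comment naming it would justify the exception; if it only needs the OIDC token, the line can be left out. The job definition continues past the hunk.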
@@ -7,7 +7,6 @@ on:
 jobs:
 upgrade-pullrequests:
 uses: gardener/cc-utils/.github/workflows/upgrade-dependencies.yaml@master
- secrets: inherit
 permissions:
- contents: write
+ contents: read
 id-token: write
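Review bot: After this hunk the default token for upgrade-pullrequests is read-only and carries no `pull-requests` scope, so any branch push or pull-request creation by the called workflow (the job name suggests it opens pull requests) has to go entirely through the token obtained via `id-token: write`, and nothing in this file records that dependency. Suggest `id-token: write # OIDC token is exchanged for a scoped GitHub App token; the default token is intentionally read-only` so the next reader does not re-add `contents: write`. Since the called workflow is referenced at `@master`, the permission set here has to be kept in step with whatever that floating ref currently requires.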