From 0fe09958cf0a8f6f2fd83f37aa14a12fdd0b37cf Mon Sep 17 00:00:00 2001
From: "Jonas Brand (i538859)"
Date: Fri, 20 Feb 2026 11:31:07 +0100
Subject: [PATCH] Switch to OIDC Federation Service instead of GitHub App

Currently, the [Gardener GitHub-Actions App](https://github.com/apps/gardener-github-actions) is used to provide more privileged access than available via the default `GITHUB_TOKEN`, for example to circumvent branch protection rules (GitHub Apps can be configured as bypassers) or cross repository privileges.

To prevent sharing the GitHub App secret with each and every repository/workflow which requires usage of it, the [GitHub OIDC Federation Service](https://github.com/gardener/github-oidc-federation) has been developed. In essence, it holds the credentials for a central GitHub App and creates short-lived access tokens with a configured scope based on a centrally configured OIDC configuration.

See related changes which have been necessary for this repository:
- https://github.com/gardener/.github-oidc/commit/b803037ebb6a67155888029d54231aee298a1e25

Signed-off-by: Jonas Brand (i538859)
---
 .github/workflows/build.yaml | 4 ++--
 .github/workflows/non-release.yaml | 3 +--
 .github/workflows/pullrequest-trust-helper.yaml.yml | 3 +--
 .github/workflows/release.yaml | 6 ++----
 4 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index a7b955e890..33eaec7046 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -16,10 +16,10 @@ jobs:
     uses: gardener/cc-utils/.github/workflows/prepare.yaml@master
     with:
       mode: ${{ inputs.mode }}
-      version-commit-callback-action-path:
       post-process: callback
     permissions:
-      contents: read
+      id-token: write
+      pull-requests: write # required until https://github.com/gardener/cc-utils/pull/1529 is merged
   oci-images:
     name: Build OCI-Images
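Review bot: Dropping `contents: read` from the prepare job's `permissions:` block leaves the `GITHUB_TOKEN` handed to the called prepare.yaml with no contents scope at all, because an explicit `permissions:` block sets every unlisted scope to none; if the reusable workflow still checks out or reads the repository with that token rather than with the federated one, the job will fail (for private repositories at least — confirm against prepare.yaml). If this is intended, a comment would spare the next reader the same question, e.g. `permissions: # contents deliberately unset: repository access is obtained via the OIDC Federation Service token`. The new `pull-requests: write` line is marked as temporary until https://github.com/gardener/cc-utils/pull/1529 lands; a tracking reference so the scope is removed afterwards would keep the grant from becoming permanent. The job header itself is above the hunk (only `jobs:` is visible as header context).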
diff --git a/.github/workflows/non-release.yaml b/.github/workflows/non-release.yaml
index 44c4a3c7e2..f5435f0c4f 100644
--- a/.github/workflows/non-release.yaml
+++ b/.github/workflows/non-release.yaml
@@ -19,7 +19,7 @@ jobs:
       mode: snapshot
     secrets: inherit
     permissions:
-      contents: write
+      contents: read
       packages: write
       id-token: write
       pull-requests: write
@@ -29,7 +29,6 @@ jobs:
     uses: gardener/cc-utils/.github/workflows/post-build.yaml@master
     needs:
       - build
-    secrets: inherit
     permissions:
       id-token: write
       contents: write
diff --git a/.github/workflows/pullrequest-trust-helper.yaml.yml b/.github/workflows/pullrequest-trust-helper.yaml.yml
index a2a907eee8..a0b0b73c91 100644
--- a/.github/workflows/pullrequest-trust-helper.yaml.yml
+++ b/.github/workflows/pullrequest-trust-helper.yaml.yml
@@ -9,8 +9,7 @@ on:
 jobs:
   pullrequest-trusted-helper:
     permissions:
-      pull-requests: write
-    secrets: inherit # access to `GitHub-Actions`-App is needed to read teams
+      id-token: write
     uses: gardener/cc-utils/.github/workflows/pullrequest-trust-helper.yaml@master
     with:
       trusted-teams: 'test-infra-maintainers'
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 3759b9d5ad..c0dbe69aa8 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -12,8 +12,9 @@ on:
 jobs:
   build:
     uses: ./.github/workflows/build.yaml
+    secrets: inherit
     permissions:
-      contents: write
+      contents: read
       id-token: write
       packages: write
       pull-requests: write # required to remove labels
@@ -24,7 +25,6 @@ jobs:
     uses: gardener/cc-utils/.github/workflows/release.yaml@master
     needs:
       - build
-    secrets: inherit
     permissions:
       contents: write
       id-token: write
@@ -32,5 +32,3 @@ jobs:
     with:
       release-commit-target: branch
       next-version: ${{ inputs.next-version }}
-      next-version-callback-action-path:
-      slack-channel-id:
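Review bot: The new `id-token: write` in pullrequest-trust-helper.yaml.yml carries no rationale, whereas the removed `secrets: inherit` line explained why App access was needed (reading teams); a reader of the workflow cannot tell that this scope exists so the called workflow can request a token from the OIDC Federation Service. Suggest `id-token: write # lets the reusable workflow obtain a short-lived token from the GitHub OIDC Federation Service (replaces the GitHub-Actions App secret)`. Since `pull-requests: write` is dropped as well, the default `GITHUB_TOKEN` forwarded to the reusable workflow has no pull-request scope; presumably pull-request writes now go through the federated token, which is worth confirming against the called workflow. The `on:` block that triggers this job lies outside the hunk.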
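Review bot: In release.yaml's first hunk, `secrets: inherit` is added to the `build` job, forwarding every repository and organization secret into the local build workflow, while the same commit removes `inherit` from the `release` and `post-build` jobs precisely because the federated token replaces the shared secret. This mirrors the existing `secrets: inherit` visible as context in non-release.yaml, so it may simply align the two callers, but if build.yaml needs only specific secrets the narrower form lists them by name under `secrets:`. If the blanket forward is required, a comment naming the consumer would make the exception auditable, e.g. `secrets: inherit # forwarded for <consuming job in build.yaml>; TODO confirm which secrets are actually read`. The `contents: read` tightening in the same block is consistent with non-release.yaml; the `build` job mapping may continue past the last hunk line.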