
Switch to OIDC Federation Service instead of GitHub App#2794

Open
8R0WNI3 wants to merge 1 commit into master from 8R0WNI3-github-oidc

Conversation

@8R0WNI3 8R0WNI3 commented Feb 20, 2026

What this PR does / why we need it:
Currently, the Gardener GitHub-Actions App is used to provide more privileged access than available via the default GITHUB_TOKEN, for example to circumvent branch protection rules (GitHub Apps can be configured as bypassers) or cross repository privileges. To prevent sharing the GitHub App secret with each and every repository/workflow which requires usage of it, the GitHub OIDC Federation Service has been developed. In essence, it holds the credentials for a central GitHub App and creates short-lived access tokens with a configured scope based on a centrally configured OIDC configuration. See related changes which have been necessary for this repository:

Special notes for your reviewer:
This change requires the organisation variable FEDERATED_GITHUB_ACCESS_TOKEN_SERVER to be made accessible to this repository first.

Release note:


Summary by CodeRabbit

  • Chores
    • Enhanced CI/CD security infrastructure through updated authentication methods across build and deployment workflows
    • Streamlined GitHub Actions permission configurations for improved operational efficiency

Currently, the [Gardener GitHub-Actions App](https://github.com/apps/gardener-github-actions)
is used to provide more privileged access than available via the default `GITHUB_TOKEN`, for
example to circumvent branch protection rules (GitHub Apps can be configured as bypassers) or
cross repository privileges. To prevent sharing the GitHub App secret with each and every
repository/workflow which requires usage of it, the
[GitHub OIDC Federation Service](https://github.com/gardener/github-oidc-federation) has been
developed. In essence, it holds the credentials for a central GitHub App and creates short-lived
access tokens with a configured scope based on a centrally configured OIDC configuration. See
related changes which have been necessary for this repository:

- gardener/.github-oidc@1cc1fe4

Signed-off-by: Jonas Brand (i538859) <j.brand@sap.com>
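The scope decision described above (a central service minting short-lived, scoped tokens from a centrally configured OIDC policy), as an added example that is not the page's or the gardener/github-oidc-federation project's code. The policy format, the `Rule`/`Policy` classes, the audience string and the repository name are assumptions, and signature verification of the Actions OIDC token is assumed to have already happened.

```python
"""Added example, not code from gardener/github-oidc-federation: a minimal model
of the trust decision such a service makes before minting a short-lived, scoped
GitHub App token. Assumes (hypothetical policy format) that the Actions OIDC
token was already signature-verified against GitHub's JWKS; only claims here."""
from dataclasses import dataclass, field
from typing import Optional

GITHUB_ACTIONS_ISSUER = "https://token.actions.githubusercontent.com"
LEVELS = {"none": 0, "read": 1, "write": 2}  # ordered so that read < write

@dataclass
class Rule:
    repository: str      # repo the OIDC token must come from
    ref: Optional[str]   # git ref the job must run on, None for any
    ceiling: dict        # scope -> highest level the central App hands out

@dataclass
class Policy:
    audience: str        # expected "aud" claim of the OIDC token
    rules: list = field(default_factory=list)

def evaluate(claims: dict, requested: dict, policy: Policy) -> Optional[dict]:
    """Permissions to mint, or None to refuse: wrong issuer/audience, no rule
    for repository+ref, or a requested scope above the rule's ceiling."""
    if claims.get("iss") != GITHUB_ACTIONS_ISSUER:
        return None
    aud = claims.get("aud")
    if aud != policy.audience and not (isinstance(aud, list) and policy.audience in aud):
        return None
    for rule in policy.rules:
        if rule.repository != claims.get("repository"):
            continue
        if rule.ref is not None and rule.ref != claims.get("ref"):
            continue
        for scope, level in requested.items():
            if LEVELS.get(level, 99) > LEVELS[rule.ceiling.get(scope, "none")]:
                return None  # never widen: refuse rather than downgrade silently
        return dict(requested)  # first matching rule decides
    return None

# Constructed sample data: one rule for a hypothetical repo's master branch.
POLICY = Policy("federated-github-access-token-server", [
    Rule("gardener/example-repo", "refs/heads/master",
         {"contents": "write", "pull-requests": "write"}),
])
CLAIMS = {"iss": GITHUB_ACTIONS_ISSUER, "aud": "federated-github-access-token-server",
          "repository": "gardener/example-repo", "ref": "refs/heads/master"}
```

A request from a fork, from another branch, or for a scope the rule does not grant (such as `workflows: write`) is refused outright rather than partially honoured.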
@gardener-prow gardener-prow bot added do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Feb 20, 2026
coderabbitai bot commented Feb 20, 2026

📝 Walkthrough

Multiple GitHub workflow files are updated to migrate from GitHub App token-based authentication using private keys to OIDC federated token-based authentication. Permission configurations are adjusted across workflows to enable id-token: write for OIDC token generation, and fine-grained permission scopes are refined.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| **OIDC Token Authentication Migration**<br>`.github/workflows/cherry-pick-reusable.yaml`, `.github/workflows/cherry-pick.yaml`, `.github/workflows/prepare-hotfix-branch.yaml` | Replaces the GitHub App token flow (`actions/create-github-app-token` with `app-id` and `private-key` inputs) with OIDC federated authentication (`gardener/cc-utils/.github/actions/github-auth`). Updates top-level permissions from `contents: none` to `id-token: write` and adds job-specific permissions blocks defining `contents`, `pull-requests`, and `workflows` scopes. Removes `GARDENER_GITHUB_ACTIONS_PRIVATE_KEY` secret references. |
| **Permission Configuration Updates**<br>`.github/workflows/build.yaml`, `.github/workflows/non-release.yaml`, `.github/workflows/release.yaml` | Adjusts workflow permissions: `build.yaml` replaces `contents: read` and `pull-requests: write` with `id-token: write`; `non-release.yaml` changes build job permissions from `contents: write` to `contents: read` and removes `pull-requests: write`; `release.yaml` adds `secrets: inherit` to the build job while changing `contents` from `write` to `read` and removing `pull-requests: write`. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 From private keys locked away so tight,
To OIDC tokens dancing in the light!
GitHub Auth leaps through federation's door,
Workflows secure, with less burden than before! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately and specifically describes the main change: replacing GitHub App authentication with OIDC Federation Service across all affected workflows. |
| Description check | ✅ Passed | The description covers all required sections: what/why (federated token approach), related changes (linked commit), special notes (organization variable requirement), and release note (bugfix user). |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


gardener-prow bot commented Feb 20, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign petersutter for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
.github/workflows/cherry-pick.yaml (1)

12-13: Workflow is disabled by false && condition.

The cherry-pick workflow is effectively disabled with false && at the start of the condition. Is this intentional for the migration period, or should this be addressed in a follow-up?

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/cherry-pick.yaml around lines 12 - 13, The workflow
condition starts with the literal `false &&`, which disables the entire
cherry-pick workflow; remove the `false &&` prefix from the `if:` expression (or
replace it with the intended boolean or environment/secret check) so the
workflow can run, or if this is intentionally temporary add an explicit comment
and a TODO and ensure the real condition (e.g., `github.event_name == 'push'` or
the intended env var check) replaces `false &&` before merging; change the `if:`
expression where `false &&` appears to implement the desired behavior.

@8R0WNI3 8R0WNI3 added the kind/enhancement Enhancement, improvement, extension label Feb 20, 2026
@gardener-prow gardener-prow bot removed the do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. label Feb 20, 2026
@gardener-robot

@holgerkoser, @grolu, @klocke-io You have an open pull request review invite, please check
