From 3add6b6698c29944850289382ca01159765d1308 Mon Sep 17 00:00:00 2001
From: "Jonas Brand (i538859)"
Date: Fri, 20 Feb 2026 08:17:37 +0100
Subject: [PATCH 1/3] Switch to OIDC Federation Service instead of GitHub App

Currently, the [Gardener GitHub-Actions App](https://github.com/apps/gardener-github-actions) is used to provide more privileged access than available via the default `GITHUB_TOKEN`, for example to circumvent branch protection rules (GitHub Apps can be configured as bypassers) or cross repository privileges.

To prevent sharing the GitHub App secret with each and every repository/workflow which requires usage of it, the [GitHub OIDC Federation Service](https://github.com/gardener/github-oidc-federation) has been developed. In essence, it holds the credentials for a central GitHub App and creates short-lived access tokens with a configured scope based on a centrally configured OIDC configuration.

See related changes which have been necessary for this repository:
- https://github.com/gardener/.github-oidc/commit/6653fe19ffdbf66f92b20b5e59afd8c0a2da0ebb

Signed-off-by: Jonas Brand (i538859)
---
 .github/workflows/build.yaml       | 2 +-
 .github/workflows/non-release.yaml | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 393a53d93..337748255 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -18,7 +18,7 @@ jobs:
       mode: ${{ inputs.mode }}
       version-commit-callback-action-path:
     permissions:
-      contents: read
+      id-token: write
 
   oci-images:
     name: Build OCI-Images
diff --git a/.github/workflows/non-release.yaml b/.github/workflows/non-release.yaml
index 7ac3f6cca..e1c01c651 100644
--- a/.github/workflows/non-release.yaml
+++ b/.github/workflows/non-release.yaml
@@ -18,7 +18,6 @@ jobs:
     uses: gardener/cc-utils/.github/workflows/post-build.yaml@master
     needs:
       - build
-    secrets: inherit
     permissions:
       id-token: write
       contents: write
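Review bot: Listing only `id-token: write` under the prepare job's `permissions:` sets every unlisted scope of the called workflow's `GITHUB_TOKEN` to `none`, so with `contents: read` removed, prepare.yaml can no longer read this repository with its default token (at least for a private checkout). If prepare.yaml checks out the repository or reads tags/releases with `GITHUB_TOKEN` rather than with a token minted through the OIDC federation service, keep both scopes: `id-token: write` and `contents: read`. The job definition (its `uses:` and `with:` lines) starts above the hunk, so what prepare.yaml is handed besides `mode` cannot be confirmed from here.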
From f20e1fb472634e23b90a18cc98b266347bb9f6dd Mon Sep 17 00:00:00 2001
From: "Jonas Brand (i538859)"
Date: Fri, 20 Feb 2026 08:18:47 +0100
Subject: [PATCH 2/3] chore: Drop empty inputs

Signed-off-by: Jonas Brand (i538859)
---
 .github/workflows/build.yaml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 337748255..2aa9bdb9f 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -16,7 +16,6 @@ jobs:
     uses: gardener/cc-utils/.github/workflows/prepare.yaml@master
     with:
       mode: ${{ inputs.mode }}
-      version-commit-callback-action-path:
     permissions:
       id-token: write
 
@@ -53,7 +52,6 @@ jobs:
       oci-repository: ${{ matrix.args.oci-repository }}
       oci-platforms: linux/amd64,linux/arm64
       ocm-labels: ${{ toJSON(matrix.args.ocm-labels) }}
-      extra-tags:
 
   sast-lint:
     uses: gardener/cc-utils/.github/workflows/sastlint-ocm.yaml@master

From 596d2731c67fbbb5ac48882aaa493e06738580ed Mon Sep 17 00:00:00 2001
From: "Jonas Brand (i538859)"
Date: Fri, 20 Feb 2026 08:18:55 +0100
Subject: [PATCH 3/3] Streamline GHA permissions and secrets

Signed-off-by: Jonas Brand (i538859)
---
 .github/workflows/non-release.yaml | 2 +-
 .github/workflows/release.yaml     | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/non-release.yaml b/.github/workflows/non-release.yaml
index e1c01c651..14a687882 100644
--- a/.github/workflows/non-release.yaml
+++ b/.github/workflows/non-release.yaml
@@ -10,7 +10,7 @@ jobs:
       mode: snapshot
     secrets: inherit
     permissions:
-      contents: write
+      contents: read
       packages: write
       id-token: write
 
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 9b880070f..847714333 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -12,8 +12,9 @@ on:
 jobs:
   build:
     uses: ./.github/workflows/build.yaml
+    secrets: inherit
     permissions:
-      contents: write
+      contents: read
       id-token: write
       packages: write
     with:
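Review bot: Lowering the caller's `contents` to `read` on the non-release build job is only safe if no job inside build.yaml requests `contents: write` in its own `permissions:` — GitHub rejects the workflow call when a called workflow asks for a scope the caller did not grant, which would break every snapshot run rather than just one step. Only the `prepare` job of build.yaml is visible in this series (after patch 1 it requests just `id-token: write`); confirm that `oci-images` and `sast-lint` likewise stay at or below `contents: read`. The `build:` job header and the workflow's `on:` triggers sit above the hunk, so whether this job also runs for `pull_request` events (where `id-token` is not issued to forks anyway) cannot be checked from here.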
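Review bot: Adding `secrets: inherit` to the release build job forwards every repository and organization secret into build.yaml, from where it can be passed onward to the cc-utils reusable workflows it calls, which runs counter to the series' stated goal of not distributing privileged credentials to each workflow. Prefer an explicit mapping of only the secrets build.yaml declares under `on.workflow_call.secrets`, e.g. `secrets:` followed by one `<name>: ${{ secrets.<NAME> }}` line per secret, or drop the block entirely if the OIDC-federated token now covers what those secrets provided. Whether build.yaml declares any secrets at all is not visible in this hunk; if it declares none, `secrets: inherit` grants nothing useful and should go.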