Switch to OIDC Federation Service instead of GitHub App (#2794)

8R0WNI3 · web-flow · commit cfa8793dff68 · 2026-03-17T15:52:21.000Z
Currently, the [Gardener GitHub-Actions App](https://github.com/apps/gardener-github-actions) is used to provide more privileged access than available via the default `GITHUB_TOKEN`, for example to circumvent branch protection rules (GitHub Apps can be configured as bypassers) or cross repository privileges. To prevent sharing the GitHub App secret with each and every repository/workflow which requires usage of it, the [GitHub OIDC Federation Service](https://github.com/gardener/github-oidc-federation) has been developed. In essence, it holds the credentials for a central GitHub App and creates short-lived access tokens with a configured scope based on a centrally configured OIDC configuration. See related changes which have been necessary for this repository: - gardener/.github-oidc@1cc1fe4 Signed-off-by: Jonas Brand (i538859) <j.brand@sap.com>
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -19,8 +19,7 @@ jobs:
       version-commit-callback-action-path: .github/actions/prepare-release
       checkout-fetch-depth: 0
     permissions:
-      contents: read
-      pull-requests: write
+      id-token: write
 
   oci-images:
     name: Build OCI-Images
diff --git a/.github/workflows/cherry-pick-reusable.yaml b/.github/workflows/cherry-pick-reusable.yaml
@@ -11,13 +11,9 @@ on:
         description: 'The comment body containing cherry-pick commands'
         required: true
         type: string
-    secrets:
-      GARDENER_GITHUB_ACTIONS_PRIVATE_KEY:
-        description: 'Private key for the Gardener GitHub Actions app'
-        required: true
 
 permissions:
-  contents: none  # we rely on the GitHub App token instead
+  id-token: write # required for GitHub OIDC Federation Service token
 
 jobs:
   parse-branches:
@@ -26,12 +22,14 @@ jobs:
       branches: ${{ steps.parse.outputs.branches }}
       has-branches: ${{ steps.parse.outputs.has-branches }}
     steps:
-      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+      - uses: gardener/cc-utils/.github/actions/github-auth@master
         id: token
         with:
-          app-id: ${{ vars.GARDENER_GITHUB_ACTIONS_APP_ID }}
-          private-key: ${{ secrets.GARDENER_GITHUB_ACTIONS_PRIVATE_KEY }}
-          permission-pull-requests: write
+          token-server: ${{ vars.FEDERATED_GITHUB_ACCESS_TOKEN_SERVER }}
+          repositories: ${{ github.event.repository.name }}
+          permissions: |
+            contents: read
+            pull-requests: write
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ github.event.repository.default_branch }}
@@ -53,14 +51,15 @@ jobs:
         target-branch: ${{ fromJson(needs.parse-branches.outputs.branches) }}
       fail-fast: false
     steps:
-      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+      - uses: gardener/cc-utils/.github/actions/github-auth@master
         id: token
         with:
-          app-id: ${{ vars.GARDENER_GITHUB_ACTIONS_APP_ID }}
-          private-key: ${{ secrets.GARDENER_GITHUB_ACTIONS_PRIVATE_KEY }}
-          permission-contents: write
-          permission-pull-requests: write
-          permission-workflows: write
+          token-server: ${{ vars.FEDERATED_GITHUB_ACCESS_TOKEN_SERVER }}
+          repositories: ${{ github.event.repository.name }}
+          permissions: |
+            contents: write
+            pull-requests: write
+            workflows: write
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ github.event.repository.default_branch }}
@@ -77,12 +76,14 @@ jobs:
     needs: [parse-branches, cherry-pick]
     if: always() && needs.parse-branches.outputs.has-branches == 'true'
     steps:
-      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+      - uses: gardener/cc-utils/.github/actions/github-auth@master
         id: token
         with:
-          app-id: ${{ vars.GARDENER_GITHUB_ACTIONS_APP_ID }}
-          private-key: ${{ secrets.GARDENER_GITHUB_ACTIONS_PRIVATE_KEY }}
-          permission-pull-requests: write
+          token-server: ${{ vars.FEDERATED_GITHUB_ACCESS_TOKEN_SERVER }}
+          repositories: ${{ github.event.repository.name }}
+          permissions: |
+            contents: read
+            pull-requests: write
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ github.event.repository.default_branch }}
diff --git a/.github/workflows/cherry-pick.yaml b/.github/workflows/cherry-pick.yaml
@@ -5,7 +5,7 @@ on:
     types: [created]
 
 permissions:
-  contents: none  # we rely on the GitHub App token instead
+  id-token: write # required for GitHub OIDC Federation Service token
 
 jobs:
   cherry-pick:
@@ -21,5 +21,3 @@ jobs:
     with:
       pr-number: ${{ github.event.issue.number }}
       comment-body: ${{ github.event.comment.body }}
-    secrets:
-      GARDENER_GITHUB_ACTIONS_PRIVATE_KEY: ${{ secrets.GARDENER_GITHUB_ACTIONS_PRIVATE_KEY }}
diff --git a/.github/workflows/non-release.yaml b/.github/workflows/non-release.yaml
@@ -23,17 +23,15 @@ jobs:
       mode: snapshot
     secrets: inherit
     permissions:
-      contents: write
+      contents: read
       packages: write
       id-token: write
-      pull-requests: write
 
   component-descriptor:
     if: ${{ github.event_name != 'pull_request_target' || (github.event_name == 'pull_request_target' && github.event.label.name == vars.DEFAULT_LABEL_OK_TO_TEST && vars.DEFAULT_LABEL_OK_TO_TEST != '') }}
     uses: gardener/cc-utils/.github/workflows/post-build.yaml@master
     needs:
       - build
-    secrets: inherit
     permissions:
       id-token: write
       contents: write
diff --git a/.github/workflows/prepare-hotfix-branch.yaml b/.github/workflows/prepare-hotfix-branch.yaml
@@ -10,10 +10,6 @@ on:
         required: false
         type: string
         default: ''
-    secrets:
-      GARDENER_GITHUB_ACTIONS_PRIVATE_KEY:
-        description: "Private key for the Gardener GitHub Actions app"
-        required: true
   workflow_dispatch:
     inputs:
       tag:
@@ -27,7 +23,7 @@ on:
         default: .github/actions/prepare-hotfix
 
 permissions:
-  contents: none  # we rely on the GitHub App token instead
+  id-token: write # required for GitHub OIDC Federation Service token
 
 jobs:
   prepare-hotfix:
@@ -36,14 +32,15 @@ jobs:
       TAG: ${{ inputs.tag }}
     steps:
       - name: Create GitHub App token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf   # v2.2.1
+        uses: gardener/cc-utils/.github/actions/github-auth@master
         id: app-token
         with:
-          app-id: ${{ vars.GARDENER_GITHUB_ACTIONS_APP_ID }}
-          private-key: ${{ secrets.GARDENER_GITHUB_ACTIONS_PRIVATE_KEY }}
-          permission-contents: write
-          permission-pull-requests: write
-          permission-workflows: write
+          token-server: ${{ vars.FEDERATED_GITHUB_ACCESS_TOKEN_SERVER }}
+          repositories: ${{ github.event.repository.name }}
+          permissions: |
+            contents: write
+            pull-requests: write
+            workflows: write
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -12,11 +12,11 @@ on:
 jobs:
   build:
     uses: ./.github/workflows/build.yaml
+    secrets: inherit
     permissions:
-      contents: write
+      contents: read
       id-token: write
       packages: write
-      pull-requests: write
     with:
       mode: release
 
