Switch to OIDC Federation Service instead of GitHub App

8R0WNI3 · 8R0WNI3 · commit f2f276c8e8b8 · 2026-02-20T14:39:06.000+01:00
Currently, the [Gardener GitHub-Actions App](https://github.com/apps/gardener-github-actions) is used to provide more privileged access than available via the default `GITHUB_TOKEN`, for example to circumvent branch protection rules (GitHub Apps can be configured as bypassers) or cross repository privileges. To prevent sharing the GitHub App secret with each and every repository/workflow which requires usage of it, the [GitHub OIDC Federation Service](https://github.com/gardener/github-oidc-federation) has been developed. In essence, it holds the credentials for a central GitHub App and creates short-lived access tokens with a configured scope based on a centrally configured OIDC configuration. See related changes which have been necessary for this repository: - gardener/.github-oidc@bddd726 Signed-off-by: Jonas Brand (i538859) <j.brand@sap.com>
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -16,9 +16,8 @@ jobs:
     uses: gardener/cc-utils/.github/workflows/prepare.yaml@master
     with:
       mode: ${{ inputs.mode }}
-      version-commit-callback-action-path:
     permissions:
-      contents: read
+      id-token: write
 
   build:
     needs:
@@ -137,6 +136,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
+      id-token: write
     strategy:
       matrix:
         args:
@@ -151,11 +151,11 @@ jobs:
           go-version: '1.22'
       - if: matrix.args.run == '.ci/e2e' || matrix.args.run == '.ci/integration-test'
         id: token
-        uses: actions/create-github-app-token@v2
+        uses: gardener/cc-utils/.github/actions/github-auth@master
         with:
-          app-id: ${{ vars.GARDENER_GITHUB_ACTIONS_APP_ID }}
-          private-key: ${{ secrets.GARDENER_GITHUB_ACTIONS_PRIVATE_KEY }}
-          owner: gardener
+          token-server: ${{ vars.FEDERATED_GITHUB_ACCESS_TOKEN_SERVER }}
+          permissions: |
+            contents: read
       - shell: bash
         run: |
           set -euo pipefail
diff --git a/.github/workflows/non-release.yaml b/.github/workflows/non-release.yaml
@@ -10,15 +10,14 @@ jobs:
       mode: snapshot
     secrets: inherit
     permissions:
-      contents: write
+      contents: read
       packages: write
       id-token: write
 
   component-descriptor:
     uses: gardener/cc-utils/.github/workflows/post-build.yaml@master
     needs:
       - build
-    secrets: inherit
     permissions:
       id-token: write
       contents: write
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -11,8 +11,9 @@ on:
 jobs:
   build:
     uses: ./.github/workflows/build.yaml
+    secrets: inherit
     permissions:
-      contents: write
+      contents: read
       id-token: write
       packages: write
     with:
@@ -30,7 +31,6 @@ jobs:
     with:
       release-commit-target: branch
       next-version: ${{ inputs.next-version }}
-      next-version-callback-action-path:
       slack-channel-id: G01MH3C9UCS # #gardener-documentation
       assets: |
         - name: docforge-darwin-amd64
