Switch to OIDC Federation Service instead of GitHub App

8R0WNI3 · 8R0WNI3 · commit 19eed8bc2508 · 2026-02-20T16:57:31.000+01:00
Currently, the [Gardener GitHub-Actions App](https://github.com/apps/gardener-github-actions) is used to provide more privileged access than available via the default `GITHUB_TOKEN`, for example to circumvent branch protection rules (GitHub Apps can be configured as bypassers) or cross repository privileges. To prevent sharing the GitHub App secret with each and every repository/workflow which requires usage of it, the [GitHub OIDC Federation Service](https://github.com/gardener/github-oidc-federation) has been developed. In essence, it holds the credentials for a central GitHub App and creates short-lived access tokens with a configured scope based on a centrally configured OIDC configuration. See related changes which have been necessary for this repository: - gardener/.github-oidc@6bedc95 Signed-off-by: Jonas Brand (i538859) <j.brand@sap.com>
diff --git a/.github/workflows/oci-images.yaml b/.github/workflows/oci-images.yaml
@@ -14,10 +14,7 @@ jobs:
   prepare:
     uses: gardener/cc-utils/.github/workflows/prepare.yaml@master
     permissions:
-      contents: read
-      packages: write
       id-token: write
-      pull-requests: write
     with:
       mode: ${{ inputs.mode }}
 
@@ -28,7 +25,6 @@ jobs:
       contents: read
       packages: write
       id-token: write
-      pull-requests: write
     uses: gardener/cc-utils/.github/workflows/oci-ocm.yaml@master
     secrets: inherit
     with:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -13,11 +13,11 @@ jobs:
 
   publish-oci:
     uses: ./.github/workflows/oci-images.yaml
+    secrets: inherit
     permissions:
       contents: read
       packages: write
       id-token: write
-      pull-requests: write
     needs:
       - test
     with:
@@ -29,11 +29,8 @@ jobs:
       contents: write
       packages: write
       id-token: write
-      pull-requests: write
     needs:
       - publish-oci
-    secrets:
-      github-app-secret-key: ${{ secrets.GARDENER_GITHUB_ACTIONS_PRIVATE_KEY }}
     with:
       release-commit-target: branch
       next-version: bump-patch
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -40,11 +40,11 @@ jobs:
   publish-oci:
     if: github.event_name == 'push' && github.repository == 'gardener/inventory'
     uses: ./.github/workflows/oci-images.yaml
+    secrets: inherit
     permissions:
       contents: read
       packages: write
       id-token: write
-      pull-requests: write
     needs:
       - test
     with:
