OIDC represents a big improvement in terms of security by reducing the risk of leaked credentials, and at polyseam/cndi we want to bring that value to our users.
In our integration with AWS we are able to specify a trust policy which grants OIDC access for all repos in a given GitHub Organization using a wildcard pattern.
Creating a new OIDC app registration for every repo is such a manual process that I don't think it is sufficiently easy to adopt, and our users will likely continue to use API credentials instead - unless support for wildcard patterns can be added.
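The AWS-side wildcard trust policy mentioned above, as an added example that is not part of the original post or the cndi project's code: a small Python sketch that evaluates a constructed policy against sample GitHub `sub` claims and checks that the wildcard stays pinned to one organization. The account ID `111122223333`, the org `example-org` and the helper names are placeholders, and the evaluator only handles single-string `StringEquals`/`StringLike` values.

```python
import re

PROVIDER = "token.actions.githubusercontent.com"

# Constructed trust policy: any repo in example-org may assume the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{PROVIDER}:aud": "sts.amazonaws.com"},
            "StringLike": {f"{PROVIDER}:sub": "repo:example-org/*"},
        },
    }],
}


def string_like(pattern, value):
    """IAM StringLike: case-sensitive, '*' is any run of chars, '?' is one char."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None


def allows(policy, claims):
    """True if some Allow statement's conditions all match the token claims."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        cond = st.get("Condition", {})
        # Condition keys look like "<provider>:<claim>"; compare by claim name.
        eq = all(claims.get(k.rsplit(":", 1)[1]) == v
                 for k, v in cond.get("StringEquals", {}).items())
        like = all(string_like(v, claims.get(k.rsplit(":", 1)[1], ""))
                   for k, v in cond.get("StringLike", {}).items())
        if eq and like:
            return True
    return False


def org_scoped(sub_pattern):
    """Audit check: the owner segment must be literal and closed by '/'."""
    return re.match(r"repo:[^*?/]+/", sub_pattern) is not None
```

The trailing `/` after the organization name in the `sub` pattern is what keeps a similarly prefixed owner such as `example-org-evil` from matching.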