Identity as CI/CD control

A build pipeline is starting to look less like a script with stored passwords and more like a worker that must prove who it is before it can ship code or delete anything. (docs.github.com) In GitHub Actions, OpenID Connect lets a workflow trade its repo, branch, and job claims for short-lived cloud credentials instead of keeping long-lived secrets in the repository. GitHub says the model removes duplicated cloud credentials from secrets and issues tokens directly from the cloud identity provider for each run. (docs.github.com) Approval gates are moving into the same control layer. GitHub environments can require up to six reviewers, block self-approval, and keep environment secrets unavailable until the protection rules pass. (docs.github.com) Amazon Web Services has used similar stop-and-wait patterns in automation. AWS Systems Manager’s `aws:approve` step pauses a runbook until named principals approve or deny the action, and AWS Step Functions supports long-lived state machines that can wait for external events for as long as a year. (docs.aws.amazon.com) That changes what “identity” means in continuous integration and continuous delivery. Instead of giving one shared bot account broad standing access, teams can bind each build, deploy, or signing job to a separate, time-boxed identity with a narrower blast radius. (cloudsecurityalliance.org) The same pattern is spreading into software attestation, which is the signed record of what was built, from which source, and by whom. Sigstore’s keyless flow issues a short-lived certificate tied to an OpenID Connect identity and logs the signing event in Rekor, a public transparency log. (docs.sigstore.dev) U.S. government guidance has been pushing the industry in that direction for years. The National Institute of Standards and Technology’s Secure Software Development Framework calls for secure development practices across the software life cycle, and a June 28, 2023 joint Cybersecurity Information Sheet from the Cybersecurity and Infrastructure Security Agency and the National Security Agency told organizations to harden cloud CI/CD environments against compromise. (csrc.nist.gov) The practical effect is that authorization is becoming more explicit and more granular. A workflow can fetch a token for one deployment, wait for a human review before touching production, and produce a signed attestation that auditors can trace back to a specific run. (docs.github.com) That does not remove tradeoffs. Teams still have to map trust rules to repositories, branches, runners, and environments, and they can still create weak policies if approvals are too broad or identity claims are not checked tightly. (docs.github.com) The direction is clear in the tooling: the pipeline is no longer just executing code. It is presenting identity, asking for permission, and leaving a record that can be verified after the release is over. (docs.sigstore.dev)