[wernerb]

Regarding GitHub actions and it's secret manager. Any decently organized company would do well to stay away from well known secret interfaces. Instead use oidc auth to fetch secrets just in time, all short-lived for the duration of the pipeline.

[Rial_Labs]

OIDC is the right call for cloud provider credentials like AWS, GCP, Azure all support it well and short lived tokens are genuinely better than static keys.

The gap is third party APIs. OpenAI, Stripe, Anthropic, GitHub. None of them support OIDC. You still end up with a static API key that has to exist somewhere in the pipeline as a plaintext string. That is exactly what the Trivy payload targeted.