Beyond the OIDC Silver Bullet: Why "Keyless" GitHub Actions Aren't Enough

If you've modernized a CI/CD pipeline in the last couple of years, you've heard the gospel of OpenID Connect: stop hardcoding long-lived AWS IAM keys in your repository secrets. Your workflow requests a short-lived token, the cloud verifies the claims, you deploy. It's a real upgrade. It's also where most teams stop thinking, and that's the problem.
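The "cloud verifies the claims" step is where the real policy lives: the role's trust policy decides which GitHub tokens are accepted, and a trust policy that only checks the audience accepts a token minted for any repository on GitHub. As an added example (not the article's code), the following Python audit reads an AWS IAM role trust policy and reports federated `sts:AssumeRoleWithWebIdentity` statements that lack an audience condition, lack a subject condition, or scope the subject so loosely that other repositories, branches or environments could assume the role. The two sample policies are constructed for illustration; the account ID, org and repo names are placeholders, while the condition keys `token.actions.githubusercontent.com:aud` and `:sub` are the real keys GitHub's OIDC provider presents to AWS.

```python
import json
import re

# Condition keys emitted by GitHub's OIDC provider when federating into AWS.
SUB_KEY = "token.actions.githubusercontent.com:sub"
AUD_KEY = "token.actions.githubusercontent.com:aud"
GITHUB_PROVIDER = "token.actions.githubusercontent.com"

# Constructed sample trust policies (placeholder account ID and repo names).
# LAX_POLICY checks only the audience, so any GitHub repository's token passes.
LAX_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {AUD_KEY: "sts.amazonaws.com"}},
    }],
})

# SCOPED_POLICY pins the subject to one repository and one branch.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {AUD_KEY: "sts.amazonaws.com"},
            "StringLike": {SUB_KEY: "repo:example-org/example-repo:ref:refs/heads/main"},
        },
    }],
})

# GitHub subjects look like repo:<owner>/<repo>:<ref, environment or pull_request>.
SUBJECT_RE = re.compile(r"^repo:([^/:]+)/([^:]+)(?::(.*))?$")


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy_json):
    """Return a list of findings for GitHub OIDC statements in an IAM trust policy."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        federated = _as_list(stmt.get("Principal", {}).get("Federated"))
        if not any(GITHUB_PROVIDER in f for f in federated):
            continue  # not a GitHub federation statement

        # Flatten the string operators into one {condition key: [values]} map.
        cond = stmt.get("Condition", {})
        merged = {}
        for op in ("StringEquals", "StringLike",
                   "ForAnyValue:StringEquals", "ForAnyValue:StringLike"):
            for key, val in cond.get(op, {}).items():
                merged.setdefault(key, []).extend(_as_list(val))

        if AUD_KEY not in merged:
            findings.append(f"statement {i}: no audience ({AUD_KEY}) condition")

        subjects = merged.get(SUB_KEY)
        if not subjects:
            findings.append(f"statement {i}: no subject ({SUB_KEY}) condition; "
                            "a token from any GitHub repository can assume this role")
            continue
        for sub in subjects:
            m = SUBJECT_RE.match(sub)
            if m is None:
                findings.append(f"statement {i}: subject {sub!r} is not a repo-scoped pattern")
            elif "*" in m.group(1) or "*" in m.group(2):
                findings.append(f"statement {i}: subject {sub!r} wildcards the owner or repository")
            elif m.group(3) == "*":
                findings.append(f"statement {i}: subject {sub!r} accepts any branch, tag, "
                                "pull request or environment of the repository")
    return findings


if __name__ == "__main__":
    for name, policy in (("lax", LAX_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_trust_policy(policy) or ["no findings"])
```

Run it against the output of `aws iam get-role` for each deploy role; the scoped policy produces no findings, the lax one reports the missing subject condition. The audit deliberately treats a subject ending in `:*` as a finding rather than an error, since some teams accept any branch for a low-privilege role, but a repository wildcard is never appropriate for a role that can deploy.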
