Isolated, ephemeral builders are table stakes for a secure build system, which is why people are turning to cloud CI/CD solutions like Tekton, GCP Cloud Build, or GitHub Actions. Moving your build to the cloud isn't all roses though, as existing build processes often rely on access to infrastructure on prem or in another cloud provider. In the past year, cloud CI/CD systems have added OIDC as a way to provide that access. This is quite different than an end-user OAuth2 flow, so we'll go over what it looks like, common security pitfalls, and how to avoid them. We'll then take it a step further, and show how the open source sigstore project can use OIDC to attest to the build process, and even sign your builds without managing a private key.

Slides