Supporting OpenID Connect (OIDC)-based trusted publishing would enable Ansible Collection developers to publish directly from GitHub workflows without storing long-lived API tokens or secrets. This tokenless approach would significantly reduce secret management overhead, minimize rotation efforts, and substantially improve overall security by eliminating a common attack vector.
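To make concrete what "tokenless" means on the registry side, the following is an added illustration (not Ansible Galaxy, PyPI or GitHub code) of the claim check a registry performs after it has verified the signature of a GitHub Actions OIDC token. The token is accepted only if its issuer, audience, repository, workflow file and validity window match a publisher registration; the registration, audience string and sample claim sets below are constructed for the example.

```python
"""Registry-side acceptance check for an OIDC trusted-publishing token.

Added illustration; not Ansible Galaxy, PyPI or GitHub code.  The JWT
signature is assumed to have been verified already against the provider's
published JWKS (that step needs network access).  What remains, and what this
shows, is binding the token's claims to ONE registered publisher so that a
token minted for another repository, workflow or service is rejected.
"""
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# GitHub Actions' OIDC issuer (real value; other providers have their own).
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


@dataclass(frozen=True)
class TrustedPublisher:
    """What a maintainer registers once, instead of minting an API token."""
    audience: str                      # registry identifier the token must name (assumed value)
    repository: str                    # "owner/repo"
    workflow_file: str                 # path of the one workflow allowed to publish
    environment: Optional[str] = None  # optional GitHub environment pin


def verify_claims(claims: dict, pub: TrustedPublisher, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason).  Each check is something a copied token cannot change."""
    now = time.time() if now is None else now
    if claims.get("iss") != GITHUB_ISSUER:
        return False, "unexpected issuer"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if pub.audience not in audiences:
        return False, "audience mismatch"               # minted for some other service
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False, "token outside validity window"   # short-lived: a leaked token goes stale
    if claims.get("repository") != pub.repository:
        return False, "repository mismatch"             # a fork cannot publish as the upstream
    # job_workflow_ref is "owner/repo/path/to/workflow.yml@ref"; compare the path part.
    workflow_path = claims.get("job_workflow_ref", "").split("@", 1)[0]
    if workflow_path != f"{pub.repository}/{pub.workflow_file}":
        return False, "workflow mismatch"               # other workflows in the repo are refused
    if pub.environment is not None and claims.get("environment") != pub.environment:
        return False, "environment mismatch"
    return True, "ok"


# Constructed registration and sample claim sets (all values made up for the example).
PUBLISHER = TrustedPublisher(
    audience="galaxy.example",
    repository="example-org/example.collection",
    workflow_file=".github/workflows/release.yml",
    environment="release",
)

ISSUED_AT = 1_700_000_000
GOOD_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "aud": "galaxy.example",
    "nbf": ISSUED_AT,
    "exp": ISSUED_AT + 300,
    "repository": "example-org/example.collection",
    "job_workflow_ref": "example-org/example.collection/.github/workflows/release.yml@refs/tags/v1.2.0",
    "environment": "release",
}
# Same shape, but minted by a job running in someone else's fork.
FORK_CLAIMS = {**GOOD_CLAIMS,
               "repository": "someone-else/example.collection",
               "job_workflow_ref": "someone-else/example.collection/.github/workflows/release.yml@refs/heads/main"}
# Same repository, but a different workflow file (one that a pull request could modify).
WRONG_WORKFLOW_CLAIMS = {**GOOD_CLAIMS,
                         "job_workflow_ref": "example-org/example.collection/.github/workflows/ci.yml@refs/heads/main"}


def check_samples() -> dict:
    """Evaluate each constructed token inside its validity window, plus the good one after expiry."""
    inside = ISSUED_AT + 60
    return {
        "legitimate": verify_claims(GOOD_CLAIMS, PUBLISHER, now=inside),
        "fork": verify_claims(FORK_CLAIMS, PUBLISHER, now=inside),
        "wrong_workflow": verify_claims(WRONG_WORKFLOW_CLAIMS, PUBLISHER, now=inside),
        "stale": verify_claims(GOOD_CLAIMS, PUBLISHER, now=ISSUED_AT + 3600),
    }


if __name__ == "__main__":
    for name, (ok, why) in check_samples().items():
        print(f"{name:15s} accepted={ok} ({why})")
```

On the workflow side, the job obtains such a token by declaring `permissions: id-token: write` and exchanging it with the registry during the run; nothing is stored in repository secrets, so there is no long-lived value to leak or rotate. The point of the checks above is that even a token captured from a run is bound to one repository, one workflow file and a short window, which is what removes the "indefinite ability to publish" that a stolen API key grants.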
The current requirement to store long-lived Galaxy API tokens in GitHub Secrets creates persistent risks. If these secrets are compromised—through phishing, malware, leaked repositories, or supply chain attacks—attackers gain indefinite ability to publish malicious versions of collections. Similar incidents have already caused major damage in other package ecosystems:
- In 2018, a maintainer's compromised npm account led to a malicious version of the popular `eslint-scope` package being published, which attempted to exfiltrate users' npm credentials.
- In 2021, the widely used `ua-parser-js` npm library was hijacked after the maintainer's account was compromised, resulting in malicious versions that installed cryptominers and password-stealing malware on Linux and Windows systems.
- Throughout 2025, multiple large-scale npm supply chain attacks involved stolen publishing tokens or compromised accounts, enabling attackers to publish trojanized versions of popular packages (e.g., Nx, Chalk, and others), affecting thousands of downstream projects.
These real-world compromises demonstrate how long-lived credentials become high-value targets and enable attackers to inject malicious code directly into trusted packages.
Several other platforms have already adopted or are adopting OIDC-based trusted publishing to address exactly these risks:
- PyPI supports Trusted Publishers for tokenless publishing from GitHub Actions and other providers.
- Cargo (Rust crates) has implemented a similar trusted publishing model.
- Docker Hub has expressed intent to add this capability.
Additionally, this approach aligns with Level 3 (the highest level) of authorization security in the OpenSSF’s Principles for Package Repository Security.
By implementing OIDC trusted publishing, Ansible Galaxy would bring its publishing workflow in line with modern security best practices, reduce the attack surface for collection maintainers, and help protect the broader Ansible community from supply chain compromises.
Would the Ansible Galaxy team consider adding support for this feature to make the platform more secure and developer-friendly?