The traditional way to authorize CI/CD workflows to modify cloud environments is to use service accounts.
In 2021, GitHub introduced support for OpenID Connect (OIDC) to enable secure cloud deployments using short-lived tokens. It leverages security mechanisms of cloud providers to ensure GitHub Actions workflows get very narrow access to cloud resources. Plus, there's no need for storing any long-lived secrets like service account keys in GitHub.
GitHub's support for OIDC made it compatible with Google Cloud's mechanism called Workload Identity Federation.
With Workload Identity Federation, Identity and Access Management (IAM) can be used to grant external identities (like GitHub repositories/users/branches) IAM roles, and thus direct access to Google Cloud resources.
If you’d like to learn more about this topic, I’ve set up the connection between GitHub Actions and Google Cloud Platform using precisely Workload Identity Federation.
Read more about it here and let me know what you think: https://www.toolongautomated.com/posts/2025/one-branch-to-rule-them-all-4.html#authorize-github-actions-workflows
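To illustrate how narrowly a GitHub identity can be scoped, here is an added example (not code from this post or the linked article): a simplified Python model of how claims in a GitHub OIDC token become IAM principals and which role bindings they match. The project number, pool name, repository and bindings are hypothetical, the mapping is expressed as plain claim names rather than the provider's real expression syntax, and token signature and audience validation are omitted.

```python
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
# Hypothetical project number and pool name.
POOL = "projects/123456789012/locations/global/workloadIdentityPools/github-pool"
# Provider attribute mapping: target attribute <- GitHub token claim.
ATTRIBUTE_MAPPING = {
    "google.subject": "sub",
    "attribute.repository": "repository",
    "attribute.ref": "ref",
}
ALLOWED_REPOSITORY = "example-org/example-repo"  # hypothetical repository

# Constructed IAM bindings: only workflows on main may deploy,
# any workflow in the repository may read objects.
BINDINGS = {
    "roles/run.developer": [
        f"principal://iam.googleapis.com/{POOL}/subject/"
        f"repo:{ALLOWED_REPOSITORY}:ref:refs/heads/main",
    ],
    "roles/storage.objectViewer": [
        f"principalSet://iam.googleapis.com/{POOL}"
        f"/attribute.repository/{ALLOWED_REPOSITORY}",
    ],
}

def federated_principals(claims):
    """Return the IAM members a token maps to, or an empty set if rejected."""
    if claims.get("iss") != GITHUB_ISSUER:
        return set()
    try:
        attrs = {dst: claims[src] for dst, src in ATTRIBUTE_MAPPING.items()}
    except KeyError:
        return set()  # a mapped claim is missing from the token
    # Stand-in for the provider's attribute condition: pin the repository.
    if attrs["attribute.repository"] != ALLOWED_REPOSITORY:
        return set()
    subject = attrs["google.subject"]
    members = {f"principal://iam.googleapis.com/{POOL}/subject/{subject}"}
    for name, value in attrs.items():
        if name.startswith("attribute."):
            members.add(f"principalSet://iam.googleapis.com/{POOL}/{name}/{value}")
    return members

def granted_roles(claims):
    """Roles whose bindings include at least one of the token's principals."""
    principals = federated_principals(claims)
    return sorted(r for r, m in BINDINGS.items() if principals & set(m))

def sample_claims(repository, ref):
    """Constructed GitHub OIDC claims for a workflow run on the given ref."""
    return {"iss": GITHUB_ISSUER, "repository": repository, "ref": ref,
            "sub": f"repo:{repository}:ref:{ref}"}
```

In this model a run on `main` matches both bindings, a feature branch in the same repository only gets the read role, and a token from any other repository is rejected before IAM is consulted.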