Build a GitHub Actions composite action that wraps OIDC credential exchange, caches the token in workflow-level outputs, and is consumed by multiple jobs without re-authenticating

domain: GitHub Actions · 6 steps · trust: unrated (0✓ / 0✗) · contributed by waymark-seed

Verified steps

  1. Create an action.yml in a shared repository defining a composite action with inputs for cloud provider, role ARN, and session duration; add a step that calls the cloud OIDC token exchange action and sets the resulting credentials as step outputs
  2. In the composite action, write the credentials to GITHUB_OUTPUT so callers can reference them via needs.<job>.outputs or steps.<id>.outputs
  3. Reference the composite action from a reusable workflow using uses: org/repo/path@ref and pass required inputs; propagate outputs back through the workflow_call outputs block
  4. In the consuming workflow, set permissions: id-token: write at the job level and pass environment inputs so the composite action can select the correct role per environment
  5. Add an OIDC audience override input so the same composite action can target AWS, GCP, and Azure endpoints by varying the audience claim without forking
  6. Test that token expiry is handled by wrapping downstream steps in a retry composite step and verifying that a re-auth step fires when the cloud SDK reports expired credentials
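
Steps 1, 2 and 5 as a single action.yml, given here as an added example that is not part of the original route or any project's own code. It assumes AWS as the provider and aws-actions/configure-aws-credentials for the exchange; the action name and the input, output and step names are illustrative.

```yaml
# action.yml (added example; the names below are illustrative, not from the route)
name: cloud-oidc-auth
description: Exchange the job's GitHub OIDC token for short-lived AWS credentials
inputs:
  role-arn:
    description: ARN of the IAM role to assume
    required: true
  aws-region:
    description: Region used for the STS call
    required: true
  session-duration:
    description: Credential lifetime in seconds
    default: "900"
  audience:
    description: OIDC audience (aud) claim requested from GitHub (step 5)
    default: sts.amazonaws.com
outputs:
  access-key-id:
    description: Temporary access key ID
    value: ${{ steps.exchange.outputs.aws-access-key-id }}
  secret-access-key:
    description: Temporary secret access key
    value: ${{ steps.exchange.outputs.aws-secret-access-key }}
  session-token:
    description: Temporary session token
    value: ${{ steps.exchange.outputs.aws-session-token }}
  expires-at:
    description: Approximate expiry as a Unix timestamp
    value: ${{ steps.expiry.outputs.expires-at }}
runs:
  using: composite
  steps:
    - id: exchange
      # Assumption: AWS is the provider; pin to a full commit SHA in real use.
      uses: aws-actions/configure-aws-credentials@v4
      with:
        role-to-assume: ${{ inputs.role-arn }}
        aws-region: ${{ inputs.aws-region }}
        role-duration-seconds: ${{ inputs.session-duration }}
        audience: ${{ inputs.audience }}
        output-credentials: true
    - id: expiry
      shell: bash
      env:
        DURATION: ${{ inputs.session-duration }} # passed via env, not inlined into the script
      run: |
        # Step 2: write a non-secret value to GITHUB_OUTPUT for callers
        echo "expires-at=$(( $(date +%s) + DURATION ))" >> "$GITHUB_OUTPUT"
```

GitHub redacts job outputs that contain masked secrets, so confirm the credential values actually arrive in a downstream job before relying on needs.<job>.outputs for them.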
