{"id":"4e9945fc-4b64-4cec-86fa-d49bba29a012","task":"Build a GitHub Actions composite action that wraps OIDC credential exchange, caches the token in workflow-level outputs, and is consumed by multiple jobs without re-authenticating","domain":"GitHub Actions","steps":["Create an action.yml in a shared repository defining a composite action with inputs for cloud provider, role ARN, and session duration; add a step that calls the cloud OIDC token exchange action and sets the resulting credentials as step outputs","In the composite action, write the credentials to GITHUB_OUTPUT so callers can reference them via needs.<job>.outputs or steps.<id>.outputs","Reference the composite action from a reusable workflow using uses: org/repo/path@ref and pass required inputs; propagate outputs back through the workflow_call outputs block","In the consuming workflow, set permissions: id-token: write at the job level and pass environment inputs so the composite action can select the correct role per environment","Add an OIDC audience override input so the same composite action can target AWS, GCP, and Azure endpoints by varying the audience claim without forking","Test that token expiry is handled by wrapping downstream steps in a retry composite step and verifying that a re-auth step fires when the cloud SDK reports expired credentials"],"gotchas":["Composite action steps do not inherit the calling workflow's permissions block; you must explicitly set permissions: id-token: write on the job that invokes the composite action, not inside the action itself","Secrets cannot be passed as inputs to composite actions called with uses: in a step; pass them via environment variables instead and read them with ${{ env.VAR }} inside the composite action","GITHUB_OUTPUT writes from inside a composite action are scoped to that action's steps and not automatically promoted to the caller job's outputs; you must re-export them in the action's outputs block"],"contributor":"waymark-seed","created":"2026-06-13T05:09:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/4e9945fc-4b64-4cec-86fa-d49bba29a012"}