- Feature Request
- Resolution: Won't Do
- Undefined
- None
- 2.6
- False
- False
- What is the nature and description of the request?
The request is for native support of OpenID Connect (OIDC) authentication, for programmatic access to the Private Automation Hub (AH) API specifically for pushing/syncing collections and execution environments from a CI/CD pipeline (e.g., GitHub Actions, GitLab CI).
Currently, machine-to-machine (M2M) access for content pushes requires generating and managing long-lived, static Personal Access Tokens (PATs) or using shared service account credentials.
- Why does the customer need this? (List the business requirements here)
- Eliminate Security Risk: Remove the dependency on static, long-lived PATs/tokens, which pose a significant security risk if compromised, and are a source of compliance concern for auditing teams.
- Improve Auditability: Ensure that every content push is authenticated using a verifiable identity (e.g., a short-lived token tied to a specific CI/CD job run/repository), improving the audit trail for "who" pushed "what" and "when."
- Reduce Operational Overhead: Eliminate the manual and cumbersome processes of creating, securely injecting, and rotating tokens for numerous pipelines (token sprawl).
- Enforce Least Privilege: Enable M2M tokens to be strictly scoped (e.g., restricted to pushing only to a single AH namespace) to minimize the impact of a compromised credential.
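The auditability and least-privilege requirements above amount to an authorization step that the hub would run after verifying an OIDC token's signature against the CI provider's keys: check lifetime and audience, match the job's identity claims against a trust rule, and grant at most one namespace. The example below is added here and is not part of the request or of any Automation Hub code; it assumes signature verification has already happened, uses GitHub Actions' `job_workflow_ref` claim as I know it, and the `TrustRule` format, the `private-automation-hub` audience and all sample values are constructed.

```python
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class TrustRule:
    """One CI identity -> one AH namespace (rule format is an assumption)."""
    issuer: str            # expected "iss" claim of the CI provider
    job_workflow_ref: str  # pinned workflow file + ref, as in GitHub's OIDC token
    namespace: str         # the only AH namespace this identity may push to

HUB_AUDIENCE = "private-automation-hub"  # constructed "aud" the hub expects

def authorize_push(claims, rules, namespace, now=None):
    """Decide whether a signature-verified OIDC token may push to `namespace`.
    Returns an audit record: who (sub/repository/run_id), what (namespace), outcome."""
    now = time.time() if now is None else now
    audit = {"sub": claims.get("sub"), "repository": claims.get("repository"),
             "run_id": claims.get("run_id"), "namespace": namespace,
             "allowed": False, "reason": ""}
    # Short-lived token: reject expired or not-yet-valid tokens outright.
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        audit["reason"] = "token expired or not yet valid"
        return audit
    # Token must have been minted for this hub, not replayed from another service.
    aud = claims.get("aud")
    if HUB_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        audit["reason"] = "audience mismatch"
        return audit
    # Least privilege: only an exact rule match grants a single namespace.
    for rule in rules:
        if (claims.get("iss") == rule.issuer
                and claims.get("job_workflow_ref") == rule.job_workflow_ref
                and rule.namespace == namespace):
            audit["allowed"] = True
            audit["reason"] = "matched trust rule"
            return audit
    audit["reason"] = "no trust rule grants this identity access to the namespace"
    return audit

# Constructed sample: one trust rule and the claims a CI job would present.
RULES = [TrustRule("https://token.actions.githubusercontent.com",
                   "acme/collections/.github/workflows/publish.yml@refs/heads/main",
                   "acme")]
SAMPLE_CLAIMS = {
    "iss": "https://token.actions.githubusercontent.com", "aud": HUB_AUDIENCE,
    "sub": "repo:acme/collections:ref:refs/heads/main", "repository": "acme/collections",
    "job_workflow_ref": "acme/collections/.github/workflows/publish.yml@refs/heads/main",
    "run_id": "123456789", "nbf": 1_700_000_000, "exp": 1_700_000_600,  # 10-minute lifetime
}
```

Calling `authorize_push(SAMPLE_CLAIMS, RULES, "acme", now=1_700_000_100)` grants the push and returns the audit record; the same token asked for namespace `"other"`, or presented after `exp`, is refused with the reason recorded.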
- How would you like to achieve this? (List the functional requirements here)
Leaving this section to Engineering
- List any affected known dependencies: Doc, UI, etc.
Documentation: Comprehensive guides for integrating with major CI/CD providers (GitHub Actions, GitLab, Azure DevOps) using OIDC.
API: this may require a new authentication endpoint.
CLI: ensure the existing ansible-galaxy CLI can authenticate with OIDC when pushing content.
- GitHub Link if any