AAPRFE-2633 (Ansible Automation Platform RFEs)

Implement OpenID Connect (OIDC) Trusted Publishing for Ansible Galaxy collection publishing (e.g., GitHub Actions -> Galaxy) to enable tokenless, secretless authentication.


      What is the nature and description of the request?

      We are requesting that the Ansible Galaxy platform (upstream) add support for OIDC-based trusted publishing for Ansible Collections.
      This would allow CI workflows (for example, GitHub Actions) to publish collections to Galaxy by exchanging an OIDC identity token for a short-lived publishing credential, instead of requiring long-lived Galaxy API tokens stored as secrets.

      This improves security (no static secrets), reduces operational burden (no secret rotation/management), and aligns Galaxy with modern supply-chain best practices already adopted by other package ecosystems.

      Why does the customer need this? (List the business requirements here)

      • Eliminate long-lived secrets (Galaxy tokens) from CI/CD pipelines to reduce risk of leakage.
      • Reduce secret management overhead (creation, storage, rotation, auditing).
      • Improve supply-chain security posture by using short-lived, identity-bound credentials and removing static tokens from repositories and CI systems.
      • Align with industry direction: PyPI (Python) and Cargo (Rust) already support trusted publishing patterns; other registries (e.g., Docker Hub) have indicated plans to adopt similar approaches.
      • Align with OpenSSF guidance: supports the highest authorization maturity expectations (OpenSSF Principles for Package Repository Security — Level 3).

      How would you like to achieve this? (List the functional requirements here)

      • Add a Trusted Publisher configuration in Ansible Galaxy where a collection owner/maintainer can bind publishing rights to:
        • GitHub repository (org/repo)
        • Optional: environment (e.g., release), branch/tag constraints, workflow filename, and/or required claims
      • Support OIDC token exchange flow for publishing:
        • CI obtains an OIDC token from GitHub Actions (id-token: write)
        • Galaxy issues a short-lived publishing token/session scoped to the specific collection(s)
      • Provide auditing/logging:
        • Record publisher identity (repo/workflow), time, collection version, and result
      • Backward compatibility:
        • Keep existing token-based publishing as an option, but recommend OIDC as preferred method
      • Documentation updates:
        • Step-by-step guide for GitHub Actions setup and Galaxy-side trusted publisher configuration
        • Security rationale and troubleshooting section
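A sketch of the Galaxy-side check and token issuance described in the steps above, added here as an illustration and not code from Galaxy or from this RFE. It assumes the OIDC token's signature has already been verified against GitHub's JWKS, that Galaxy requires CI to request the audience `galaxy`, and that `TrustedPublisher` is a hypothetical model of the binding a collection owner registers; the claim names (`repository`, `job_workflow_ref`, `environment`, `ref`) are the ones GitHub Actions puts in its OIDC tokens.

```python
import secrets
from dataclasses import dataclass
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
GALAXY_AUDIENCE = "galaxy"  # assumed: the audience Galaxy would require CI to request

@dataclass
class TrustedPublisher:  # hypothetical model of a binding a collection owner registers
    namespace: str
    collection: str
    repository: str         # "org/repo"
    workflow_file: str      # ".github/workflows/release.yml"
    environment: str = ""   # e.g. "release"; empty means no constraint
    ref: str = ""           # e.g. "refs/heads/main"; empty means any ref

def validate_claims(claims: dict, pub: TrustedPublisher, now: float) -> list:
    """Return the checks that fail for signature-verified claims; [] means publishing is allowed."""
    problems = []
    if claims.get("iss") != GITHUB_ISSUER:
        problems.append("unexpected issuer")
    if claims.get("aud") != GALAXY_AUDIENCE:
        problems.append("audience is not Galaxy")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("repository") != pub.repository:
        problems.append("repository mismatch")
    # job_workflow_ref is "org/repo/<workflow path>@<ref>", so this pins the workflow file too
    if not claims.get("job_workflow_ref", "").startswith(f"{pub.repository}/{pub.workflow_file}@"):
        problems.append("workflow mismatch")
    if pub.environment and claims.get("environment") != pub.environment:
        problems.append("environment mismatch")
    if pub.ref and claims.get("ref") != pub.ref:
        problems.append("ref mismatch")
    return problems

def issue_publish_token(claims: dict, pub: TrustedPublisher, now: float, ttl: int = 900) -> dict:
    """Mint a short-lived credential scoped to one collection, recording who it was issued to."""
    problems = validate_claims(claims, pub, now)
    if problems:
        raise PermissionError("trusted publisher check failed: " + "; ".join(problems))
    return {"token": secrets.token_urlsafe(32), "exp": now + ttl,
            "scope": f"publish:{pub.namespace}.{pub.collection}",
            "publisher": claims["job_workflow_ref"]}  # audit: repo/workflow that published

PUBLISHER = TrustedPublisher("example", "collection", "example-org/example-collection",
                             ".github/workflows/release.yml", environment="release")
SAMPLE_CLAIMS = {  # constructed: the shape of claims a GitHub Actions job presents
    "iss": GITHUB_ISSUER, "aud": GALAXY_AUDIENCE, "exp": 1_700_000_900,
    "repository": "example-org/example-collection", "environment": "release", "ref": "refs/tags/v1.2.0",
    "job_workflow_ref": "example-org/example-collection/.github/workflows/release.yml@refs/tags/v1.2.0",
}
```

The returned record is what Galaxy would log for auditing; the `token` value is the only thing the CI job needs to hold, and it expires after `ttl` seconds.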

      List any affected known dependencies: Doc, UI etc.

      • Galaxy UI: new “Trusted Publishing / Publishers” configuration screen for a namespace/collection
      • Galaxy API: endpoints for publisher registration + OIDC token exchange + publish authorization
      • AuthN/AuthZ service changes: verification of OIDC tokens and claim validation
      • Documentation: Galaxy publishing documentation; examples for GitHub Actions
      • Release notes and potentially migration guidance for maintainers currently using API tokens

              Unassigned Unassigned
              rhn-support-dleroux Daniel Leroux