GitHub Actions OIDC Federation: Stability and Performance Improvements
OIDC federation between GitHub Actions and Takumi Guard / Shisho Cloud now operates reliably even when connectivity to GitHub is unstable.
Overview
The GitHub Actions that Takumi Guard provides (e.g. flatt-security/setup-takumi-guard-npm) and the Shisho Cloud Action use the OIDC token issued by the GitHub Actions runner at runtime to obtain Shisho Cloud / Takumi credentials. To verify that token's signature, the exchange briefly reaches the GitHub-hosted endpoint token.actions.githubusercontent.com.
On 2026-05-19 we observed periods during which our token-exchange service intermittently could not reach the GitHub endpoint above. As a result, we confirmed that some customer GitHub Actions workflows ran into authentication errors.
This release improves the network configuration and the cache logic for the JWKS (JSON Web Key Set) served by token.actions.githubusercontent.com. As a result, transient connectivity failures between the two endpoints are far less likely to surface as workflow failures.
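The general pattern behind a failure-tolerant JWKS cache, as an added sketch that is not Flatt Security's implementation: look up the verification key by `kid`, refresh on expiry or on an unknown `kid`, and keep serving cached keys when the fetch fails, up to a hard staleness limit. The class name, parameter names and default values are assumptions; `fetch` stands in for an HTTPS GET of the issuer's JWKS document, and signature verification itself is out of scope.

```python
import time

class JWKSCache:
    """Key lookup by `kid` that keeps serving cached keys through fetch failures."""

    def __init__(self, fetch, ttl=300, max_stale=3600, min_refetch=30,
                 clock=time.monotonic):
        self._fetch = fetch              # callable -> {"keys": [...]}, may raise
        self._ttl = ttl                  # seconds before a refresh is attempted
        self._max_stale = max_stale      # hard limit on serving old keys
        self._min_refetch = min_refetch  # floor between fetch attempts
        self._clock = clock
        self._keys = {}
        self._fetched_at = None
        self._last_attempt = None

    def _refresh(self):
        now = self._clock()
        self._last_attempt = now
        doc = self._fetch()
        keys = {k["kid"]: k for k in doc["keys"] if "kid" in k}
        if not keys:
            raise ValueError("JWKS contained no usable keys")
        self._keys, self._fetched_at = keys, now

    def get_key(self, kid):
        now = self._clock()
        expired = self._fetched_at is None or now - self._fetched_at > self._ttl
        throttled = (self._last_attempt is not None
                     and now - self._last_attempt < self._min_refetch)
        # Refresh on expiry, or on an unknown kid (issuer may have rotated keys).
        if (expired or kid not in self._keys) and not throttled:
            try:
                self._refresh()
            except Exception:
                pass  # transient failure: fall back to the cached set below
        if self._fetched_at is None or now - self._fetched_at > self._max_stale:
            raise RuntimeError("JWKS unavailable and cache too old to trust")
        if kid not in self._keys:
            raise KeyError(kid)  # fail closed: never verify with a guessed key
        return self._keys[kid]
```

A larger `max_stale` rides out longer outages but also delays honoring a key the issuer has removed, so it should be chosen with the issuer's rotation practice in mind.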
Action Required
No action is required on your side.
All workflows using flatt-security/shisho-cloud-action or any of the flatt-security/setup-takumi-guard-* Actions automatically receive this improvement.
Additional Notes
If you continue to see unstable behaviour, please reach out to Support with as much relevant information as possible.
