# GitHub Actions OIDC Federation: Stability and Performance Improvements

OIDC federation between GitHub Actions and Takumi Guard / Shisho Cloud now operates reliably even when connectivity to GitHub is unstable.

## Overview {#overview}

The GitHub Actions that Takumi Guard provides (e.g. `flatt-security/setup-takumi-guard-npm`) and the [Shisho Cloud Action](https://github.com/flatt-security/shisho-cloud-action) use the OIDC token issued by the GitHub Actions runner at runtime to obtain Shisho Cloud / Takumi credentials. To verify that token's signature, the exchange briefly reaches the GitHub-hosted endpoint `token.actions.githubusercontent.com`.

On 2026-05-19 we observed periods during which our token-exchange service could not intermittently reach the GitHub endpoint above. As a result, we confirmed that some customer GitHub Actions workflows ran into authentication errors.

This release improves the network configuration and the cache logic for the JWKS (JSON Web Key Set) served by `token.actions.githubusercontent.com`. As a result, transient connectivity failures between the two endpoints are far less likely to surface as workflow failures.

## Action Required {#action-required}

No action is required on your side.
All workflows using `flatt-security/shisho-cloud-action` or any of the `flatt-security/setup-takumi-guard-*` Actions automatically receive this improvement.

## Additional Notes

If you continue to see unstable behaviour, please reach out to [Support](/docs/contact) with as much relevant information as possible.