OIDC is the right call for cloud provider credentials like AWS, GCP, Azure all support it well and short lived tokens are genuinely better than static keys.

The gap is third party APIs. OpenAI, Stripe, Anthropic, GitHub. None of them support OIDC. You still end up with a static API key that has to exist somewhere in the pipeline as a plaintext string. That is exactly what the Trivy payload targeted.