Company:
Date Published:
Author: Ari Kalfus
Word count: 6075
Language: English
Hacker News points: 1

Summary

This article discusses DigitalOcean's approach to securing Continuous Integration/Continuous Deployment (CI/CD) pipelines with GitHub Actions, OpenID Connect (OIDC), and HashiCorp Vault. It explains how to create fine-grained Vault roles that authenticate via GitHub OIDC tokens, giving development teams a "credentials-free" experience in their deployment pipelines: no long-lived secrets are stored in the repository or CI configuration. The article walks through five real-world developer use cases: testing pull requests, continuous deployments, staging and production environments, monorepos, and reusable workflows. It also introduces a "paved path" tooling approach that simplifies creating Vault roles, and provides an open-source Terraform module to help organizations configure GitHub OIDC authentication to Vault. The article emphasizes that security initiatives should solve problems for developers rather than introduce new ones, and highlights DigitalOcean's commitment to developer-first approaches to security and secrets management.