diff --git a/.github/workflows/custard-run-dev.yaml b/.github/workflows/custard-run-dev.yaml
index fec32e468d..2f4a8dce47 100644
--- a/.github/workflows/custard-run-dev.yaml
+++ b/.github/workflows/custard-run-dev.yaml
@@ -80,14 +80,25 @@ jobs:
 name: (experimental / dev) Custard CI / ${{ github.job }} (${{ matrix.path }})
 job-name: ${{ github.job }} (${{ matrix.path }})
 if: ${{ !!github.event.workflow_run }}
+ - name: Checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - name: Authenticate
+ uses: google-github-actions/auth@ba79af03959ebeac9769e648f473a284504d9193 # v2.1.10
+ id: auth
+ with:
+ project_id: ${{ env.GOOGLE_SAMPLES_PROJECT }}
+ workload_identity_provider: projects/1046198160504/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider
+ service_account: ${{ env.GOOGLE_SERVICE_ACCOUNT }}
+ access_token_lifetime: 600s # 10 minutes
+ token_format: id_token
+ id_token_audience: https://action.test/ # service must have this custom audience
+ id_token_include_email: true
 - name: Setup Custard
 uses: GoogleCloudPlatform/cloud-samples-tools/actions/steps/setup-custard@9ee708234e240605d96e78f652c333ed6aa95a23 # v0.3.2
 with:
 path: ${{ matrix.path }}
 ci-setup: ${{ toJson(fromJson(needs.affected.outputs.ci-setups)[matrix.path]) }}
- project-id: ${{ env.GOOGLE_SAMPLES_PROJECT }}
- workload-identity-provider: projects/1046198160504/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider
- service-account: ${{ env.GOOGLE_SERVICE_ACCOUNT }}
+ id-token: ${{ steps.auth.outputs.id_token }}
 - name: Check in_progress
 uses: GoogleCloudPlatform/cloud-samples-tools/actions/steps/update-check@9ee708234e240605d96e78f652c333ed6aa95a23 # v0.3.2
 id: in_progress
diff --git a/.github/workflows/custard-run.yaml b/.github/workflows/custard-run.yaml
index 0d4fe08c32..91b28a0c94 100644
--- a/.github/workflows/custard-run.yaml
+++ b/.github/workflows/custard-run.yaml
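Review bot: `access_token_lifetime: 600s # 10 minutes` in the new Authenticate step does not bound the credential this step actually hands on. As far as the google-github-actions/auth documentation goes, that input is honoured only for `token_format: access_token`; with `token_format: id_token` the issued ID token keeps Google's fixed lifetime of roughly one hour. Drop the input or reword the comment, e.g. `# only applies to access_token; the ID token is valid for about 1h`, so nobody assumes a ten-minute exposure window for `steps.auth.outputs.id_token`. The job appears to run from a `workflow_run` event and the rest of it is outside this hunk, so also consider `with: persist-credentials: false` on the new Checkout step unless a later step needs the persisted GitHub token. The same applies to the identical hunk in custard-run.yaml.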
@@ -124,14 +124,25 @@ jobs:
 name: (experimental) Custard CI / ${{ github.job }} (${{ matrix.path }})
 job-name: ${{ github.job }} (${{ matrix.path }})
 if: ${{ !!github.event.workflow_run }}
+ - name: Checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - name: Authenticate
+ uses: google-github-actions/auth@ba79af03959ebeac9769e648f473a284504d9193 # v2.1.10
+ id: auth
+ with:
+ project_id: ${{ env.GOOGLE_SAMPLES_PROJECT }}
+ workload_identity_provider: projects/1046198160504/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider
+ service_account: ${{ env.GOOGLE_SERVICE_ACCOUNT }}
+ access_token_lifetime: 600s # 10 minutes
+ token_format: id_token
+ id_token_audience: https://action.test/ # service must have this custom audience
+ id_token_include_email: true
 - name: Setup Custard
 uses: GoogleCloudPlatform/cloud-samples-tools/actions/steps/setup-custard@9ee708234e240605d96e78f652c333ed6aa95a23 # v0.3.2
 with:
 path: ${{ matrix.path }}
 ci-setup: ${{ toJson(fromJson(needs.affected.outputs.ci-setups)[matrix.path]) }}
- project-id: ${{ env.GOOGLE_SAMPLES_PROJECT }}
- workload-identity-provider: projects/1046198160504/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider
- service-account: ${{ env.GOOGLE_SERVICE_ACCOUNT }}
+ id-token: ${{ steps.auth.outputs.id_token }}
 - name: Check in_progress
 uses: GoogleCloudPlatform/cloud-samples-tools/actions/steps/update-check@9ee708234e240605d96e78f652c333ed6aa95a23 # v0.3.2
 id: in_progress