Create two service accounts, one for the infrastructure and one for the application deployment.

Use workload identities to let the pods run the two pipelines and authenticate with the service accounts.

Run the infrastructure and application pipelines in separate namespaces.

Create a dedicated service account for the CI/CD pipelines.

Run the deployment pipelines in a dedicated nodes pool in the GKE cluster.

Use the service account that you created as identity for the nodes in the pool to authenticate to the Google Cloud APIs.

Create individual service accounts for each deployment pipeline.

Add an identifier for the pipeline in the service account naming convention.

Ensure each pipeline runs on dedicated pods.

Use workload identity to map a deployment pipeline pod with a service account.

Create service accounts for each deployment pipeline.

Generate private keys for the service accounts.

Securely store the private keys as Kubernetes secrets accessible only by the pods that run the specific deploy pipeline.