diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4e309e41f77b1f93c6d7bad2518eee39b019f522..8183c0667058f780244b4d931bd903d7465d465c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,10 @@
+## [7.8.2](https://gitlab.com/to-be-continuous/python/compare/7.8.1...7.8.2) (2025-02-03)
+
+
+### Bug Fixes
+
+* **gcp:** reduce scope of GCP App Default Creds script to template ([829bfce](https://gitlab.com/to-be-continuous/python/commit/829bfceffe3a2e097914c719d4a4488d544be7ab))
+
 ## [7.8.1](https://gitlab.com/to-be-continuous/python/compare/7.8.0...7.8.1) (2025-01-31)
 
 
diff --git a/README.md b/README.md
index 5bf7bc0620a5b9c5f220a110001749e24fa9b295..ee8a3617e3a63642b82e0653c6f6b8971467dc7f 100644
--- a/README.md
+++ b/README.md
@@ -14,7 +14,7 @@ Add the following to your `.gitlab-ci.yml`:
 ```yaml
 include:
   # 1: include the component
-  - component: $CI_SERVER_FQDN/to-be-continuous/python/gitlab-ci-python@7.8.1
+  - component: $CI_SERVER_FQDN/to-be-continuous/python/gitlab-ci-python@7.8.2
     # 2: set/override component inputs
     inputs:
       image: registry.hub.docker.com/library/python:3.12-slim
@@ -29,7 +29,7 @@ Add the following to your `.gitlab-ci.yml`:
 include:
   # 1: include the template
   - project: 'to-be-continuous/python'
-    ref: '7.8.1'
+    ref: '7.8.2'
     file: '/templates/gitlab-ci-python.yml'
 
 variables:
@@ -563,9 +563,9 @@ With:
 ```yaml
 include:
   # main component
-  - component: $CI_SERVER_FQDN/to-be-continuous/python/gitlab-ci-python@7.8.1
+  - component: $CI_SERVER_FQDN/to-be-continuous/python/gitlab-ci-python@7.8.2
   # Vault variant
-  - component: $CI_SERVER_FQDN/to-be-continuous/python/gitlab-ci-python-vault@7.8.1
+  - component: $CI_SERVER_FQDN/to-be-continuous/python/gitlab-ci-python-vault@7.8.2
     inputs:
       vault-base-url: "https://vault.acme.host/v1"
       # audience claim for JWT
@@ -604,13 +604,13 @@ The variant requires the additional configuration parameters:
 
 ```yaml
 include:
-  - component: $CI_SERVER_FQDN/to-be-continuous/python/gitlab-ci-python@7.8.1
+  - component: $CI_SERVER_FQDN/to-be-continuous/python/gitlab-ci-python@7.8.2
     # 2: set/override component inputs
     inputs:
       image: registry.hub.docker.com/library/python:3.12-slim
       pytest-enabled: true
 
-  - component: $CI_SERVER_FQDN/to-be-continuous/python/gitlab-ci-python-gcp@7.8.1
+  - component: $CI_SERVER_FQDN/to-be-continuous/python/gitlab-ci-python-gcp@7.8.2
     inputs:
       # common OIDC config for non-prod envs
       gcp-oidc-provider: "projects/<gcp_nonprod_proj_id>/locations/global/workloadIdentityPools/<pool_id>/providers/<provider_id>"
@@ -670,13 +670,13 @@ then set the required configuration.
 
 ```yaml
 include:
-  - component: $CI_SERVER_FQDN/to-be-continuous/python/gitlab-ci-python@7.8.1
+  - component: $CI_SERVER_FQDN/to-be-continuous/python/gitlab-ci-python@7.8.2
     # 2: set/override component inputs
     inputs:
       image: registry.hub.docker.com/library/python:3.12-slim
       pytest-enabled: true
 
-  - component: $CI_SERVER_FQDN/to-be-continuous/python/gitlab-ci-python-aws-codeartifact@7.8.1
+  - component: $CI_SERVER_FQDN/to-be-continuous/python/gitlab-ci-python-aws-codeartifact@7.8.2
     inputs:
       aws-region: "us-east-1"
       aws-codeartifact-domain: "acme"
diff --git a/templates/gitlab-ci-python-gcp.yml b/templates/gitlab-ci-python-gcp.yml
index 1166426546b0f35991ea4a9ece9bb67c581ad1a6..091c8396fdc599cba9782636a531cc62d62b37f8 100644
--- a/templates/gitlab-ci-python-gcp.yml
+++ b/templates/gitlab-ci-python-gcp.yml
@@ -42,7 +42,7 @@ variables:
   image: $PYTHON_IMAGE
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "python", "7.8.1"]
+      command: ["--service", "python", "7.8.2"]
   id_tokens:
     GCP_JWT:
       aud: "$GCP_OIDC_AUD"
diff --git a/templates/gitlab-ci-python-vault.yml b/templates/gitlab-ci-python-vault.yml
index d5d474132d86c2659896f42f4670f724dcd04333..11549bc583b9c95c34c19305f251007a26e5b7ef 100644
--- a/templates/gitlab-ci-python-vault.yml
+++ b/templates/gitlab-ci-python-vault.yml
@@ -22,7 +22,7 @@ variables:
 .python-base:
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "python", "7.8.1"]
+      command: ["--service", "python", "7.8.2"]
     - name: "$TBC_VAULT_IMAGE"
       alias: "vault-secrets-provider"
   variables:
diff --git a/templates/gitlab-ci-python.yml b/templates/gitlab-ci-python.yml
index 96c2b2a40fe1f7b69fcd146e1abcb61aae4a78cd..257bd3dc6ea881343e690e166eed62cc275908e5 100644
--- a/templates/gitlab-ci-python.yml
+++ b/templates/gitlab-ci-python.yml
@@ -979,7 +979,7 @@ stages:
   image: $PYTHON_IMAGE
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "python", "7.8.1"]
+      command: ["--service", "python", "7.8.2"]
   variables:
     # set local cache dir; most Python tools honour XDG specs
     XDG_CACHE_HOME: "$CI_PROJECT_DIR/.cache"