Deploy on push to main via GitHub OIDC instead of VOID_TOKEN #55
Bump void to 0.10.2, whose `void deploy` auto-exchanges a GitHub OIDC token for a short-lived project-scoped deploy token when the workflow grants id-token: write, so the push-to-main deploys no longer need the long-lived VOID_TOKEN secret. The Void platform only honors the exchange from a workflow file named exactly .github/workflows/void-deploy.yml, so deploy.yml is renamed. The PR staging deploy (staging.yml) keeps VOID_TOKEN: the platform rejects the OIDC exchange for pull_request events since they run untrusted code. Do not merge before both projects are connected with `void github connect <project> --repo voidzero-dev/pkg-pr-registry-bridge --branch main --executor github_actions`, otherwise push-to-main deploys fail the exchange with a 401.
Bumps void to 0.10.2 and switches the push-to-main deploy workflow to the new GitHub OIDC flow:

- `void deploy` exchanges a short-lived OIDC token for a project-scoped deploy token, so the workflow no longer reads the long-lived `VOID_TOKEN` secret.
- `deploy.yml` renamed to `void-deploy.yml` (the platform only honors the OIDC exchange from that exact workflow path) with `permissions: id-token: write`.
- `staging.yml` (PR deploys) keeps `VOID_TOKEN`: the platform rejects the OIDC exchange for pull_request events, since PR runs execute untrusted code.

`void deploy` 0.10.2 against the staging project through the existing token path.

Do not merge yet: both projects must first be connected with `void github connect <project> --repo voidzero-dev/pkg-pr-registry-bridge --branch main --executor github_actions`, otherwise every push-to-main deploy fails the OIDC exchange with a 401. Connecting is currently blocked on a `github_identity_conflict` (the fengmk2 GitHub identity is linked to another Void account).
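The restrictions described in this PR (connected repo and branch, exact workflow path, no pull_request events) map onto claims that GitHub places in its Actions OIDC token. The following is an added example, not code from this PR or from the Void platform: it sketches how a relying party could enforce them, assuming the token signature has already been verified. The function name and sample claims are constructed for illustration.

```python
# Added example: relying-party checks on GitHub Actions OIDC claims.
# Assumption: the JWT signature was already verified against GitHub's JWKS.
# This is not the Void platform's implementation.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
REQUIRED_WORKFLOW = ".github/workflows/void-deploy.yml"  # path named in this PR


def exchange_rejections(claims, repo, branch):
    """Return the reasons an exchange would be refused (empty list = allow)."""
    reasons = []
    if claims.get("iss") != GITHUB_ISSUER:
        reasons.append("unexpected issuer")
    if claims.get("repository") != repo:
        reasons.append("repository not connected")
    # pull_request runs execute untrusted code, so only push is accepted here
    if claims.get("event_name") != "push":
        reasons.append("event %r not allowed" % claims.get("event_name"))
    if claims.get("ref") != "refs/heads/" + branch:
        reasons.append("ref is not the connected branch")
    # workflow_ref has the form <owner>/<repo>/<path>@<ref>
    expected = "%s/%s@refs/heads/%s" % (repo, REQUIRED_WORKFLOW, branch)
    if claims.get("workflow_ref") != expected:
        reasons.append("workflow file is not " + REQUIRED_WORKFLOW)
    return reasons


# Constructed sample claims (not captured from a real run).
REPO = "voidzero-dev/pkg-pr-registry-bridge"
PUSH_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "repository": REPO,
    "event_name": "push",
    "ref": "refs/heads/main",
    "workflow_ref": REPO + "/.github/workflows/void-deploy.yml@refs/heads/main",
}
# Same push, but from the pre-rename workflow file.
OLD_NAME_CLAIMS = dict(
    PUSH_CLAIMS,
    workflow_ref=REPO + "/.github/workflows/deploy.yml@refs/heads/main",
)
# A pull_request run of the staging workflow.
PR_CLAIMS = dict(
    PUSH_CLAIMS,
    event_name="pull_request",
    ref="refs/pull/7/merge",
    workflow_ref=REPO + "/.github/workflows/staging.yml@refs/pull/7/merge",
)
```
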