Deploy on push to main via GitHub OIDC instead of VOID_TOKEN#55
Conversation
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
|
Warning Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
|
Bump void to 0.10.5, whose `void deploy` auto-exchanges a GitHub OIDC token for a short-lived project-scoped deploy token when the workflow grants id-token: write, so the push-to-main deploys no longer need the long-lived VOID_TOKEN secret. The Void platform only honors the exchange from a workflow file named exactly .github/workflows/void-deploy.yml (the default; configurable per connection since platform #212), so deploy.yml is renamed. The PR staging deploy (staging.yml) keeps VOID_TOKEN: the platform rejects the OIDC exchange for pull_request events since they run untrusted code. Do not merge before both projects are connected with `void github connect <project> --repo voidzero-dev/pkg-pr-registry-bridge --branch main --executor github_actions`, otherwise push-to-main deploys fail the exchange with a 401.
bc9d194 to
7716a57
Compare
Bumps void to 0.10.5 and switches the push-to-main deploy workflow to the new GitHub OIDC flow:
void deployexchanges a short-lived OIDC token for a project-scoped deploy token, so the workflow no longer reads the long-livedVOID_TOKENsecret.deploy.ymlrenamed tovoid-deploy.yml(the connection's authorized deploy workflow path) withpermissions: id-token: write.staging.yml(PR deploys) keepsVOID_TOKEN: the platform rejects the OIDC exchange for pull_request events, since PR runs execute untrusted code.Both projects are connected via the org-shared installation (
void github join+void github connect, executorgithub_actions, branchmain, workflowvoid-deploy.yml), so this is safe to merge; the first push to main will do the OIDC-authenticated staging -> smoke -> prod -> smoke run.