Problem
Cloud deployments commonly use OIDC for short-lived credentials (GKE Workload Identity, AWS OIDC, Azure federated credentials). This requires permissions: id-token: write on the job or workflow. Generated workflows set permissions: contents: write, actions: write globally — neither includes id-token: write. Users can't use OIDC from generated deploy jobs without adding it manually (which breaks on regen).
Proposed config
ci:
config:
deploys:
- name: infra
workflow: .github/workflows/deploy-infra.yaml
permissions:
id-token: write
contents: read
The generator would merge the per-callback permissions into the finalize job (where deploy jobs run) or emit a dedicated job with the required permissions.
Impact
High for cloud-native teams. OIDC is now the recommended auth pattern for AWS/GCP/Azure deploys.
Problem
Cloud deployments commonly use OIDC for short-lived credentials (GKE Workload Identity, AWS OIDC, Azure federated credentials). This requires
permissions: id-token: writeon the job or workflow. Generated workflows setpermissions: contents: write, actions: writeglobally — neither includesid-token: write. Users can't use OIDC from generated deploy jobs without adding it manually (which breaks on regen).Proposed config
The generator would merge the per-callback permissions into the finalize job (where deploy jobs run) or emit a dedicated job with the required permissions.
Impact
High for cloud-native teams. OIDC is now the recommended auth pattern for AWS/GCP/Azure deploys.