Skip to content

feat: per-callback OIDC permissions (id-token: write) #15

Description

@joshua-temple

Problem

Cloud deployments commonly use OIDC for short-lived credentials (GKE Workload Identity, AWS OIDC, Azure federated credentials). This requires permissions: id-token: write on the job or workflow. Generated workflows set permissions: contents: write, actions: write globally — neither includes id-token: write. Users can't use OIDC from generated deploy jobs without adding it manually (which breaks on regen).

Proposed config

ci:
  config:
    deploys:
      - name: infra
        workflow: .github/workflows/deploy-infra.yaml
        permissions:
          id-token: write
          contents: read

The generator would merge the per-callback permissions into the finalize job (where deploy jobs run) or emit a dedicated job with the required permissions.

Impact

High for cloud-native teams. OIDC is now the recommended auth pattern for AWS/GCP/Azure deploys.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions