
fullsend mint

Deploy and manage the OIDC token mint service. The mint is a GCP Cloud Function that exchanges GitHub Actions OIDC tokens for short-lived GitHub App installation tokens, enabling agents to authenticate without long-lived credentials.

Commands

Command                                    Description
fullsend mint deploy                       Deploy or update the mint Cloud Function
fullsend mint add-role <role>              Register a role PEM and app ID on the mint
fullsend mint remove-role <role>           Remove a role from the mint
fullsend mint enroll <org|owner/repo>      Register an org or repo in the mint
fullsend mint unenroll <org|owner/repo>    Remove an org or repo from the mint
fullsend mint status [org]                 Inspect mint state and PEM health
fullsend mint token                        Mint a short-lived token via OIDC (for testing)

mint deploy

Deploys or updates the token mint Cloud Function, creating the service account, WIF pool, and Secret Manager secrets as needed.

fullsend mint deploy \
--project "<GCP_PROJECT>" \
--region "us-central1"

The CLI automatically detects when the deployed function source is up-to-date (same source hash) and skips code redeployment, only updating WIF infrastructure and org registration.

Flags

Flag         Default        Description
--project    -              GCP project ID
--region     us-central1    Cloud region for the function
--pem-dir    -              Directory containing role PEM files (first-time bootstrap)

Required IAM roles

Role                                        Description
roles/iam.serviceAccountAdmin               Create fullsend-mint service account
roles/iam.workloadIdentityPoolAdmin         Create WIF pool and provider
roles/cloudfunctions.developer              Deploy the Cloud Function
roles/run.admin                             Set Cloud Run IAM policy
roles/secretmanager.admin                   Create secrets (only with --pem-dir)
roles/resourcemanager.projectIamAdmin       Set project IAM policy (only with --pem-dir)

Required GCP APIs

gcloud services enable \
iam.googleapis.com \
cloudresourcemanager.googleapis.com \
cloudfunctions.googleapis.com \
run.googleapis.com \
secretmanager.googleapis.com \
iamcredentials.googleapis.com \
--project="$GCP_PROJECT"

mint add-role

Registers a GitHub App role on the mint by uploading its PEM key and recording the app ID.

fullsend mint add-role <role> \
--project "<GCP_PROJECT>" \
--region "us-central1" \
--pem "<path-to-pem>" \
--app-id "<github-app-id>"

Pass --use-existing-pem-secret to reference a PEM secret that already exists in Secret Manager (only requires roles/secretmanager.viewer).

mint remove-role

Removes a role from the mint. Deletes the PEM secret by default.

fullsend mint remove-role <role> \
--project "<GCP_PROJECT>" \
--region "us-central1"

Pass --keep-pem to preserve the PEM secret in Secret Manager.

mint enroll

Registers a GitHub organization or repository in the mint's allowed list, enabling it to request tokens.

fullsend mint enroll <org> \
--project "<GCP_PROJECT>" \
--region "us-central1"

Per-repo mode:

fullsend mint enroll <owner/repo> \
--project "<GCP_PROJECT>" \
--region "us-central1"

mint unenroll

Removes an organization or repository from the mint's allowed list.

fullsend mint unenroll <org|owner/repo> \
--project "<GCP_PROJECT>" \
--region "us-central1"

mint status

Inspects the mint's current state: deployed function, registered roles, enrolled orgs, and PEM health.

fullsend mint status \
--project "<GCP_PROJECT>" \
--region "us-central1"

Optionally filter to a specific org:

fullsend mint status <org> \
--project "<GCP_PROJECT>" \
--region "us-central1"

Read-only — makes no changes.

mint token

Mints a short-lived GitHub App installation token via OIDC exchange. Primarily used for testing.

fullsend mint token \
--role <name> \
--repos <repo1,repo2> \
--mint-url <url>

Flags

Flag           Default               Description
--role         -                     Agent role (triage, coder, review, etc.)
--repos        -                     Comma-separated repository names
--mint-url     $FULLSEND_MINT_URL    Mint service URL
--audience     fullsend-mint         OIDC audience
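What the mint has to decide on every token request, as an added illustration rather than fullsend's own code: the issuer and audience checks, token expiry, and the allow-list that mint enroll and mint unenroll maintain (org-wide or per owner/repo). The MintPolicy structure, the function names and the constructed claim payloads are assumptions made here; the claim names (iss, aud, exp, repository, repository_owner) are the ones GitHub Actions places in its OIDC tokens, and signature verification against GitHub's JWKS is assumed to have been done by a JWT library before this function is called.

```python
"""Authorization decision a token mint makes before exchanging a GitHub Actions
OIDC token for an installation token.  Added illustration, not fullsend code."""
import time
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# GitHub's public OIDC issuer for Actions workflow tokens.
GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"
# Matches the documented default of the --audience flag.
DEFAULT_AUDIENCE = "fullsend-mint"


@dataclass
class MintPolicy:
    """Assumed shape of the allow-list kept by `mint enroll` / `mint unenroll`:
    whole orgs and individual owner/repo entries.  Names are compared
    case-insensitively because GitHub treats them that way."""
    enrolled_orgs: Set[str] = field(default_factory=set)
    enrolled_repos: Set[str] = field(default_factory=set)
    audience: str = DEFAULT_AUDIENCE


def authorize_claims(claims: dict, policy: MintPolicy,
                     now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether the caller may mint.  `claims` is the payload of an OIDC
    token whose signature has ALREADY been verified against GitHub's JWKS
    (assumed to be done by a JWT library before this point).
    Returns (allowed, reason); the reason is meant for the mint's audit log."""
    now = time.time() if now is None else now

    # 1. Only tokens issued by GitHub Actions are acceptable.
    if claims.get("iss") != GITHUB_OIDC_ISSUER:
        return False, "issuer mismatch"

    # 2. The token must have been requested for this mint, not for some other
    #    relying party (aud may be a string or a list per RFC 7519).
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if policy.audience not in audiences:
        return False, "audience mismatch"

    # 3. Reject expired tokens; Actions tokens are short-lived by design.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or missing exp"

    # 4. The `repository` claim ("owner/name") identifies the calling workflow;
    #    it must agree with `repository_owner` when that claim is present.
    repo = claims.get("repository")
    if not isinstance(repo, str) or repo.count("/") != 1:
        return False, "missing or malformed repository claim"
    owner, _name = repo.split("/", 1)
    if owner.lower() != str(claims.get("repository_owner", owner)).lower():
        return False, "repository_owner does not match repository"

    # 5. Allow-list: a per-repo enrollment or an org-wide enrollment suffices.
    if repo.lower() in {r.lower() for r in policy.enrolled_repos}:
        return True, f"repo {repo} is enrolled"
    if owner.lower() in {o.lower() for o in policy.enrolled_orgs}:
        return True, f"org {owner} is enrolled"
    return False, f"{repo} is not enrolled"


def demo() -> dict:
    """Run constructed claim sets against a sample policy; returns decisions."""
    policy = MintPolicy(enrolled_orgs={"acme"}, enrolled_repos={"other/tool"})
    fixed_now = 1_700_000_000  # constructed clock value
    good = {  # constructed claims, shaped like a GitHub Actions OIDC payload
        "iss": GITHUB_OIDC_ISSUER,
        "aud": DEFAULT_AUDIENCE,
        "exp": fixed_now + 300,
        "repository": "acme/agent",
        "repository_owner": "acme",
    }
    cases = {
        "org enrolled": good,
        "repo enrolled, different case": {**good, "repository": "Other/Tool",
                                          "repository_owner": "Other"},
        "not enrolled": {**good, "repository": "someone/else",
                         "repository_owner": "someone"},
        "wrong audience": {**good, "aud": "some-other-service"},
        "wrong issuer": {**good, "iss": "https://issuer.example"},
        "expired": {**good, "exp": fixed_now - 1},
        "owner mismatch": {**good, "repository_owner": "mallory"},
    }
    return {name: authorize_claims(c, policy, now=fixed_now)[0]
            for name, c in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}")
```

The order of the checks matters for the audit trail more than for security: issuer and audience failures are logged as such before the allow-list is consulted, so a token minted for a different relying party shows up as an audience mismatch rather than an "unenrolled repository" denial.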
