Conversation
- use env vars instead of file
- use machine identity instead of client id & secret
- add deploy environment to github
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 41c6f7d422
client-secret: ${{ inputs.infisical_client_secret }}
method: "oidc"
identity-id: ${{ inputs.infisical_machine_identity_id }}
project-slug: "infra-deployment-env"
The project slug changed from infra-deployment to infra-deployment-env. If this slug does not exist in Infisical (or the secrets inside use different key names than before), the action will either fail or export empty values. Downstream steps (google-github-actions/auth, terraform init, all make targets) depend on GCP_PROJECT_ID, GH_WORKLOAD_IDENTITY_PROVIDER, TERRAFORM_STATE_BUCKET, and GCP_REGION being set -- none of these produce obvious errors if missing until they silently fail mid-workflow. Please confirm the new slug is correct and all required keys are present.
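A fail-fast check for the risk described in the comment above, as an added example that is not part of this PR or of the Infisical action: a shell step you could run right after the secrets action so the job stops with a clear message when any of the four variables the comment names is unset or empty, instead of a later step failing silently. The variable names are those from the comment; placing this as a `run:` step directly after the Infisical step is an assumption.

```shell
#!/usr/bin/env sh
# Added example (not from the PR): refuse to continue when a required
# deploy variable was not exported, e.g. because the Infisical project
# slug or a key name is wrong. Intended as a `run:` step right after
# the secrets action (assumption about placement).

# Returns 0 when every named variable is set and non-empty, 1 otherwise.
# Prints one ::error:: line per missing variable so the job log shows
# every gap at once rather than only the first one hit downstream.
require_env() {
  missing=0
  for name in "$@"; do
    # Indirect expansion in POSIX sh. eval is acceptable here because
    # $name only ever comes from the literal list passed by the caller.
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "::error::required variable $name is unset or empty (check the Infisical project slug and key names)" >&2
      missing=1
    fi
  done
  return "$missing"
}

# The four variables the review comment lists as silently required by
# google-github-actions/auth, terraform init and the make targets.
check_deploy_env() {
  require_env GCP_PROJECT_ID GH_WORKLOAD_IDENTITY_PROVIDER \
              TERRAFORM_STATE_BUCKET GCP_REGION || return 1
  echo "all required deploy variables are present"
}
```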
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Inconsistent Infisical action versions in same composite action
- Updated the first Infisical secrets action invocation from v1.0.9 to v1.0.15 to match the second invocation and keep behavior consistent.
Preview (bef7de016e)
diff --git a/.github/actions/deploy-setup/action.yml b/.github/actions/deploy-setup/action.yml
--- a/.github/actions/deploy-setup/action.yml
+++ b/.github/actions/deploy-setup/action.yml
@@ -16,7 +16,7 @@
using: "composite"
steps:
- name: Pull infisical secrets into temporary file
- uses: Infisical/secrets-action@v1.0.9
+ uses: Infisical/secrets-action@v1.0.15
with:
method: "oidc"
identity-id: ${{ inputs.infisical_machine_identity_id }}
This Bugbot Autofix run was free. To enable autofix for future PRs, go to the Cursor dashboard.
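Review bot: the bumped line `+ uses: Infisical/secrets-action@v1.0.15` still references a third-party action that handles deployment secrets by a mutable tag; for a step with this much access, pin it to the full commit SHA of the v1.0.15 release and keep the version in a trailing comment, so a moved or re-pushed tag cannot change the code that processes the secrets. While this step is being touched, the context line `- name: Pull infisical secrets into temporary file` no longer matches the PR's stated change to "use env vars instead of file"; rename the step so the workflow log describes what it now does.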
Waiting on some other PRs and tweaks before we can merge this


Note
Medium Risk
Updates deployment workflows’ secret-loading/authentication path (moving from client secret to OIDC machine identity and changing how env vars are injected), which can break deploys if identity/permissions or project slugs are misconfigured.
Overview
Updates the deploy setup action and related workflows to authenticate to Infisical via OIDC machine identity (dropping client ID/secret), load additional secrets directly into the job environment via a separate Infisical project, and associate each deploy job with the selected GitHub environment for environment-scoped vars/secrets.
Written by Cursor Bugbot for commit 780de28.