fullsend mint
Deploy and manage the OIDC token mint service. The mint is a GCP Cloud Function that exchanges GitHub Actions OIDC tokens for short-lived GitHub App installation tokens, enabling agents to authenticate without long-lived credentials.
Commands
| Command | Description |
|---|---|
| fullsend mint deploy | Deploy or update the mint Cloud Function |
| fullsend mint add-role <role> | Register a role PEM and app ID on the mint |
| fullsend mint remove-role <role> | Remove a role from the mint |
| fullsend mint enroll <org\|owner/repo> | Register an org or repo in the mint |
| fullsend mint unenroll <org\|owner/repo> | Remove an org or repo from the mint |
| fullsend mint status [org] | Inspect mint state and PEM health |
| fullsend mint token | Mint a short-lived token via OIDC (for testing) |
mint deploy
Deploys or updates the token mint Cloud Function, creating the service account, WIF pool, and Secret Manager secrets as needed.
fullsend mint deploy \
--project "<GCP_PROJECT>" \
--region "us-central1"

The CLI detects when the deployed function source is already up to date (same source hash) and skips code redeployment, updating only the WIF infrastructure and org registration.
Flags
| Flag | Default | Description |
|---|---|---|
| --project | | GCP project ID |
| --region | us-central1 | Cloud region for the function |
| --pem-dir | | Directory containing role PEM files (first-time bootstrap) |
Required IAM roles
| Role | Description |
|---|---|
| roles/iam.serviceAccountAdmin | Create fullsend-mint service account |
| roles/iam.workloadIdentityPoolAdmin | Create WIF pool and provider |
| roles/cloudfunctions.developer | Deploy the Cloud Function |
| roles/run.admin | Set Cloud Run IAM policy |
| roles/secretmanager.admin | Create secrets (only with --pem-dir) |
| roles/resourcemanager.projectIamAdmin | Set project IAM policy (only with --pem-dir) |
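A preflight check for the roles in the table above and the APIs listed under Required GCP APIs, to run before `fullsend mint deploy`. This is an added example, not part of the fullsend CLI; the helper names `missing_from` and `preflight` are hypothetical, and the member argument is assumed to be in IAM form such as `user:alice@example.com`.

```shell
#!/usr/bin/env bash
# Preflight for `fullsend mint deploy` (added example, not fullsend code).
# Reports required APIs that are not enabled and required roles that have
# no direct project-level binding for the deploying identity.

REQUIRED_APIS="iam.googleapis.com cloudresourcemanager.googleapis.com cloudfunctions.googleapis.com run.googleapis.com secretmanager.googleapis.com iamcredentials.googleapis.com"
BASE_ROLES="roles/iam.serviceAccountAdmin roles/iam.workloadIdentityPoolAdmin roles/cloudfunctions.developer roles/run.admin"
PEM_DIR_ROLES="roles/secretmanager.admin roles/resourcemanager.projectIamAdmin"

# missing_from "<required names, space-separated>"
# Reads the names actually present on stdin (one per line) and prints each
# required name that is absent. Matching is exact and whole-line, so
# iam.googleapis.com does not satisfy iamcredentials.googleapis.com.
missing_from() {
  local present item
  present="$(cat)"
  for item in $1; do
    printf '%s\n' "$present" | grep -Fxq -- "$item" || printf '%s\n' "$item"
  done
}

# preflight PROJECT MEMBER [with-pem-dir]
# Queries gcloud for enabled services and the member's project-level roles.
preflight() {
  local project member roles
  project="$1"; member="$2"; roles="$BASE_ROLES"
  if [ "${3:-}" = "with-pem-dir" ]; then
    roles="$roles $PEM_DIR_ROLES"
  fi
  gcloud services list --enabled --project="$project" \
      --format="value(config.name)" |
    missing_from "$REQUIRED_APIS" | sed 's/^/API not enabled: /'
  gcloud projects get-iam-policy "$project" \
      --flatten="bindings[].members" \
      --filter="bindings.members:$member" \
      --format="value(bindings.role)" |
    missing_from "$roles" | sed 's/^/role not bound directly: /'
}

# Run only when called with arguments, e.g.:
#   ./preflight.sh my-project user:alice@example.com with-pem-dir
if [ "$#" -ge 2 ]; then
  preflight "$@"
fi
```

A role reported as missing may still be effective through a group membership, an inherited folder or organization binding, or a broader role; the check only sees direct project-level bindings.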
Required GCP APIs
gcloud services enable \
iam.googleapis.com \
cloudresourcemanager.googleapis.com \
cloudfunctions.googleapis.com \
run.googleapis.com \
secretmanager.googleapis.com \
iamcredentials.googleapis.com \
--project="$GCP_PROJECT"

mint add-role
Registers a GitHub App role on the mint by uploading its PEM key and recording the app ID.
fullsend mint add-role <role> \
--project "<GCP_PROJECT>" \
--region "us-central1" \
--pem "<path-to-pem>" \
--app-id "<github-app-id>"

Pass --use-existing-pem-secret to reference a PEM secret that already exists in Secret Manager (only requires roles/secretmanager.viewer).
mint remove-role
Removes a role from the mint. Deletes the PEM secret by default.
fullsend mint remove-role <role> \
--project "<GCP_PROJECT>" \
--region "us-central1"

Pass --keep-pem to preserve the PEM secret in Secret Manager.
mint enroll
Registers a GitHub organization or repository in the mint's allowed list, enabling it to request tokens.
fullsend mint enroll <org> \
--project "<GCP_PROJECT>" \
--region "us-central1"

Per-repo mode:
fullsend mint enroll <owner/repo> \
--project "<GCP_PROJECT>" \
--region "us-central1"

mint unenroll
Removes an organization or repository from the mint's allowed list.
fullsend mint unenroll <org|owner/repo> \
--project "<GCP_PROJECT>" \
--region "us-central1"

mint status
Inspects the mint's current state: deployed function, registered roles, enrolled orgs, and PEM health.
fullsend mint status \
--project "<GCP_PROJECT>" \
--region "us-central1"

Optionally filter to a specific org:
fullsend mint status <org> \
--project "<GCP_PROJECT>" \
--region "us-central1"

Read-only — makes no changes.
mint token
Mints a short-lived GitHub App installation token via OIDC exchange. Primarily used for testing.
fullsend mint token \
--role <name> \
--repos <repo1,repo2> \
--mint-url <url>

| Flag | Default | Description |
|---|---|---|
| --role | | Agent role (triage, coder, review, etc.) |
| --repos | | Comma-separated repository names |
| --mint-url | $FULLSEND_MINT_URL | Mint service URL |
| --audience | fullsend-mint | OIDC audience |
See also
- Mint service administration — deployment and management guide
- Infrastructure reference — architecture details
- Installation guide — all-in-one admin install
- CLI internals — command tree and implementation details
