
fullsend mint

Deploy and manage the OIDC token mint service. The mint is a GCP Cloud Function that exchanges GitHub Actions OIDC tokens for short-lived GitHub App installation tokens, enabling agents to authenticate without long-lived credentials.

Commands

| Command | Description |
| --- | --- |
| `fullsend mint deploy` | Deploy or update the mint Cloud Function |
| `fullsend mint add-role <role>` | Register a role PEM and app ID on the mint |
| `fullsend mint remove-role <role>` | Remove a role from the mint |
| `fullsend mint enroll <org|owner/repo>` | Register an org or repo in the mint |
| `fullsend mint unenroll <org|owner/repo>` | Remove an org or repo from the mint |
| `fullsend mint status [org]` | Inspect mint state and PEM health |
| `fullsend mint token` | Mint a short-lived token via OIDC (for testing) |

mint deploy

Deploys or updates the token mint Cloud Function, creating the service account, WIF pool, and Secret Manager secrets as needed.

```bash
fullsend mint deploy \
  --project "<GCP_PROJECT>" \
  --region "us-central1"
```

The CLI automatically detects when the deployed function source is up-to-date (same source hash) and skips code redeployment, only updating WIF infrastructure and org registration.

Flags

| Flag | Default | Description |
| --- | --- | --- |
| `--project` | | GCP project ID |
| `--region` | `us-central1` | Cloud region for the function |
| `--pem-dir` | | Directory containing role PEM files (first-time bootstrap) |

Required IAM roles

| Role | Description |
| --- | --- |
| `roles/iam.serviceAccountAdmin` | Create fullsend-mint service account |
| `roles/iam.workloadIdentityPoolAdmin` | Create WIF pool and provider |
| `roles/cloudfunctions.developer` | Deploy the Cloud Function |
| `roles/run.admin` | Set Cloud Run IAM policy |
| `roles/secretmanager.admin` | Create secrets (only with `--pem-dir`) |
| `roles/resourcemanager.projectIamAdmin` | Set project IAM policy (only with `--pem-dir`) |

Required GCP APIs

```bash
gcloud services enable \
  iam.googleapis.com \
  cloudresourcemanager.googleapis.com \
  cloudfunctions.googleapis.com \
  run.googleapis.com \
  secretmanager.googleapis.com \
  iamcredentials.googleapis.com \
  --project="$GCP_PROJECT"
```

mint add-role

Registers a GitHub App role on the mint by uploading its PEM key and recording the app ID.

```bash
fullsend mint add-role <role> \
  --project "<GCP_PROJECT>" \
  --region "us-central1" \
  --pem "<path-to-pem>" \
  --app-id "<github-app-id>"
```

Pass `--use-existing-pem-secret` to reference a PEM secret that already exists in Secret Manager; this path only requires `roles/secretmanager.viewer`, since no secret is created.

mint remove-role

Removes a role from the mint. Deletes the PEM secret by default.

```bash
fullsend mint remove-role <role> \
  --project "<GCP_PROJECT>" \
  --region "us-central1"
```

Pass `--keep-pem` to preserve the PEM secret in Secret Manager.

mint enroll

Registers a GitHub organization or repository in the mint's allowed list, enabling it to request tokens.

```bash
fullsend mint enroll <org> \
  --project "<GCP_PROJECT>" \
  --region "us-central1"
```

Per-repo mode:

```bash
fullsend mint enroll <owner/repo> \
  --project "<GCP_PROJECT>" \
  --region "us-central1"
```

mint unenroll

Removes an organization or repository from the mint's allowed list.

```bash
fullsend mint unenroll <org|owner/repo> \
  --project "<GCP_PROJECT>" \
  --region "us-central1"
```

mint status

Inspects the mint's current state: deployed function, registered roles, enrolled orgs, and PEM health.

```bash
fullsend mint status \
  --project "<GCP_PROJECT>" \
  --region "us-central1"
```

Optionally filter to a specific org:

```bash
fullsend mint status <org> \
  --project "<GCP_PROJECT>" \
  --region "us-central1"
```

Read-only — makes no changes.

mint token

Mints a short-lived GitHub App installation token via OIDC exchange. Primarily used for testing.

```bash
fullsend mint token \
  --role <name> \
  --repos <repo1,repo2> \
  --mint-url <url>
```

| Flag | Default | Description |
| --- | --- | --- |
| `--role` | | Agent role (triage, coder, review, etc.) |
| `--repos` | | Comma-separated repository names |
| `--mint-url` | `$FULLSEND_MINT_URL` | Mint service URL |
| `--audience` | `fullsend-mint` | OIDC audience |
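The checks below illustrate the authorization decision the enroll/unenroll allow-list and the `--audience` flag imply for an exchange like the one above. This is an added example, not the mint's own code: the claim names are the standard GitHub Actions OIDC claims, the sample claims are constructed, and the assumption that the mint also refuses `--repos` entries outside the caller's own owner is the author's, not documented on this page.

```python
import time
from typing import Iterable, List, Mapping

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Constructed sample of the claims carried by a GitHub Actions OIDC token.
# A real mint must first verify the JWT signature against GitHub's JWKS;
# only after that are these claims trustworthy.
SAMPLE_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "aud": "fullsend-mint",
    "repository": "example-org/example-repo",
    "repository_owner": "example-org",
    "exp": int(time.time()) + 300,
}


def is_enrolled(repository: str, enrolled: Iterable[str]) -> bool:
    """True if `repository` (owner/repo) matches an enrolled org or owner/repo entry."""
    owner = repository.split("/", 1)[0]
    return any(e == repository or ("/" not in e and e == owner) for e in enrolled)


def authorize(claims: Mapping, enrolled: Iterable[str], requested_repos: Iterable[str],
              audience: str = "fullsend-mint", now: float = None) -> List[str]:
    """Return the repo names an installation token may be scoped to, or raise."""
    now = time.time() if now is None else now
    if claims.get("iss") != GITHUB_ISSUER:
        raise PermissionError("unexpected issuer")
    if claims.get("aud") != audience:          # token minted for another service
        raise PermissionError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    repository = claims.get("repository", "")
    if not is_enrolled(repository, enrolled):  # the enroll/unenroll allow-list
        raise PermissionError(f"{repository} is not enrolled")
    owner = repository.split("/", 1)[0]
    scoped = []
    for r in requested_repos:
        full = r if "/" in r else f"{owner}/{r}"
        if full.split("/", 1)[0] != owner:     # assumed: no cross-owner scoping
            raise PermissionError(f"{full} is outside the caller's owner")
        scoped.append(full.split("/", 1)[1])
    return scoped
```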
