Skip to content

chore: update void to 0.10.8 and switch main deploy to OIDC#39

Merged
fengmk2 merged 1 commit into
mainfrom
chore/void-oidc-deploy
Jul 8, 2026
Merged

chore: update void to 0.10.8 and switch main deploy to OIDC#39
fengmk2 merged 1 commit into
mainfrom
chore/void-oidc-deploy

Conversation

@fengmk2

@fengmk2 fengmk2 commented Jul 8, 2026

Copy link
Copy Markdown
Member

What

  • Bump void 0.9.3 to 0.10.8 (catalog + lockfile).
  • Switch the production deploy (push to main) from a stored VOID_TOKEN secret to GitHub OIDC.

Details

Connected voidzero-dev/setup.viteplus.dev (main) to Void project vp-setup with the github_actions build executor via void github connect. The authorized deploy workflow is .github/workflows/void-deploy.yml.

The new workflow uses permissions: id-token: write, so void deploy mints a short-lived GitHub OIDC token and exchanges it for a project-scoped deploy token at deploy time. There is no long-lived VOID_TOKEN to store or rotate. It follows this repo's toolchain (taiki-e/checkout-action + voidzero-dev/setup-vp + vpx void deploy).

The old token-based deploy.yml is removed so main does not double-deploy.

Notes

  • ci.yml's separate staging deploy (vp-setup-staging, on PRs) still uses VOID_TOKEN and is left unchanged.
  • vp check and vp build pass on the new version.

- Bump void 0.9.3 to 0.10.8
- Connect repo to Void project vp-setup via the github_actions executor (OIDC)
- Add .github/workflows/void-deploy.yml using GitHub OIDC, no VOID_TOKEN secret
- Remove the old token-based deploy.yml so main does not double-deploy
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedvoid@​0.10.8631009897100

View full report

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm better-sqlite3 is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yamlnpm/void@0.10.8npm/better-sqlite3@12.11.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/better-sqlite3@12.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

✅ Staging deployment successful!

Preview: https://vp-setup-staging.void.app/
Commit: 0ee7dd4

@fengmk2 fengmk2 merged commit e0071d2 into main Jul 8, 2026
5 of 6 checks passed
@fengmk2 fengmk2 deleted the chore/void-oidc-deploy branch July 8, 2026 08:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant