
Improve infisical workflow#2206

Merged
djeebus merged 6 commits into main from use-infisical-env-vars on Apr 8, 2026

Conversation

djeebus (Contributor) commented Mar 23, 2026

This greatly simplifies the flow for adding secrets to our infra deploys.

  • use env vars instead of file, which removes the need to struggle with multiline encoding, makefile include + env var + .env file, etc.
  • use machine identity instead of client id & secret, which removes our need to protect and rotate secrets.
  • add deploy environment to github, which increases visibility of what was deployed where and when.

Backwards compatible - all infisical secrets in the "infra-deployment" project are still processed in the current way, no changes. Any secrets added to the new "infra-deployment-env" project will be added as environment variables directly, with no processing between it and the processes reading them.


Note

Medium Risk
Updates deployment workflows’ secret-loading/authentication path (moving from client secret to OIDC machine identity and changing how env vars are injected), which can break deploys if identity/permissions or project slugs are misconfigured.

Overview
Updates the deploy setup action and related workflows to authenticate to Infisical via OIDC machine identity (dropping client ID/secret), load additional secrets directly into the job environment via a separate Infisical project, and associate each deploy job with the selected GitHub environment for environment-scoped vars/secrets.

Written by Cursor Bugbot for commit 780de28. This will update automatically on new commits. Configure here.

- use env vars instead of file
- use machine identity instead of client id & secret
- add deploy environment to github
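To make the three bullets above concrete, here is the workflow shape they describe as an added example; it is not the project's own action.yml or deploy workflow. The Infisical/secrets-action input names (`method`, `identity-id`, `project-slug`, `env-slug`, `export-type`, `file-output-path`) are taken from that action's documentation and should be checked against the version you pin; the environment name, the `INFISICAL_MACHINE_IDENTITY_ID` variable, the assumption that the Infisical env slug equals the GitHub environment name, and the `<FULL_COMMIT_SHA>` placeholders are assumptions of this example.

```yaml
# Added illustrative deploy workflow (not the project's own). Assumes:
#  - GitHub environments (e.g. "staging") carrying environment-scoped vars
#  - the two Infisical project slugs named in the PR description
#  - Infisical/secrets-action input names as documented for the action
name: deploy

on:
  workflow_dispatch:
    inputs:
      environment:
        description: "GitHub environment to deploy to"
        required: true
        type: environment

# Least privilege: the default GITHUB_TOKEN gets nothing; the deploy job
# adds back only what it needs.
permissions: {}

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Binding the job to the chosen environment records the deploy on the
    # Environments page and lets environment protection rules and reviewers apply.
    environment: ${{ inputs.environment }}
    permissions:
      contents: read
      id-token: write   # needed so the job can mint the OIDC token Infisical verifies
    env:
      # A machine identity id is not a secret; an environment-scoped variable
      # lets it differ per environment without editing the workflow.
      INFISICAL_IDENTITY_ID: ${{ vars.INFISICAL_MACHINE_IDENTITY_ID }}  # assumed variable name
    steps:
      - uses: actions/checkout@<FULL_COMMIT_SHA>  # placeholder: pin to a commit SHA, not a tag

      # Legacy path kept for backwards compatibility: secrets rendered to a file.
      - name: Pull infra secrets into a .env file
        uses: Infisical/secrets-action@<FULL_COMMIT_SHA>  # placeholder pin; note the version beside it
        with:
          method: "oidc"
          identity-id: ${{ env.INFISICAL_IDENTITY_ID }}
          project-slug: "infra-deployment"
          env-slug: ${{ inputs.environment }}   # assumes Infisical env slug == GitHub environment name
          export-type: "file"
          file-output-path: "/infra.env"

      # New path: secrets from the second project become job env vars directly,
      # so no multiline encoding, makefile include or .env parsing is involved.
      - name: Load deploy secrets as environment variables
        uses: Infisical/secrets-action@<FULL_COMMIT_SHA>
        with:
          method: "oidc"
          identity-id: ${{ env.INFISICAL_IDENTITY_ID }}
          project-slug: "infra-deployment-env"
          env-slug: ${{ inputs.environment }}
          export-type: "env"

      - name: Deploy
        run: |
          # Values loaded above are ordinary environment variables here; they are
          # masked in logs by the action, so avoid echoing them into other files.
          ./deploy.sh
```

The two things to validate per environment before relying on this are the OIDC trust on the Infisical side (the machine identity's allowed subject, audience and issuer claims must match what this repository and environment present) and the identity's read scope on each project slug; a mismatch in either fails the job at the secrets step rather than at deploy time, which is the cheap place to fail.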

chatgpt-codex-connector (bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 41c6f7d422

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@djeebus djeebus marked this pull request as draft March 23, 2026 21:46

cursor (bot) left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.


Bugbot Autofix prepared a fix for the issue found in the latest run.

  • ✅ Fixed: Inconsistent Infisical action versions in same composite action
    • Updated the first Infisical secrets action invocation from v1.0.9 to v1.0.15 to match the second invocation and keep behavior consistent.


Or push these changes by commenting:

@cursor push bef7de016e
Preview (bef7de016e)
diff --git a/.github/actions/deploy-setup/action.yml b/.github/actions/deploy-setup/action.yml
--- a/.github/actions/deploy-setup/action.yml
+++ b/.github/actions/deploy-setup/action.yml
@@ -16,7 +16,7 @@
   using: "composite"
   steps:
     - name: Pull infisical secrets into temporary file
-      uses: Infisical/secrets-action@v1.0.9
+      uses: Infisical/secrets-action@v1.0.15
       with:
         method: "oidc"
         identity-id: ${{ inputs.infisical_machine_identity_id }}
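Review bot: the fix still pins `Infisical/secrets-action` to the mutable tag `v1.0.15`; since this is the step that presents the OIDC token and receives the secrets, pin both invocations in this composite action to a full-length commit SHA with the version noted beside it, e.g. `uses: Infisical/secrets-action@<full-commit-sha> # v1.0.15`, so a moved or re-published tag cannot change what runs with access to those secrets. Keeping the two invocations identical, which is the point of this fix, is also easier to enforce with one pinned ref that Dependabot or Renovate bumps together.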

This Bugbot Autofix run was free. To enable autofix for future PRs, go to the Cursor dashboard.

@ValentaTomas ValentaTomas removed their request for review March 25, 2026 16:24
djeebus (Contributor, Author) commented Apr 1, 2026

Waiting on some other PRs and tweaks before we can merge this

@djeebus djeebus marked this pull request as ready for review April 2, 2026 23:07
cursor (bot) commented Apr 2, 2026

PR Summary

Medium Risk
Updates deployment secret sourcing and job environments in GitHub Actions; misconfiguration could break deploys or change which secrets are injected at runtime. Security posture improves by removing long-lived Infisical client credentials, but rollout needs validation per environment.

Overview
Simplifies deploy workflows by switching Infisical secret access from client ID/secret to OIDC machine identity, continuing to generate the existing .env file for core infra settings while additionally injecting secrets from a new Infisical project directly as environment variables. Also attaches the selected environment to deploy-related GitHub Actions jobs to improve deployment visibility and environment-scoped controls.

Reviewed by Cursor Bugbot for commit b837ce6. Bugbot is set up for automated code reviews on this repo. Configure here.

@djeebus djeebus merged commit 1688cc9 into main Apr 8, 2026
36 checks passed
@djeebus djeebus deleted the use-infisical-env-vars branch April 8, 2026 23:06