Demos: keyless OIDC CI/CD for on-platform example apps #428
Open
MajorTal wants to merge 2 commits into
Adds demos/ — example run402 apps that auto-deploy to their own run402 projects on push to main via keyless GitHub OIDC (no run402 credential in CI; each push exchanges the OIDC token for a short-lived run402 CI session). demos/_deploy/ is the shared toolkit (registry, change-detection, the /content+/apply engine, the dispatcher, the OIDC exchange, a registry gate); .github/workflows/deploy-demos.yml is the change-detected matrix workflow (environment: demos). test-video + passkeys are provisioned + live (test-vid.run402.com, passkeys.run402.com), reusing system projects + bindings scoped to repo:kychee-com/run402:environment:demos. cosmicforge/evilme/social-todo are source-only pending onboarding (functions/DB/secrets); mpp-test is a local server, not deployable. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
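The binding scope named in the commit message above (`repo:kychee-com/run402:environment:demos`) only protects the exchange if the verifier compares the whole subject, not just the repository part. The following is an added example, not code from this PR or from run402: the binding record, the audience value and the function names are assumptions, and the claims are constructed samples assumed to come from tokens whose signatures were already verified.

```javascript
// Added example, not run402's implementation. `claims` is assumed to be the payload of a
// GitHub Actions OIDC token whose signature was already verified against the issuer's JWKS.
const GITHUB_ISSUER = 'https://token.actions.githubusercontent.com';
// Hypothetical binding record; only the subject string comes from the PR text.
const BINDING = {
  issuer: GITHUB_ISSUER,
  subject: 'repo:kychee-com/run402:environment:demos',
  audience: 'https://ci.run402.example', // placeholder audience, an assumption
};

// Weak check: pins only the repository prefix, so other workflow contexts pass too.
function weakMatch(claims, binding) {
  const repoPrefix = binding.subject.split(':').slice(0, 2).join(':');
  return typeof claims.sub === 'string' && claims.sub.startsWith(repoPrefix);
}

// Strict check: exact issuer, exact subject, audience membership, live time window.
function strictMatch(claims, binding, nowSec) {
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (claims.iss !== binding.issuer) return { ok: false, reason: 'issuer' };
  if (claims.sub !== binding.subject) return { ok: false, reason: 'subject' };
  if (!aud.includes(binding.audience)) return { ok: false, reason: 'audience' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return { ok: false, reason: 'expired' };
  if (typeof claims.nbf === 'number' && claims.nbf > nowSec) return { ok: false, reason: 'not-yet-valid' };
  return { ok: true, reason: null };
}

// Constructed sample claims (not captured tokens).
const NOW = 1800000000;
const base = { iss: GITHUB_ISSUER, aud: BINDING.audience, exp: NOW + 300, nbf: NOW - 5 };
const SAMPLES = {
  envDeploy: { ...base, sub: 'repo:kychee-com/run402:environment:demos' },
  pullRequest: { ...base, sub: 'repo:kychee-com/run402:pull_request' },
  branchPush: { ...base, sub: 'repo:kychee-com/run402:ref:refs/heads/main' },
  lookalikeRepo: { ...base, sub: 'repo:kychee-com/run402-fork:environment:demos' },
  wrongAudience: { ...base, aud: 'https://other.example', sub: BINDING.subject },
  stale: { ...base, exp: NOW - 1, sub: BINDING.subject },
};

// Run both checks over every sample so the difference is visible side by side.
function evaluateAll() {
  const out = {};
  for (const [name, claims] of Object.entries(SAMPLES)) {
    const strict = strictMatch(claims, BINDING, NOW);
    out[name] = { weak: weakMatch(claims, BINDING), strict: strict.ok ? 'ok' : strict.reason };
  }
  return out;
}
console.log(evaluateAll());
```

Only the `envDeploy` sample passes the strict check; the prefix check accepts all six.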
Both assigned a static, author-controlled data-* attribute into innerHTML. data-text (showScene): the innerHTML pre-seed was dead code — initTypewriters already rebuilds the .visible/.hidden spans via createElement + textContent; removed it. data-code (initCodeLines): values are entity-encoded text, not markup — decode the few entities used and assign via textContent. No behavioral change; no remaining DOM-text→HTML flow. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
MajorTal added a commit that referenced this pull request Jun 17, 2026
…ept keys
The gateway deleted POST /projects/v1/admin/:id/functions (live on main), so
r.functions.deploy() 404s in prod. Re-point it onto the unified apply engine
(a one-function functions.patch.set ReleaseSpec) — the same path the rest of
the SDK uses. Auth shifts from the service-key bearer to the standard apply
credential (SIWX wallet, or the v3.1.0 project.deploy operator-approval gate).
Public signature + FunctionDeployResult shape unchanged; runtime_version and
deps_resolved are null on the deploy result (apply returns release-level data —
they live on the functions-list record).
Wire `deps` end-to-end through the apply engine (capability
apply-v1-function-deps, verified on origin/main): public FunctionSpec.deps, the
validateSpec field allowlist, normalizeFunction, and functionToWire. Without all
four, functions.deploy({ deps }) would silently drop deps at the wire.
transfer-accept (#428): AcceptTransferResult gains anon_key/service_key, and
accept() persists them via saveProject + setActiveProject (mirroring provision)
so the new owner can operate the inherited project with no extra provisioning.
Tests: rewrote the SDK + MCP deploy tests onto the apply flow (plan+commit;
empty missing_content skips upload, terminal ready skips poll); added
transfer-accept persistence tests. Corrected the now-false docs (unified deploy
does accept deps; the deploy result no longer surfaces runtime_version /
deps_resolved). npm test green (0 fail), build clean.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What
Adds demos/ — example run402 apps that auto-deploy to their own run402 projects on push to main, via keyless GitHub OIDC: each push exchanges the GitHub Actions OIDC token for a short-lived, deploy-scoped run402 CI session (run402's own CI-binding / OIDC-federation feature), then deploys through /content/v1 + /apply/v1. No run402 credential is stored in CI.
This is also peak dogfood — the run402 demos deploy to run402 using exactly the keyless flow we tell customers to use.
Layout
.github/workflows/deploy-demos.yml is the change-detected matrix workflow (environment: demos scopes the OIDC subject the run402 bindings pin). A change under demos/<name>/** deploys that demo; a change under demos/_deploy/** redeploys all. Only provisioned demos (a real project_id in app.json) are ever in the matrix — so this is a safe no-op for the source-only demos until they're onboarded.
Status
test-video
passkeys
cosmicforge/evilme/social-todo
mpp-test
The two provisioned demos reuse system projects (non-billable/transferable/freezeable, deploy-tier-exempt) with CI bindings scoped to repo:kychee-com/run402:environment:demos.
Safety
demos/_deploy/check-registry.mjs fails the build if any app.json carries a secret-bearing key. Verified no secret values are committed (the app.json binding_id is a revocable handle; the anon token is public by design).
🤖 Generated with Claude Code
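A sketch of the kind of registry gate the Safety section describes, written as an added example and not taken from the PR's check-registry.mjs. The key-name pattern, the allowlist and the sample app.json shapes are assumptions; the sample values are constructed placeholders.

```javascript
// Added example, not the project's check-registry.mjs. The pattern, the allowlist and
// the sample documents are assumptions made for illustration.
const PUBLIC_BY_DESIGN = new Set(['anon_key']); // public anon credential, allowed in app.json
const SECRET_KEY_PATTERN = /secret|password|token|credential|key/i;

// Recursively collect JSON paths whose key name looks secret-bearing.
// The check is on key names, so a nested or array-wrapped secret is still reported.
function findSecretKeys(node, path = '$') {
  if (Array.isArray(node)) {
    return node.flatMap((item, i) => findSecretKeys(item, `${path}[${i}]`));
  }
  if (node === null || typeof node !== 'object') return [];
  const hits = [];
  for (const [key, value] of Object.entries(node)) {
    const here = `${path}.${key}`;
    if (!PUBLIC_BY_DESIGN.has(key) && SECRET_KEY_PATTERN.test(key)) hits.push(here);
    hits.push(...findSecretKeys(value, here));
  }
  return hits;
}

// Gate over a registry of parsed app.json documents: one violation entry per demo.
function checkRegistry(registry) {
  const violations = [];
  for (const [demo, appJson] of Object.entries(registry)) {
    const paths = findSecretKeys(appJson);
    if (paths.length > 0) violations.push({ demo, paths });
  }
  return violations;
}

// Constructed registry (placeholder values, not real identifiers).
const SAMPLE_REGISTRY = {
  'test-video': { project_id: 'prj_PLACEHOLDER', binding_id: 'bnd_PLACEHOLDER', anon_key: 'public-anon' },
  'social-todo': { project_id: null, functions: [{ name: 'sync', env: { SERVICE_KEY: 'x' } }] },
  'cosmicforge': { project_id: null, deploy: { apiKey: 'x', region: 'eu' } },
};

const found = checkRegistry(SAMPLE_REGISTRY);
for (const v of found) console.error(`${v.demo}: secret-bearing key at ${v.paths.join(', ')}`);
// In CI the gate would exit non-zero when found.length > 0.
```

A name-based gate catches the key, not the value, so it complements rather than replaces a value-based secret scanner.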