feat: switch deploy workflows to GitHub OIDC (zero secrets)

[chitcommit]

Summary

• Switch both deploy workflows from API key to GitHub OIDC — zero secrets needed
• deploy-worker.yml: Adds id-token: write permission, removes secrets.CHITTYCONNECT_API_KEY
• deploy-pages.yml: Adds id-token: write to get-credentials job, removes api_key input

Dependency

Requires chittyops PR #30 to be merged first (getchitty-creds OIDC migration).

How it works

1. GitHub Actions requests an OIDC token with audience https://connect.chitty.cc
2. getchitty-creds sends the token to ChittyConnect's /api/github-actions/credentials
3. ChittyConnect validates the JWT, checks CHITTYOS is in allowedOrgs, returns credentials
4. No stored secrets needed — GitHub's identity is the credential

Test plan

• Merge chittyops PR fix: compliance remediation — schema drift, doc accuracy, type safety #30 first
• Trigger Deploy Worker via workflow_dispatch
• Verify OIDC auth succeeds and worker deploys
• Verify command.mychitty.com resolves after deploy

🤖 Generated with Claude Code

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[coderabbitai]

Warning

Rate limit exceeded

@chitcommit has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 11 minutes and 33 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8f7f5163-9c7b-4024-b5cd-b0ae47cca9c4

📥 Commits

Reviewing files that changed from the base of the PR and between 6dc4640 and 25f81c8.

📒 Files selected for processing (3)

• .github/workflows/deploy-pages.yml
• .github/workflows/deploy-worker.yml
• wrangler.toml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/oidc-deploy-workflows

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

1. @coderabbitai review
2. @copilot review
3. @codex review
4. @claude review
   Adversarial review request: evaluate security, policy bypass paths, regression risk, and merge-gating bypass attempts.