
feat: add OIDC workload identity federation to secret provider plugins#636

Merged: theoephraim merged 3 commits into main from feat/oidc-workload-identity on May 6, 2026

Conversation

@theoephraim

Member

Summary

  • Add shared OIDC token acquisition utility (packages/utils/src/oidc-tokens.ts) that auto-detects 5 deployment platforms (Vercel, GitHub Actions, GitLab CI, Fly.io, GCP Cloud Run)
  • Add OIDC authentication as a fallback option in 6 secret provider plugins:
    • AWS: STS AssumeRoleWithWebIdentity via new oidcRoleArn param
    • Azure: Federated credential (JWT as client assertion) when tenantId+clientId provided without clientSecret
    • GCP: Workload Identity Federation via workloadIdentityProvider param
    • HashiCorp Vault: JWT auth method via jwtRole param
    • Infisical: OIDC machine identity via identityId param (alternative to Universal Auth)
    • Akeyless: OIDC access type via oidcAccessId param
  • All plugins also accept explicit oidcToken param for custom OIDC providers

This enables deployed environments to authenticate with secret providers using short-lived OIDC tokens instead of long-lived credentials — no secrets needed to fetch secrets.

Test plan

  • Verify typecheck passes across all packages (confirmed in pre-push hook)
  • Verify lint passes (confirmed via bun run lint:fix)
  • Manual test: deploy to Vercel with AWS OIDC role configured, verify secrets resolve
  • Manual test: GitHub Actions workflow with id-token: write permission
  • Unit tests for OIDC token acquisition utility (mock platform env vars)
  • Unit tests for each plugin's OIDC auth path (mock token exchange endpoints)
  • Documentation pass (shared OIDC guide + per-plugin README sections) — follow-up PR

🤖 Generated with Claude Code
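Added example, not varlock's own oidc-tokens.ts (this page shows none of its code): a TypeScript sketch of the two client-side steps the summary describes, picking the platform that can mint an OIDC token from its environment and checking a token's issuer, audience and expiry before handing it to a provider exchange such as STS AssumeRoleWithWebIdentity. Only the GitHub Actions variable names are real; the other environment variable names, the explicit-token variable and the sample token are assumptions.

```typescript
// Added example, not varlock's oidc-tokens.ts. Only the GitHub Actions variable
// names are certain; the other env var names and the sample token are assumptions.
export type Platform = "explicit" | "github-actions" | "vercel" | "gitlab-ci" | "fly" | "gcp-cloud-run" | null;

// Pick the token source: an explicitly supplied token wins, then the platform
// whose well-known variables are present (same spirit as the explicit oidcToken param).
export function detectPlatform(env: Record<string, string | undefined>): Platform {
  if (env.OIDC_TOKEN) return "explicit"; // assumed env name for an explicit token
  if (env.ACTIONS_ID_TOKEN_REQUEST_URL && env.ACTIONS_ID_TOKEN_REQUEST_TOKEN) return "github-actions";
  if (env.VERCEL_OIDC_TOKEN) return "vercel"; // assumed
  if (env.GITLAB_CI === "true") return "gitlab-ci"; // the token's var name is job-defined
  if (env.FLY_APP_NAME) return "fly"; // assumed
  if (env.K_SERVICE && env.K_REVISION) return "gcp-cloud-run"; // assumed
  return null;
}

export interface Claims { iss: string; sub: string; aud: string | string[]; exp: number; }

const toB64Url = (s: string) => btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64Url = (s: string) => {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
};

// Payload only, no signature check: the client only decides whether to send the
// token; the relying party (STS, Entra ID, Vault, ...) verifies it against the issuer's JWKS.
export function decodeClaims(jwt: string): Claims {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(fromB64Url(parts[1])) as Claims;
}

// Null when the token fits this exchange, otherwise the reason. A wrong `aud`
// means the token was minted for a different provider and must not be sent there.
export function checkToken(jwt: string, expectedIss: string, expectedAud: string,
                           now: number = Math.floor(Date.now() / 1000)): string | null {
  const c = decodeClaims(jwt);
  const auds = Array.isArray(c.aud) ? c.aud : [c.aud];
  if (c.iss !== expectedIss) return `issuer mismatch: ${c.iss}`;
  if (!auds.includes(expectedAud)) return `audience mismatch: ${auds.join(",")}`;
  if (typeof c.exp !== "number" || c.exp <= now) return "token expired";
  return null;
}

// Constructed, unsigned sample shaped like a GitHub Actions token aimed at AWS STS.
export function sampleToken(): string {
  const header = toB64Url(JSON.stringify({ alg: "none", typ: "JWT" }));
  const payload = toB64Url(JSON.stringify({ iss: "https://token.actions.githubusercontent.com",
    sub: "repo:example-org/example-app:ref:refs/heads/main", aud: "sts.amazonaws.com", exp: 1800000000 }));
  return `${header}.${payload}.`;
}
```

A real token would be fetched from the detected platform and carry a signature; the checks above run the same way on it, and the `aud` check is what keeps a token minted for STS from being replayed to another provider's exchange endpoint.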

@changeset-bot

changeset-bot Bot commented Apr 21, 2026


⚠️ No Changeset found

Latest commit: 346c87e

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Apr 21, 2026


Deploying with Cloudflare Workers

The latest updates on your project.

Status                  Name             Latest Commit  Preview URL                              Updated (UTC)
Deployment successful!  varlock-website  fe1ff22        Commit Preview URL / Branch Preview URL  May 06 2026, 05:55 AM

theoephraim and others added 3 commits May 5, 2026 22:23
…r plugins

Enable deployed environments (Vercel, GitHub Actions, Fly.io, GCP Cloud Run,
GitLab CI) to authenticate with secret providers using short-lived OIDC tokens
instead of long-lived credentials.

Adds a shared OIDC token acquisition utility that auto-detects the deployment
platform, and integrates OIDC as an auth option in 6 plugins: AWS (STS
AssumeRoleWithWebIdentity), Azure (federated credential), GCP (Workload
Identity Federation), HashiCorp Vault (JWT auth), Infisical (OIDC machine
identity), and Akeyless (OIDC access type).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add a shared OIDC guide at guides/oidc.mdx covering platform setup
(Vercel, GitHub Actions, GitLab CI, Fly.io, GCP Cloud Run) and
provider-specific configuration for all 6 supported plugins.

Update each plugin README with OIDC auth section, updated auth priority
order, and new parameter documentation. All READMEs link to the shared
guide for platform-side setup details.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Move provider-specific OIDC setup from the central guide into each
plugin's doc page. The OIDC guide now links to plugin pages for setup
details. Also adds OIDC to feature lists and auth priority docs for
all affected plugins, and adds a bumpy changeset.
@theoephraim theoephraim force-pushed the feat/oidc-workload-identity branch from 346c87e to fe1ff22 on May 6, 2026 05:54
@github-actions

github-actions Bot commented May 6, 2026

Contributor

bumpy-frog

The changes in this PR will be included in the next version bump.

minor Minor releases

  • @varlock/akeyless-plugin 1.0.0 → 1.1.0
  • @varlock/aws-secrets-plugin 1.0.0 → 1.1.0
  • @varlock/azure-key-vault-plugin 1.0.0 → 1.1.0
  • @varlock/google-secret-manager-plugin 1.0.0 → 1.1.0
  • @varlock/hashicorp-vault-plugin 1.0.0 → 1.1.0
  • @varlock/infisical-plugin 1.0.0 → 1.1.0

This comment is maintained by bumpy.

@socket-security


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff   Package                           Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added  npm/@aws-sdk/client-sts@3.1043.0  98                     100            100      98           100

@pkg-pr-new

pkg-pr-new Bot commented May 6, 2026


@varlock/akeyless-plugin

npm i https://pkg.pr.new/@varlock/akeyless-plugin@636

@varlock/aws-secrets-plugin

npm i https://pkg.pr.new/@varlock/aws-secrets-plugin@636

@varlock/azure-key-vault-plugin

npm i https://pkg.pr.new/@varlock/azure-key-vault-plugin@636

@varlock/google-secret-manager-plugin

npm i https://pkg.pr.new/@varlock/google-secret-manager-plugin@636

@varlock/hashicorp-vault-plugin

npm i https://pkg.pr.new/@varlock/hashicorp-vault-plugin@636

@varlock/infisical-plugin

npm i https://pkg.pr.new/@varlock/infisical-plugin@636

commit: fe1ff22

@theoephraim theoephraim merged commit 718c163 into main May 6, 2026
26 checks passed