Reusable GitHub workflow for deploying Vercel projects with secrets resolved from 1Password by the calling workflow.
The workflow uses a single caller-provided OP_SERVICE_ACCOUNT_TOKEN with
read-only access to exactly two vaults: webops-prod-shared and the project
vault named in vault (webops-prod-<project>). webops-prod-shared contains
VERCEL_TOKEN and VERCEL_ORG_ID; the project vault contains a
VERCEL_PROJECT_ID item and the app secrets listed in secrets. Each entry
in secrets is KEY=item/field, resolved as op://<vault>/item/field
(or pass a full op://... reference to point outside the project vault).
The workflow pins its actions, Vercel CLI, 1Password CLI, and bun versions. It uses
amondnet/vercel-action with vercel-build: true so the runner runs
vercel pull → vercel build → deploy --prebuilt, inlines project secrets via
build-env, creates GitHub Deployment records, and publishes preview URLs on
pull requests.
name: Deploy to Vercel
on:
push:
branches: [main]
permissions:
contents: read
deployments: write
pull-requests: write
jobs:
deploy:
uses: yearn/yearn-gha/.github/workflows/vercel-deploy.yml@main
with:
vault: webops-prod-my-app
environment: production
secrets: |
RPC_URL=my-app/RPC_URL
WEBHOOK_SECRET=my-app/WEBHOOK_SECRET
secrets:
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}Store OP_SERVICE_ACCOUNT_TOKEN as a repository secret on the caller. The
token must have read-only access only to webops-prod-shared and the project
vault supplied in vault.
Caller workflows must grant pull-requests: write (in addition to
contents: read and deployments: write). Reusable workflows cannot elevate
beyond the caller's token permissions, and preview URL comments on pull
requests require write access to pull requests.
| Name | Required | Default | Description |
|---|---|---|---|
vault |
yes | — | Project vault named webops-prod-<project>; source of the project-specific OP secrets. |
secrets |
no | "" |
Multiline KEY=item/field entries resolved from the project vault (or a full op://... reference). |
environment |
no | preview |
Deploy target. Only preview and production are accepted. |
| Name | Required | Description |
|---|---|---|
OP_SERVICE_ACCOUNT_TOKEN |
yes | Caller-provided 1Password service account token scoped to webops-prod-shared and the project vault. |
| Name | Description |
|---|---|
deployment-url |
Preview or production URL returned by Vercel. |
Consume it from a downstream job with
${{ needs.deploy.outputs.deployment-url }}.
See examples/ for the current Katana APR, yvUSD APR, and fapy-hook shapes.