Skip to content

Operations ​

Day-2 administration for fullsend per-repo installations: configuration updates, workflow syncing, uninstall, and standalone commands for split-responsibility workflows. For per-org operations (enrollment, org-level status, org uninstall), see Per-Org Mode.

Prerequisites ​

  • fullsend CLI installed (see Getting Started)
  • GitHub access β€” repository admin for the target repository
  • gh CLI authenticated with the required OAuth scopes (see OAuth scope reference)

Updating configuration values ​

Update individual secrets or variables without re-running full setup:

bash
fullsend github set "$OWNER/$REPO" FULLSEND_GCP_PROJECT_ID new-gcp-project
fullsend github set "$OWNER/$REPO" FULLSEND_GCP_REGION global
KeyStorage TypeDescriptionExample value
FULLSEND_GCP_REGIONRepo variableGCP region for Agent Platform inferenceglobal
FULLSEND_PER_REPO_INSTALLRepo variableSet to true for per-repo installations (auto-set by installer)true
FULLSEND_GCP_PROJECT_IDRepo secretGCP project ID where Agent Platform is enabledmy-gcp-project
FULLSEND_GCP_WIF_PROVIDERRepo secretFull WIF provider resource name for OIDC authenticationprojects/123456789/locations/global/...

Syncing workflow templates ​

After upgrading the fullsend CLI, re-run github setup to update the workflow file:

bash
fullsend github setup "$OWNER/$REPO" \
  --inference-project "<GCP_PROJECT>" \
  --inference-wif-provider "<WIF_PROVIDER>"

This is idempotent β€” it updates the workflow file in place without changing other configuration.

Uninstalling ​

Per-repo teardown ​

To remove fullsend from a single repository:

  1. Delete .github/workflows/fullsend.yaml and repo-level secrets/variables
  2. Run fullsend inference deprovision "$OWNER/$REPO" to remove WIF access
  3. Contact the fullsend team to unenroll the repo from the hosted mint

If you manage your own self-hosted mint, run fullsend mint unenroll "$OWNER/$REPO" instead of step 3. See the standalone commands table for details.

Standalone commands ​

For organizations that separate GCP and GitHub responsibilities across teams, fullsend provides standalone commands that let each team run only the steps they own:

RoleCommandWhat it does
GCP Admin (Inference)fullsend inference provision <org|owner/repo>Create WIF pool/provider and grant Agent Platform access (idempotent β€” safe to re-run for new orgs)
GCP Admin (Inference)fullsend inference deprovision <org|owner/repo>Remove org or repo from WIF
GCP Admin (Inference)fullsend inference status <org|owner/repo>Check WIF health, print config values
GitHub Maintainerfullsend github setup <org|owner/repo>Configure GitHub org or repo (no GCP needed)
GitHub Maintainerfullsend github enroll <org> [repo...]Add repositories to agent enrollment
GitHub Maintainerfullsend github unenroll <org> [repo...]Remove repositories from agent enrollment
GitHub Maintainerfullsend github set <org|owner/repo> <key> <value>Update a single config value (secret or variable)
GitHub Maintainerfullsend github status <org>Analyze GitHub-side installation state
GitHub Maintainerfullsend github sync-scaffold <org>Update workflow templates to current CLI version
GitHub Maintainerfullsend github uninstall <org>Remove GitHub configuration (org-level only)
GCP Admin (Mint)fullsend mint deployDeploy the token mint Cloud Function
GCP Admin (Mint)fullsend mint add-role <role>Register a role PEM and app ID on the mint
GCP Admin (Mint)fullsend mint remove-role <role>Remove a role from the mint (deletes PEM secret by default)
GCP Admin (Mint)fullsend mint enroll <org|owner/repo>Register an org or repo in the mint (does not grant Agent Platform access β€” use inference provision)
GCP Admin (Mint)fullsend mint unenroll <org|owner/repo>Remove an org or repo from the mint
GCP Admin (Mint)fullsend mint statusInspect mint state and PEM health

| Developer | fullsend agent add <url-or-path> | Register an agent in config (URL auto-pinned to commit SHA) | | Developer | fullsend agent list | List registered agents and their sources | | Developer | fullsend agent update <name> [sha] | Re-pin a URL agent to a new commit SHA | | Developer | fullsend agent remove <name> | Unregister an agent from config | | Developer | fullsend agent migrate-customizations | Migrate customized/ overlays to config-driven agents via PR |

The typical handoff: a GCP admin runs mint deploy + mint enroll + inference provision, then passes the mint URL and WIF provider resource name to a GitHub maintainer who runs github setup --mint-url=... --inference-wif-provider=....

Per-command IAM role breakdown ​

When using the split-responsibility workflow, each standalone command requires a subset of IAM roles. Use this table to request only what you need.

IAM Roleinference provisioninference deprovisioninference statusmint deploymint add-rolemint remove-rolemint enrollmint unenrollmint status
roles/iam.workloadIdentityPoolAdminxxxxx
roles/resourcemanager.projectIamAdminx***
roles/iam.serviceAccountAdminx
roles/secretmanager.admin********
roles/cloudfunctions.developerx
roles/cloudfunctions.viewerxxxxx
roles/run.adminxxxxx
roles/iam.workloadIdentityPoolViewerx†
roles/secretmanager.viewerΒ§x

* roles/resourcemanager.projectIamAdmin and roles/secretmanager.admin are required for mint deploy only when using --pem-dir (first-time bootstrap). Standard deploys without --pem-dir do not need these roles.

** roles/resourcemanager.projectIamAdmin is required for mint enroll only in per-repo mode (mint enroll owner/repo). Org-scoped enrollment does not grant IAM bindings β€” use inference provision separately.

*** roles/secretmanager.admin is required for mint add-role when uploading a new PEM (--pem or browser mode). When using --use-existing-pem-secret, only roles/secretmanager.viewer is required (see Β§).

**** roles/secretmanager.admin is required for mint remove-role unless --keep-pem is passed (default deletes the PEM secret).

Β§ roles/secretmanager.viewer is required for mint add-role when using --use-existing-pem-secret (checks that the PEM secret exists).

† All commands that call GCP APIs also require resourcemanager.projects.get (typically available via roles/browser or any project-level viewer role). This is only notable for inference status where it is not covered by the other listed roles.

Required GCP APIs also differ by command group:

bash
# Inference commands (inference provision/deprovision/status):
gcloud services enable \
  iam.googleapis.com \
  cloudresourcemanager.googleapis.com \
  aiplatform.googleapis.com \
  --project="$GCP_PROJECT"

# Mint commands (mint deploy/enroll/unenroll/status):
gcloud services enable \
  iam.googleapis.com \
  cloudresourcemanager.googleapis.com \
  cloudfunctions.googleapis.com \
  run.googleapis.com \
  secretmanager.googleapis.com \
  iamcredentials.googleapis.com \
  --project="$GCP_PROJECT"

Note: iamcredentials.googleapis.com is a runtime dependency β€” the deployed mint Cloud Function uses it for WIF token exchange, not the CLI itself. It must be enabled before mint deploy.

Status notifications ​

Agent workflows post status comments on issues and PRs when they start and complete. This behavior is controlled by the status_notifications section in config.yaml:

yaml
defaults:
  status_notifications:
    comment:
      start: enabled      # "enabled" (default) | "disabled"
      completion: enabled  # "enabled" (default) | "disabled"

When status_notifications is omitted, comments default to enabled.

The composite action accepts four optional inputs for status notifications:

InputDescription
run-urlURL of the CI/CD run shown in the status comment
status-repoRepository (owner/repo) to post status comments on
status-numberIssue or PR number for status comments
mint-urlURL of the token mint service used to obtain fresh tokens for posting comments

All reusable workflows pass these inputs automatically.

See Also ​