Summary

Vercel launched Trusted Sources for Deployment Protection, which lets protected deployments accept short-lived OIDC identity tokens from Vercel projects and external services instead of relying on a long-lived automation bypass secret. It supports callers within the same team as well as external callers such as GitHub Actions.

What changed

Vercel added Trusted Sources, an OIDC-based control plane for authenticated access to protected deployments.

Why it matters

This is a concrete shift from static shared secrets toward federated workload identity in developer infrastructure. For teams automating deploy previews, internal APIs, or protected environments, that reduces secret sprawl and makes policy enforcement more granular and auditable.

Evidence excerpt

Vercel says Trusted Sources accepts short-lived OIDC tokens from Vercel projects and authorized external services so teams no longer need to share a long-lived automation bypass secret.
