Feature Request: Token-less GitHub Actions deployments via OIDC

Deploying a site to Vercel from GitHub Actions currently requires the use of an account token. Having to create and keep track of these tokens has long been an annoying, but necessary, ordeal.

Today, however, GitHub allows Actions workflows to exchange short-lived tokens directly with third-party services via OpenID Connect (OIDC). This enables workflows to perform authenticated actions against third-party services without needing to store secrets from those services in GitHub. I kindly ask that you consider supporting this functionality on the Vercel platform and in the Vercel CLI.

PyPI uses this functionality to enable what it calls “trusted publishing”. Vercel could work in a similar fashion: users provide the name of the repository and workflow authorized to create deployments, and the Vercel CLI would automatically exchange the workflow job’s OIDC token for a short-lived Vercel token as needed.

TL;DR: It would be really awesome if I didn’t need a Vercel token every time I wanted to deploy from GitHub Actions and GitHub now has the technology to make that possible. Please consider implementing it. 🙏

2 Likes
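A sketch of the service-side check the request above implies, added here as an illustration (it is not part of the original post and is not Vercel's or PyPI's code). The claim names `iss`, `aud`, `exp`, `repository` and `job_workflow_ref` are the ones GitHub puts in Actions OIDC tokens; `check_claims`, `TRUSTED`, the audience string `vercel` and all sample values are hypothetical, and the JWT signature is assumed to have been verified against GitHub's JWKS already.

```python
import time

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Hypothetical "trusted publisher" record a user would configure on the service.
TRUSTED = {"repository": "acme/site", "workflow": "deploy.yml", "ref": "refs/heads/main"}

# Constructed sample of decoded token claims (not a real token).
SAMPLE = {
    "iss": GITHUB_ISSUER,
    "aud": "vercel",
    "exp": 2_000_000_000,
    "repository": "acme/site",
    "job_workflow_ref": "acme/site/.github/workflows/deploy.yml@refs/heads/main",
}


def check_claims(claims, trusted, audience, now=None):
    """Return (ok, reason) for already signature-verified OIDC claims."""
    now = time.time() if now is None else now
    if claims.get("iss") != GITHUB_ISSUER:
        return False, "unexpected issuer"
    aud = claims.get("aud")
    # aud may be a single string or a list; it must name this service,
    # otherwise a token minted for another service could be replayed here.
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"
    if str(claims.get("repository", "")).lower() != trusted["repository"].lower():
        return False, "repository not authorized"
    # job_workflow_ref has the form owner/repo/.github/workflows/file.yml@git-ref
    path, sep, git_ref = str(claims.get("job_workflow_ref", "")).partition("@")
    expected = f'{trusted["repository"]}/.github/workflows/{trusted["workflow"]}'
    if not sep or path.lower() != expected.lower():
        return False, "workflow not authorized"
    # Optionally pin the branch or tag so other refs cannot deploy.
    if trusted.get("ref") and git_ref != trusted["ref"]:
        return False, "ref not authorized"
    return True, "ok"
```

Only after a check like this passes would the service issue its own short-lived deployment token in exchange.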

Please consider implementing this. OIDC proved to be more secure and reliable than having to store credentials and rotate them manually.

+1

This is even more needed since there is no way to have team-wide API tokens. Currently, I use my own API token in the CI of our product. If I ever leave the company, we’ll need to remember to change it to another company member.