From 6dc35140a5e1d078c77e00712c45275587b35139 Mon Sep 17 00:00:00 2001
From: Elio Bischof
Date: Mon, 23 Jun 2025 21:10:18 +0200
Subject: [PATCH] login pipeline
---
 .github/workflows/build.yml | 14 +++++-
 .github/workflows/login-container.yml | 46 +++++++++++++++++++
 .github/workflows/login-quality.yml | 65 +++++++++++++++++++++++++++
 .github/workflows/release.yml | 15 +++++++
 4 files changed, 139 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/login-container.yml
 create mode 100644 .github/workflows/login-quality.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f06c4a959c..3767b180e1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -76,6 +76,11 @@ jobs:
 core_cache_key: ${{ needs.core.outputs.cache_key }}
 core_cache_path: ${{ needs.core.outputs.cache_path }}
+ login-quality:
+ uses: ./.github/workflows/login-quality.yml
+ with:
+ force: ${{ github.event_name == 'workflow_dispatch' }}
+
 container:
 needs: [compile]
 uses: ./.github/workflows/container.yml
@@ -86,6 +91,10 @@ jobs:
 with:
 build_image_name: "ghcr.io/zitadel/zitadel-build"
+ login-container:
+ uses: ./.github/workflows/login-container.yml
+ if: ${{ github.event_name == 'workflow_dispatch' }}
+
 e2e:
 uses: ./.github/workflows/e2e.yml
 needs: [compile]
@@ -98,7 +107,7 @@ jobs:
 issues: write
 pull-requests: write
 needs:
- [version, core-unit-test, core-integration-test, lint, container, e2e]
+ [version, core-unit-test, core-integration-test, lint, container, e2e, login-container]
 if: ${{ github.event_name == 'workflow_dispatch' }}
 secrets:
 GCR_JSON_KEY_BASE64: ${{ secrets.GCR_JSON_KEY_BASE64 }}
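Review bot: The new `login-quality` caller job has no `permissions:` block, although the workflow it calls requests `id-token: write` and `actions: write` (login-quality.yml in this patch), and a called workflow can only receive what its caller already holds. The `release` job further down in this file states its grants explicitly; adding a `permissions:` block here that lists `contents: read`, `id-token: write` and `actions: write` keeps the token scope visible at the call site and independent of the repository default. The `login-container` job added in the next hunk has the same gap and would need `contents: read` and `id-token: write`. Whether build.yml sets workflow-level permissions cannot be seen from these hunks.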
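Review bot: `login-quality` is missing from the release job's `needs` list in the `@@ -98,7 +107,7 @@` hunk, so on a `workflow_dispatch` run the login image can be promoted while the login quality job has failed or is still running; only `login-container` is added. The `login-container` job in the previous hunk does not declare `needs: [login-quality]` either. If the quality job is meant to gate publication, the list should read `[version, core-unit-test, core-integration-test, lint, container, e2e, login-quality, login-container]`. The release job starts and ends outside this hunk.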
@@ -109,3 +118,6 @@ jobs:
 semantic_version: "23.0.7"
 image_name: "ghcr.io/zitadel/zitadel"
 google_image_name: "europe-docker.pkg.dev/zitadel-common/zitadel-repo/zitadel"
+ build_image_name_login: ${{ needs.login-container.outputs.login_build_image }}
+ image_name_login: "ghcr.io/zitadel/login"
+ google_image_name_login: europe-docker.pkg.dev/zitadel-common/zitadel-repo/login
diff --git a/.github/workflows/login-container.yml b/.github/workflows/login-container.yml
new file mode 100644
index 0000000000..1c8eab7d55
--- /dev/null
+++ b/.github/workflows/login-container.yml
@@ -0,0 +1,46 @@
+name: Login Container
+
+on:
+ workflow_call:
+ outputs:
+ login_build_image:
+ description: 'The image name of the built production standalone login image'
+ value: ${{ jobs.login-container.outputs.login_build_image }}
+
+jobs:
+ login-container:
+ name: Build Login Container
+ runs-on: depot-ubuntu-22.04-8
+ permissions:
+ contents: read
+ id-token: write
+ outputs:
+ login_build_image: ${{ steps.get-login-tag.outputs.LOGIN_TAG }}
+ steps:
+ - uses: actions/checkout@v4
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: |
+ ghcr.io/zitadel/login
+ tags: |
+ type=raw,value=latest,enable={{is_default_branch}}
+ type=ref,event=branch
+ type=ref,event=pr
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}}
+ - uses: depot/setup-action@v1
+ with:
+ oidc: true
+ - name: Build Login Container
+ run: make login-standalone-build
+ env:
+ # latest if branch is main, otherwise image version which is the pull request number
+ BAKE_CLI: depot bake
+ DEPOT_PROJECT_ID: w47wkxzdtw
+ FORCE: ${{ github.event.inputs.force }}
+ - name: Get Login image tag
+ id: get-login-tag
+ run: echo "LOGIN_TAG=$(make login-standalone-build-tag)" >> "$GITHUB_OUTPUT"
diff --git a/.github/workflows/login-quality.yml b/.github/workflows/login-quality.yml
new file mode 100644
index 0000000000..2d9427a0d2
--- /dev/null
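Review bot: The three actions in login-container.yml are referenced by movable tags (`actions/checkout@v4`, `docker/metadata-action@v5`, `depot/setup-action@v1`) in a job that holds `id-token: write`, so the integrity of the OIDC-capable build depends on nobody re-pointing those tags. Pinning each to a full commit SHA with the tag kept as a trailing comment, for example `uses: depot/setup-action@<full-commit-sha> # v1`, removes that dependency. login-quality.yml in this patch uses the same three references plus `actions/cache/restore@v4` and `actions/cache/save@v4`. Separately, no later step in this file consumes the outputs of the `Docker meta` step, and the comment above `BAKE_CLI` describes a tag choice that none of the listed variables expresses; both look like leftovers that can be dropped.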
+++ b/.github/workflows/login-quality.yml
@@ -0,0 +1,65 @@
+name: Login Quality
+
+on:
+ workflow_call:
+ inputs:
+ force:
+ description: 'Ignore run caches'
+ type: boolean
+ required: true
+ outputs:
+ login_build_image:
+ description: 'The image name of the built production standalone login image'
+ value: 'ghcr.io/zitadel/login:${{ github.sha }}'
+
+jobs:
+ quality:
+ name: Ensure Quality
+ runs-on: depot-ubuntu-22.04-8
+ timeout-minutes: 30
+ permissions:
+ contents: read
+ id-token: write
+ actions: write
+ env:
+ CACHE_DIR: /tmp/login-run-caches
+ steps:
+ - uses: actions/checkout@v4
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: |
+ ghcr.io/zitadel/login
+ tags: |
+ type=raw,value=latest,enable={{is_default_branch}}
+ type=ref,event=branch
+ type=ref,event=pr
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}}
+ - uses: depot/setup-action@v1
+ with:
+ oidc: true
+ - name: Restore Run Caches
+ uses: actions/cache/restore@v4
+ id: run-caches-restore
+ with:
+ path: ${{ env.CACHE_DIR }}
+ key: ${{ runner.os }}-login-run-caches-${{github.ref_name}}-${{ github.sha }}-${{github.run_attempt}}
+ restore-keys: |
+ ${{ runner.os }}-login-run-caches-${{github.ref_name}}-${{ github.sha }}-
+ ${{ runner.os }}-login-run-caches-${{github.ref_name}}-
+ ${{ runner.os }}-login-run-caches-
+ - run: make login-quality
+ env:
+ # latest if branch is main, otherwise image version which is the pull request number
+ BAKE_CLI: depot bake
+ DEPOT_PROJECT_ID: w47wkxzdtw
+ FORCE: ${{ github.event.inputs.force }}
+ - name: Save Run Caches
+ uses: actions/cache/save@v4
+ with:
+ path: ${{ env.CACHE_DIR }}
+ key: ${{ steps.run-caches-restore.outputs.cache-primary-key }}
+ if: always()
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3e40ae8805..910a361a8b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
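Review bot: `FORCE: ${{ github.event.inputs.force }}` in the `make login-quality` step does not read the `force` input this workflow declares under `workflow_call`. In a called workflow `github.event` is the caller's event, so the value build.yml passes through `with: force:` is never used and FORCE is most likely empty; the line should be `FORCE: ${{ inputs.force }}`. login-container.yml carries the same line without declaring any `force` input, so there the variable should either be removed or backed by a declared input. A comment is also warranted on `Save Run Caches`: with `if: always()` a cache written by a failed run can be picked up by the next run through the broad `restore-keys` prefixes.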
@@ -15,6 +15,15 @@ on:
 google_image_name:
 required: true
 type: string
+ build_image_name_login:
+ required: true
+ type: string
+ image_name_login:
+ required: true
+ type: string
+ google_image_name_login:
+ required: true
+ type: string
 secrets:
 GCR_JSON_KEY_BASE64:
 description: 'base64 endcrypted key to connect to Google'
@@ -96,6 +105,9 @@ jobs:
 docker buildx imagetools create \
 --tag ${{ inputs.google_image_name }}:${{ needs.version.outputs.version }} \
 ${{ inputs.build_image_name }}
+ docker buildx imagetools create \
+ --tag ${{ inputs.google_image_name_login }}:${{ needs.version.outputs.version }} \
+ ${{ inputs.build_image_name_login }}
 - name: Publish latest
 if: ${{ github.ref_name == 'next' }}
@@ -106,6 +118,9 @@ jobs:
 docker buildx imagetools create \
 --tag ${{ inputs.image_name }}:latest-debug \
 ${{ inputs.build_image_name }}-debug
+ docker buildx imagetools create \
+ --tag ${{ inputs.image_name_login }}:latest \
+ ${{ inputs.build_image_name_login }}
 homebrew-tap:
 runs-on: ubuntu-22.04
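Review bot: The added `docker buildx imagetools create` lines in the `@@ -96,6 +105,9 @@` hunk place `${{ inputs.google_image_name_login }}`, `${{ needs.version.outputs.version }}` and `${{ inputs.build_image_name_login }}` directly in the shell script, where they are expanded before the shell parses the line; the `Publish latest` hunk below does the same with `image_name_login`. `build_image_name_login` comes from the output of `make login-standalone-build-tag` in login-container.yml, so this workflow does not fix its content. Passing the values through the step's `env:` and quoting them, e.g. `--tag "${GOOGLE_IMAGE_NAME_LOGIN}:${VERSION}" \` followed by `"${BUILD_IMAGE_NAME_LOGIN}"`, keeps them as data. The step header and the start of the `run:` block lie outside the hunk, and the existing zitadel image lines follow the same pattern.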