chore: reproducible pipeline with dev containers (#10305)

# Which Problems Are Solved

- The previous monorepo in monorepo structure for the login app and its
related packages was fragmented, complicated and buggy.
- The process for building and testing the login container was
inconsistent between local development and CI.
- Lack of clear documentation as well as easy and reliable ways for
non-frontend developers to reproduce and fix failing PR checks locally.

# How the Problems Are Solved

- Consolidated the login app and its related npm packages by moving the
main package to `apps/login/apps/login` and merging
`apps/login/packages/integration` and `apps/login/packages/acceptance`
into the main `apps/login` package.
- Migrated from Docker Compose-based test setups to dev container-based
setups, adding support for multiple dev container configurations:
  - `.devcontainer/base`
  - `.devcontainer/turbo-lint-unit`
  - `.devcontainer/turbo-lint-unit-debug`
  - `.devcontainer/login-integration`
  - `.devcontainer/login-integration-debug`
- Added npm scripts to run the new dev container setups, enabling exact
reproduction of GitHub PR checks locally, and updated the pipeline to
use these containers.
- Cleaned up Dockerfiles and docker-bake.hcl files to only build the
production image for the login app.
- Cleaned up compose files to focus on dev environments in dev
containers.
- Updated `CONTRIBUTING.md` with guidance on running and debugging PR
checks locally using the new dev container approach.
- Introduced separate Dockerfiles for the login app to distinguish
between using published client packages and building clients from local
protos.
- Ensured the login container is always built in the pipeline for use in
integration and acceptance tests.
- Updated Makefile and GitHub Actions workflows to use
`--frozen-lockfile` for installing pnpm packages, ensuring reproducible
installs.
- Disabled GitHub release creation by the changeset action.
- Refactored the `/build` directory structure for clarity and
maintainability.
- Added a `clean` command to `docks/package.json`.
- Experimentally added `knip` to the `zitadel-client` package for
improved linting of dependencies and exports.

# Additional Changes

- Fixed Makefile commands for consistency and reliability.
- Improved the structure and clarity of the `/build` directory to
support seamless integration of the login build.
- Enhanced documentation and developer experience for running and
debugging CI checks locally.

# Additional Context

- See updated `CONTRIBUTING.md` for new local development and debugging
instructions.
- These changes are a prerequisite for further improvements to the CI
pipeline and local development workflow.
- Closes #10276

.devcontainer/base/Dockerfile

@@ -0,0 +1,16 @@
+FROM mcr.microsoft.com/devcontainers/typescript-node:20-bookworm
+
+ENV SHELL=/bin/bash \
+    DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8 \
+    LC_ALL=C.UTF-8 \
+    CI=1 \
+    PNPM_HOME=/home/node/.local/share/pnpm \
+    PATH=/home/node/.local/share/pnpm:$PATH
+
+
+RUN apt-get update && \
+    apt-get --no-install-recommends install -y \
+    libgtk2.0-0 libgtk-3-0 libgbm-dev libnotify-dev libnss3 libxss1 libasound2 libxtst6 xauth xvfb && \
+    apt-get clean && \
+    corepack enable && COREPACK_ENABLE_DOWNLOAD_PROMPT=0 corepack prepare pnpm@9.1.2 --activate

.devcontainer/base/devcontainer.json

@@ -0,0 +1,28 @@
+{
+	"$schema": "https://raw.githubusercontent.com/devcontainers/spec/refs/heads/main/schemas/devContainer.schema.json",
+	"name": "devcontainer",
+	"dockerComposeFile": "docker-compose.yml",
+	"service": "devcontainer",
+	"workspaceFolder": "/workspaces",
+	"features": {
+		"ghcr.io/devcontainers/features/go:1": {
+			"version": "1.24"
+		},
+		"ghcr.io/guiyomh/features/golangci-lint:0": {},
+		"ghcr.io/jungaretti/features/make:1": {}
+	},
+	"forwardPorts": [
+		3000,
+		3001,
+		4200,
+		8080
+	],
+	"onCreateCommand": "pnpm install -g sass@1.64.1",
+	"customizations": {
+		"jetbrains": {
+			"settings": {
+				"com.intellij:app:HttpConfigurable.use_proxy_pac": true
+			}
+		}
+	}
+}

.devcontainer/base/docker-compose.yml

@@ -0,0 +1,225 @@
+services:
+
+  devcontainer:
+    container_name: devcontainer
+    build:
+      context: .
+    volumes:
+      - ../../:/workspaces:cached
+      - /tmp/.X11-unix:/tmp/.X11-unix:cached
+      - home-dir:/home/node:delegated
+    command: sleep infinity
+    working_dir: /workspaces
+    environment:
+      ZITADEL_DATABASE_POSTGRES_HOST: db
+      ZITADEL_EXTERNALSECURE: false
+
+  db:
+    container_name: db
+    image: postgres:17.0-alpine3.19
+    restart: unless-stopped
+    volumes:
+      - postgres-data:/var/lib/postgresql/data
+    environment:
+      PGUSER: postgres
+      POSTGRES_PASSWORD: postgres
+    healthcheck:
+      test: [ "CMD-SHELL", "pg_isready" ]
+      interval: "10s"
+      timeout: "30s"
+      retries: 5
+      start_period: "20s"
+    ports:
+      - "5432:5432"
+
+  mock-zitadel:
+    container_name: mock-zitadel
+    build:
+      context: ../../apps/login/integration/core-mock
+    ports:
+      - 22220:22220
+      - 22222:22222
+
+  login-integration:
+    container_name: login-integration
+    build:
+      context: ../..
+      dockerfile: build/login/Dockerfile
+    image: "${LOGIN_TAG:-zitadel-login:local}"
+    env_file: ../../apps/login/.env.test
+    network_mode: service:devcontainer
+    environment:
+      NODE_ENV: test
+      PORT: 3001
+    depends_on:
+      mock-zitadel:
+        condition: service_started
+
+  zitadel:
+    image: "${ZITADEL_TAG:-ghcr.io/zitadel/zitadel:v4.0.0-rc.2}"
+    container_name: zitadel
+    command: 'start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --config /zitadel.yaml --steps /zitadel.yaml'
+    volumes:
+      - ../../apps/login/acceptance/pat:/pat:delegated
+      - ../../apps/login/acceptance/zitadel.yaml:/zitadel.yaml:cached
+    network_mode: service:devcontainer
+    healthcheck:
+      test:
+        - CMD
+        - /app/zitadel
+        - ready
+        - --config
+        - /zitadel.yaml
+    depends_on:
+      db:
+        condition: "service_healthy"
+
+  configure-login:
+    container_name: configure-login
+    restart: no
+    build:
+      context: ../../apps/login/acceptance/setup
+      dockerfile: ../go-command.Dockerfile
+    entrypoint: "./setup.sh"
+    network_mode: service:devcontainer
+    environment:
+      PAT_FILE: /pat/zitadel-admin-sa.pat
+      ZITADEL_API_URL: http://localhost:8080
+      WRITE_ENVIRONMENT_FILE: /login-env/.env.test.local
+      SINK_EMAIL_INTERNAL_URL: http://sink:3333/email
+      SINK_SMS_INTERNAL_URL: http://sink:3333/sms
+      SINK_NOTIFICATION_URL: http://sink:3333/notification
+      LOGIN_BASE_URL: http://localhost:3000/ui/v2/login/
+      ZITADEL_API_DOMAIN: localhost
+      ZITADEL_ADMIN_USER: zitadel-admin@zitadel.localhost
+    volumes:
+      - ../../apps/login/acceptance/pat:/pat:cached # Read the PAT file from zitadels setup
+      - ../../apps/login:/login-env:delegated # Write the environment variables file for the login
+    depends_on:
+      zitadel:
+        condition: "service_healthy"
+
+  login-acceptance:
+    container_name: login
+    image: "${LOGIN_TAG:-ghcr.io/zitadel/zitadel-login:v4.0.0-rc.2}"
+    network_mode: service:devcontainer
+    volumes:
+      - ../../apps/login/.env.test.local:/env-files/.env:cached
+    depends_on:
+      configure-login:
+        condition: service_completed_successfully
+
+  mock-notifications:
+    container_name: mock-notifications
+    build:
+      context: ../../apps/login/acceptance/sink
+      dockerfile: ../go-command.Dockerfile
+      args:
+        - LOGIN_TEST_ACCEPTANCE_GOLANG_TAG=${LOGIN_TEST_ACCEPTANCE_GOLANG_TAG:-golang:1.24-alpine}
+    environment:
+      PORT: '3333'
+    command:
+      - -port
+      - '3333'
+      - -email
+      - '/email'
+      - -sms
+      - '/sms'
+      - -notification
+      - '/notification'
+    ports:
+      - "3333:3333"
+    depends_on:
+      configure-login:
+        condition: "service_completed_successfully"
+
+  mock-oidcrp:
+    container_name: mock-oidcrp
+    build:
+      context: ../../apps/login/acceptance/oidcrp
+      dockerfile: ../go-command.Dockerfile
+      args:
+        - LOGIN_TEST_ACCEPTANCE_GOLANG_TAG=${LOGIN_TEST_ACCEPTANCE_GOLANG_TAG:-golang:1.24-alpine}
+    network_mode: service:devcontainer
+    environment:
+      API_URL: 'http://localhost:8080'
+      API_DOMAIN: 'localhost'
+      PAT_FILE: '/pat/zitadel-admin-sa.pat'
+      LOGIN_URL: 'http://localhost:3000/ui/v2/login'
+      ISSUER: 'http://localhost:8000'
+      HOST: 'localhost'
+      PORT: '8000'
+      SCOPES: 'openid profile email'
+    volumes:
+      - ../../apps/login/acceptance/pat:/pat:cached
+    depends_on:
+      configure-login:
+        condition: "service_completed_successfully"
+
+  #  mock-oidcop:
+  #    container_name: mock-oidcop
+  #    build:
+  #      context: ../../apps/login/acceptance/idp/oidc
+  #      dockerfile: ../../go-command.Dockerfile
+  #      args:
+  #        - LOGIN_TEST_ACCEPTANCE_GOLANG_TAG=${LOGIN_TEST_ACCEPTANCE_GOLANG_TAG:-golang:1.24-alpine}
+  #    network_mode: service:devcontainer
+  #    environment:
+  #      API_URL: 'http://localhost:8080'
+  #      API_DOMAIN: 'localhost'
+  #      PAT_FILE: '/pat/zitadel-admin-sa.pat'
+  #      SCHEMA: 'http'
+  #      HOST: 'localhost'
+  #      PORT: "8004"
+  #    volumes:
+  #      - "../apps/login/packages/acceptance/pat:/pat:cached"
+  #    depends_on:
+  #      configure-login:
+  #        condition: "service_completed_successfully"
+
+  mock-samlsp:
+    container_name: mock-samlsp
+    build:
+      context: ../../apps/login/acceptance/samlsp
+      dockerfile: ../go-command.Dockerfile
+      args:
+        - LOGIN_TEST_ACCEPTANCE_GOLANG_TAG=${LOGIN_TEST_ACCEPTANCE_GOLANG_TAG:-golang:1.24-alpine}
+    network_mode: service:devcontainer
+    environment:
+      API_URL: 'http://localhost:8080'
+      API_DOMAIN: 'localhost'
+      PAT_FILE: '/pat/zitadel-admin-sa.pat'
+      LOGIN_URL: 'http://localhost:3000/ui/v2/login'
+      IDP_URL: 'http://localhost:8080/saml/v2/metadata'
+      HOST: 'http://localhost:8001'
+      PORT: '8001'
+    volumes:
+      - "../apps/login/packages/acceptance/pat:/pat:cached"
+    depends_on:
+      configure-login:
+        condition: "service_completed_successfully"
+
+#  mock-samlidp:
+#    container_name: mock-samlidp
+#    build:
+#      context: ../../apps/login/acceptance/idp/saml
+#      dockerfile: ../../go-command.Dockerfile
+#      args:
+#        - LOGIN_TEST_ACCEPTANCE_GOLANG_TAG=${LOGIN_TEST_ACCEPTANCE_GOLANG_TAG:-golang:1.24-alpine}
+#    network_mode: service:devcontainer
+#    environment:
+#      API_URL: 'http://localhost:8080'
+#      API_DOMAIN: 'localhost'
+#      PAT_FILE: '/pat/zitadel-admin-sa.pat'
+#      SCHEMA: 'http'
+#      HOST: 'localhost'
+#      PORT: "8003"
+#    volumes:
+#      - "../apps/login/packages/acceptance/pat:/pat"
+#    depends_on:
+#      configure-login:
+#        condition: "service_completed_successfully"
+
+volumes:
+  postgres-data:
+  home-dir:

.devcontainer/devcontainer.json

@@ -1,22 +0,0 @@
-{
-	"name": "zitadel",
-	"dockerComposeFile": "docker-compose.yml",
-	"service": "devcontainer",
-	"workspaceFolder": "/workspaces/${localWorkspaceFolderBasename}",
-	"features": {
-		"ghcr.io/devcontainers/features/go:1": {
-			"version": "1.22"
-		},
-		"ghcr.io/devcontainers/features/node:1": {},
-		"ghcr.io/guiyomh/features/golangci-lint:0": {},
-		"ghcr.io/devcontainers/features/docker-outside-of-docker:1": {},
-		"ghcr.io/devcontainers/features/github-cli:1": {},
-		"ghcr.io/jungaretti/features/make:1": {}
-	},
-	"forwardPorts": [
-		3000,
-		4200,
-		8080
-	],
-	"onCreateCommand": "npm install -g sass@1.64.1"
-}

.devcontainer/docker-compose.yml

@@ -1,31 +0,0 @@
-version: '3.8'
-services:
-  devcontainer:
-    image: mcr.microsoft.com/devcontainers/base:ubuntu
-    volumes:
-      - ../..:/workspaces:cached
-      - /var/run/docker.sock:/var/run/docker.sock
-    network_mode: service:db
-    command: sleep infinity
-    environment:
-      ZITADEL_DATABASE_POSTGRES_HOST: db
-      ZITADEL_DATABASE_POSTGRES_PORT: 5432
-      ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
-      ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel
-      ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel
-      ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
-      ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
-      ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgres
-      ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
-      ZITADEL_EXTERNALSECURE: false
-  db:
-    image: postgres:latest
-    restart: unless-stopped
-    volumes:
-      - postgres-data:/var/lib/postgresql/data
-    environment:
-      PGUSER: postgres
-      POSTGRES_PASSWORD: postgres
-
-volumes:
-  postgres-data:

.devcontainer/login-integration-debug/devcontainer.json

@@ -0,0 +1,21 @@
+{
+	"$schema": "https://raw.githubusercontent.com/devcontainers/spec/refs/heads/main/schemas/devContainer.schema.json",
+	"name": "login-integration-debug",
+	"dockerComposeFile": [
+		"../base/docker-compose.yml",
+		"docker-compose.yml"
+	],
+	"service": "login-integration-debug",
+	"runServices": ["login-integration-debug"],
+	"workspaceFolder": "/workspaces",
+	"forwardPorts": [3001],
+	"onCreateCommand": "pnpm install --recursive",
+	"postAttachCommand": "pnpm turbo daemon clean; pnpm turbo @zitadel/login#dev test:integration:login:debug",
+	"customizations": {
+		"jetbrains": {
+			"settings": {
+				"com.intellij:app:HttpConfigurable.use_proxy_pac": true
+			}
+		}
+	}
+}

.devcontainer/login-integration-debug/docker-compose.yml

@@ -0,0 +1,9 @@
+services:
+  login-integration-debug:
+    extends:
+      file: ../base/docker-compose.yml
+      service: devcontainer
+    container_name: login-integration-debug
+    depends_on:
+      mock-zitadel:
+        condition: service_started

.devcontainer/login-integration/devcontainer.json

@@ -0,0 +1,19 @@
+{
+	"$schema": "https://raw.githubusercontent.com/devcontainers/spec/refs/heads/main/schemas/devContainer.schema.json",
+	"name": "login-integration",
+	"dockerComposeFile": [
+		"../base/docker-compose.yml"
+	],
+	"service": "devcontainer",
+	"runServices": ["login-integration"],
+	"workspaceFolder": "/workspaces",
+	"forwardPorts": [3001],
+	"onCreateCommand": "pnpm install --frozen-lockfile --recursive && cd apps/login/packages/integration && pnpm cypress install && pnpm test:integration:login",
+	"customizations": {
+		"jetbrains": {
+			"settings": {
+				"com.intellij:app:HttpConfigurable.use_proxy_pac": true
+			}
+		}
+	}
+}

.devcontainer/turbo-lint-unit-debug/devcontainer.json

@@ -0,0 +1,21 @@
+{
+	"$schema": "https://raw.githubusercontent.com/devcontainers/spec/refs/heads/main/schemas/devContainer.schema.json",
+	"name": "turbo-lint-unit-debug",
+	"dockerComposeFile": [
+		"../base/docker-compose.yml",
+		"docker-compose.yml"
+	],
+	"service": "turbo-lint-unit-debug",
+	"runServices": ["turbo-lint-unit-debug"],
+	"workspaceFolder": "/workspaces",
+	"forwardPorts": [3001],
+	"onCreateCommand": "pnpm install --recursive",
+	"postAttachCommand": "pnpm turbo daemon clean; pnpm turbo watch lint test:unit",
+	"customizations": {
+		"jetbrains": {
+			"settings": {
+				"com.intellij:app:HttpConfigurable.use_proxy_pac": true
+			}
+		}
+	}
+}

.devcontainer/turbo-lint-unit-debug/docker-compose.yml

@@ -0,0 +1,6 @@
+services:
+  turbo-lint-unit-debug:
+    extends:
+      file: ../base/docker-compose.yml
+      service: devcontainer
+    container_name: turbo-lint-unit-debug

.devcontainer/turbo-lint-unit/devcontainer.json

@@ -0,0 +1,18 @@
+{
+	"$schema": "https://raw.githubusercontent.com/devcontainers/spec/refs/heads/main/schemas/devContainer.schema.json",
+	"name": "turbo-lint-unit",
+	"dockerComposeFile": [
+		"../base/docker-compose.yml"
+	],
+	"service": "devcontainer",
+	"runServices": ["devcontainer"],
+	"workspaceFolder": "/workspaces",
+	"postStartCommand": "pnpm install --frozen-lockfile --recursive && pnpm turbo lint test:unit",
+	"customizations": {
+		"jetbrains": {
+			"settings": {
+				"com.intellij:app:HttpConfigurable.use_proxy_pac": true
+			}
+		}
+	}
+}