chore: reproducible pipeline with dev containers (#10305)

# Which Problems Are Solved

- The previous monorepo in monorepo structure for the login app and its
related packages was fragmented, complicated and buggy.
- The process for building and testing the login container was
inconsistent between local development and CI.
- Lack of clear documentation as well as easy and reliable ways for
non-frontend developers to reproduce and fix failing PR checks locally.

# How the Problems Are Solved

- Consolidated the login app and its related npm packages by moving the
main package to `apps/login/apps/login` and merging
`apps/login/packages/integration` and `apps/login/packages/acceptance`
into the main `apps/login` package.
- Migrated from Docker Compose-based test setups to dev container-based
setups, adding support for multiple dev container configurations:
  - `.devcontainer/base`
  - `.devcontainer/turbo-lint-unit`
  - `.devcontainer/turbo-lint-unit-debug`
  - `.devcontainer/login-integration`
  - `.devcontainer/login-integration-debug`
- Added npm scripts to run the new dev container setups, enabling exact
reproduction of GitHub PR checks locally, and updated the pipeline to
use these containers.
- Cleaned up Dockerfiles and docker-bake.hcl files to only build the
production image for the login app.
- Cleaned up compose files to focus on dev environments in dev
containers.
- Updated `CONTRIBUTING.md` with guidance on running and debugging PR
checks locally using the new dev container approach.
- Introduced separate Dockerfiles for the login app to distinguish
between using published client packages and building clients from local
protos.
- Ensured the login container is always built in the pipeline for use in
integration and acceptance tests.
- Updated Makefile and GitHub Actions workflows to use
`--frozen-lockfile` for installing pnpm packages, ensuring reproducible
installs.
- Disabled GitHub release creation by the changeset action.
- Refactored the `/build` directory structure for clarity and
maintainability.
- Added a `clean` command to `docks/package.json`.
- Experimentally added `knip` to the `zitadel-client` package for
improved linting of dependencies and exports.

# Additional Changes

- Fixed Makefile commands for consistency and reliability.
- Improved the structure and clarity of the `/build` directory to
support seamless integration of the login build.
- Enhanced documentation and developer experience for running and
debugging CI checks locally.

# Additional Context

- See updated `CONTRIBUTING.md` for new local development and debugging
instructions.
- These changes are a prerequisite for further improvements to the CI
pipeline and local development workflow.
- Closes #10276

.github/workflows/build.yml

@@ -86,18 +86,6 @@ jobs:
       core_cache_key: ${{ needs.core.outputs.cache_key }}
       core_cache_path: ${{ needs.core.outputs.cache_path }}
 
-  login-quality:
-    needs: [compile]
-    uses: ./.github/workflows/login-quality.yml
-    permissions:
-      actions: write
-      id-token: write
-    with:
-      ignore-run-cache: ${{ github.event_name == 'workflow_dispatch' || fromJSON(github.run_attempt) > 1 }}
-      node_version: "20"
-    secrets:
-      DEPOT_TOKEN: ${{ secrets.DEPOT_TOKEN }}
-
   container:
     needs: [compile]
     uses: ./.github/workflows/container.yml
@@ -110,7 +98,6 @@ jobs:
 
   login-container:
     uses: ./.github/workflows/login-container.yml
-    if: ${{ github.event_name == 'workflow_dispatch' }}
     permissions:
       packages: write
       id-token: write
@@ -139,7 +126,6 @@ jobs:
         lint,
         container,
         login-container,
-        login-quality,
         e2e,
       ]
     if: ${{ github.event_name == 'workflow_dispatch' }}

.github/workflows/console.yml

@@ -50,7 +50,7 @@ jobs:
           cache-dependency-path: pnpm-lock.yaml
       - if: ${{ steps.cache.outputs.cache-hit != 'true' }}
         name: Install dependencies
-        run: pnpm install
+        run: pnpm install --frozen-lockfile
       - if: ${{ steps.cache.outputs.cache-hit != 'true' }}
         name: Build console with Turbo
         run: pnpm turbo build --filter=./console

.github/workflows/container.yml

@@ -79,7 +79,7 @@ jobs:
           context: .
           cache-from: type=gha
           cache-to: type=gha,mode=max
-          file: build/Dockerfile
+          file: build/zitadel/Dockerfile
           target: artifact
           platforms: linux/${{ matrix.arch }}
           push: true
@@ -94,7 +94,7 @@ jobs:
           context: .
           cache-from: type=gha
           cache-to: type=gha,mode=max
-          file: build/Dockerfile
+          file: build/zitadel/Dockerfile
           target: final
           platforms: linux/${{ matrix.arch }}
           push: true

.github/workflows/lint.yml

@@ -46,22 +46,19 @@ jobs:
         with:
           against: "https://github.com/${{ github.repository }}.git#branch=${{ github.base_ref }}"
 
-  console:
+  turbo-lint-unit:
     if: ${{ github.event_name == 'pull_request' }}
-    name: console
-    runs-on: ubuntu-latest
+    name: turbo-lint-unit
+    runs-on: depot-ubuntu-22.04-8
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v4
+      - name: Run lint and unit tests in dev container
+        uses: devcontainers/ci@v0.3
         with:
-          node-version: ${{ inputs.node_version }}
-          cache: "pnpm"
-          cache-dependency-path: pnpm-lock.yaml
-      - run: pnpm install --filter=console
-      - name: lint
-        run: make console_lint
+          push: never
+          configFile: .devcontainer/turbo-lint-unit/devcontainer.json
+          runCmd: echo "Successfully ran lint and unit tests in dev container postStartCommand"
 
   core:
     name: core

.github/workflows/login-container.yml

@@ -62,10 +62,9 @@ jobs:
           provenance: true
           sbom: true
           targets: login-standalone
-          set: login-*.context=./login/
           project: w47wkxzdtw
           files: |
-            ./login/docker-bake.hcl
-            ./login/docker-bake-release.hcl
+            ./apps/login/docker-bake.hcl
+            ./apps/login/docker-bake-release.hcl
             ./docker-bake.hcl
             cwd://${{ steps.login-meta.outputs.bake-file }}

.github/workflows/login-quality.yml

@@ -1,69 +0,0 @@
-name: Login Quality
-
-on:
-  workflow_call:
-    inputs:
-      ignore-run-cache:
-        description: "Ignore run caches"
-        type: boolean
-        required: true
-      node_version:
-        required: true
-        type: string
-    secrets:
-      DEPOT_TOKEN:
-        required: true
-
-jobs:
-  quality:
-    name: Ensure Quality
-    runs-on: depot-ubuntu-22.04-8
-    timeout-minutes: 30
-    permissions:
-      actions: write
-    env:
-      CACHE_DIR: /tmp/login-run-caches
-    steps:
-      - uses: actions/checkout@v4
-      - uses: depot/setup-action@v1
-      - name: Restore Run Caches
-        uses: actions/cache/restore@v4
-        id: run-caches-restore
-        with:
-          path: ${{ env.CACHE_DIR }}
-          key: ${{ runner.os }}-login-run-caches-${{github.ref_name}}-${{ github.sha }}-${{github.run_attempt}}
-          restore-keys: |
-            ${{ runner.os }}-login-run-caches-${{github.ref_name}}-${{ github.sha }}-
-            ${{ runner.os }}-login-run-caches-${{github.ref_name}}-
-            ${{ runner.os }}-login-run-caches-
-      - uses: actions/download-artifact@v4
-        with:
-          path: .artifacts
-          name: zitadel-linux-amd64
-      - name: Unpack executable
-        run: |
-          tar -xvf .artifacts/zitadel-linux-amd64.tar.gz
-          mv zitadel-linux-amd64/zitadel ./zitadel
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: ${{ inputs.node_version }}
-          cache: "pnpm"
-          cache-dependency-path: pnpm-lock.yaml
-      - name: Install dependencies
-        run: pnpm install
-      - name: Run login quality checks with Turbo
-        run: pnpm turbo test:unit --filter=@zitadel/login
-        env:
-          DEPOT_TOKEN: ${{ secrets.DEPOT_TOKEN }}
-          LOGIN_BAKE_CLI: depot bake
-          DEPOT_PROJECT_ID: w47wkxzdtw
-          IGNORE_RUN_CACHE: ${{ github.event.inputs.ignore-run-cache }}
-          NODE_VERSION: ${{ inputs.node_version }}
-
-      - name: Save Run Caches
-        uses: actions/cache/save@v4
-        with:
-          path: ${{ env.CACHE_DIR }}
-          key: ${{ steps.run-caches-restore.outputs.cache-primary-key }}
-        if: always()

.github/workflows/release.yml

@@ -165,7 +165,7 @@ jobs:
         run: |
           gh workflow -R zitadel/zitadel-charts run bump.yml
 
-  typescript-packages:
+  npm-packages:
     runs-on: ubuntu-latest
     needs: version
     if: ${{ github.ref_name == 'next' }}
@@ -184,7 +184,7 @@ jobs:
 
       - name: Install dependencies
         working-directory: login
-        run: pnpm install
+        run: pnpm install --frozen-lockfile
 
       - name: Create Release Pull Request
         uses: changesets/action@v1
@@ -192,9 +192,10 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           version: ${{ needs.version.outputs.version }}
-          cwd: login
+          cwd: packages
+          createGithubReleases: false
 
-  typescript-repo:
+  login-repo:
     runs-on: ubuntu-latest
     needs: version
     if: ${{ github.ref_name == 'next' }}