chore: reproducible pipeline with dev containers (#10305)

# Which Problems Are Solved

- The previous monorepo in monorepo structure for the login app and its
related packages was fragmented, complicated and buggy.
- The process for building and testing the login container was
inconsistent between local development and CI.
- Lack of clear documentation as well as easy and reliable ways for
non-frontend developers to reproduce and fix failing PR checks locally.

# How the Problems Are Solved

- Consolidated the login app and its related npm packages by moving the
main package to `apps/login/apps/login` and merging
`apps/login/packages/integration` and `apps/login/packages/acceptance`
into the main `apps/login` package.
- Migrated from Docker Compose-based test setups to dev container-based
setups, adding support for multiple dev container configurations:
  - `.devcontainer/base`
  - `.devcontainer/turbo-lint-unit`
  - `.devcontainer/turbo-lint-unit-debug`
  - `.devcontainer/login-integration`
  - `.devcontainer/login-integration-debug`
- Added npm scripts to run the new dev container setups, enabling exact
reproduction of GitHub PR checks locally, and updated the pipeline to
use these containers.
- Cleaned up Dockerfiles and docker-bake.hcl files to only build the
production image for the login app.
- Cleaned up compose files to focus on dev environments in dev
containers.
- Updated `CONTRIBUTING.md` with guidance on running and debugging PR
checks locally using the new dev container approach.
- Introduced separate Dockerfiles for the login app to distinguish
between using published client packages and building clients from local
protos.
- Ensured the login container is always built in the pipeline for use in
integration and acceptance tests.
- Updated Makefile and GitHub Actions workflows to use
`--frozen-lockfile` for installing pnpm packages, ensuring reproducible
installs.
- Disabled GitHub release creation by the changeset action.
- Refactored the `/build` directory structure for clarity and
maintainability.
- Added a `clean` command to `docks/package.json`.
- Experimentally added `knip` to the `zitadel-client` package for
improved linting of dependencies and exports.

# Additional Changes

- Fixed Makefile commands for consistency and reliability.
- Improved the structure and clarity of the `/build` directory to
support seamless integration of the login build.
- Enhanced documentation and developer experience for running and
debugging CI checks locally.

# Additional Context

- See updated `CONTRIBUTING.md` for new local development and debugging
instructions.
- These changes are a prerequisite for further improvements to the CI
pipeline and local development workflow.
- Closes #10276

packages/zitadel-client/src/helpers.ts

@@ -0,0 +1,11 @@
+import type { DescService } from "@bufbuild/protobuf";
+import { Timestamp, timestampDate } from "@bufbuild/protobuf/wkt";
+import { createClient, Transport } from "@connectrpc/connect";
+
+export function createClientFor<TService extends DescService>(service: TService) {
+  return (transport: Transport) => createClient(service, transport);
+}
+
+export function toDate(timestamp: Timestamp | undefined): Date | undefined {
+  return timestamp ? timestampDate(timestamp) : undefined;
+}

packages/zitadel-client/src/index.ts

@@ -0,0 +1,10 @@
+export { createClientFor, toDate } from "./helpers.js";
+export { NewAuthorizationBearerInterceptor } from "./interceptors.js";
+
+// TODO: Move this to `./protobuf.ts` and export it from there
+export { create, fromJson, toJson } from "@bufbuild/protobuf";
+export type { JsonObject } from "@bufbuild/protobuf";
+export type { GenService } from "@bufbuild/protobuf/codegenv1";
+export { TimestampSchema, timestampDate, timestampFromDate, timestampFromMs, timestampMs } from "@bufbuild/protobuf/wkt";
+export type { Duration, Timestamp } from "@bufbuild/protobuf/wkt";
+export type { Client, Code, ConnectError } from "@connectrpc/connect";

packages/zitadel-client/src/interceptors.test.ts

@@ -0,0 +1,67 @@
+import { Int32Value } from "@bufbuild/protobuf/wkt";
+import { compileService } from "@bufbuild/protocompile";
+import { createRouterTransport, HandlerContext } from "@connectrpc/connect";
+import { describe, expect, test, vitest } from "vitest";
+import { NewAuthorizationBearerInterceptor } from "./interceptors.js";
+
+const TestService = compileService(`
+  syntax = "proto3";
+  package handwritten;
+  service TestService {
+    rpc Unary(Int32Value) returns (StringValue);
+  }
+  message Int32Value {
+    int32 value = 1;
+  }
+  message StringValue {
+    string value = 1;
+  }
+`);
+
+describe("NewAuthorizationBearerInterceptor", () => {
+  const transport = {
+    interceptors: [NewAuthorizationBearerInterceptor("mytoken")],
+  };
+
+  test("injects the authorization token", async () => {
+    const handler = vitest.fn((request: Int32Value, _context: HandlerContext) => {
+      return { value: request.value.toString() };
+    });
+
+    const service = createRouterTransport(
+      ({ rpc }) => {
+        rpc(TestService.method.unary, handler);
+      },
+      { transport },
+    );
+
+    await service.unary(TestService.method.unary, undefined, undefined, {}, { value: 9001 });
+
+    expect(handler).toBeCalled();
+    expect(handler.mock.calls[0][1].requestHeader.get("Authorization")).toBe("Bearer mytoken");
+  });
+
+  test("do not overwrite the previous authorization token", async () => {
+    const handler = vitest.fn((request: Int32Value, _context: HandlerContext) => {
+      return { value: request.value.toString() };
+    });
+
+    const service = createRouterTransport(
+      ({ rpc }) => {
+        rpc(TestService.method.unary, handler);
+      },
+      { transport },
+    );
+
+    await service.unary(
+      TestService.method.unary,
+      undefined,
+      undefined,
+      { Authorization: "Bearer somethingelse" },
+      { value: 9001 },
+    );
+
+    expect(handler).toBeCalled();
+    expect(handler.mock.calls[0][1].requestHeader.get("Authorization")).toBe("Bearer somethingelse");
+  });
+});

packages/zitadel-client/src/interceptors.ts

@@ -0,0 +1,16 @@
+import type { Interceptor } from "@connectrpc/connect";
+
+/**
+ * Creates an interceptor that adds an Authorization header with a Bearer token.
+ * @param token
+ */
+export function NewAuthorizationBearerInterceptor(token: string): Interceptor {
+  return (next) => (req) => {
+    // TODO: I am not what is the intent of checking for the Authorization header
+    //  and setting it if it is not present.
+    if (!req.header.get("Authorization")) {
+      req.header.set("Authorization", `Bearer ${token}`);
+    }
+    return next(req);
+  };
+}

packages/zitadel-client/src/node.ts

@@ -0,0 +1,36 @@
+import { createGrpcTransport, GrpcTransportOptions } from "@connectrpc/connect-node";
+import { importPKCS8, SignJWT } from "jose";
+import { NewAuthorizationBearerInterceptor } from "./interceptors.js";
+
+/**
+ * Create a server transport using grpc with the given token and configuration options.
+ * @param token
+ * @param opts
+ */
+export function createServerTransport(token: string, opts: GrpcTransportOptions) {
+  return createGrpcTransport({
+    ...opts,
+    interceptors: [...(opts.interceptors || []), NewAuthorizationBearerInterceptor(token)],
+  });
+}
+
+export async function newSystemToken({
+  audience,
+  subject,
+  key,
+  expirationTime,
+}: {
+  audience: string;
+  subject: string;
+  key: string;
+  expirationTime?: number | string | Date;
+}) {
+  return await new SignJWT({})
+    .setProtectedHeader({ alg: "RS256" })
+    .setIssuedAt()
+    .setExpirationTime(expirationTime ?? "1h")
+    .setIssuer(subject)
+    .setSubject(subject)
+    .setAudience(audience)
+    .sign(await importPKCS8(key, "RS256"));
+}

packages/zitadel-client/src/v1.ts

@@ -0,0 +1,11 @@
+import { createClientFor } from "./helpers.js";
+
+import { AdminService } from "@zitadel/proto/zitadel/admin_pb.js";
+import { AuthService } from "@zitadel/proto/zitadel/auth_pb.js";
+import { ManagementService } from "@zitadel/proto/zitadel/management_pb.js";
+import { SystemService } from "@zitadel/proto/zitadel/system_pb.js";
+
+export const createAdminServiceClient = createClientFor(AdminService);
+export const createAuthServiceClient = createClientFor(AuthService);
+export const createManagementServiceClient = createClientFor(ManagementService);
+export const createSystemServiceClient = createClientFor(SystemService);

packages/zitadel-client/src/v2.ts

@@ -0,0 +1,27 @@
+import { create } from "@bufbuild/protobuf";
+import { FeatureService } from "@zitadel/proto/zitadel/feature/v2/feature_service_pb.js";
+import { IdentityProviderService } from "@zitadel/proto/zitadel/idp/v2/idp_service_pb.js";
+import { RequestContextSchema } from "@zitadel/proto/zitadel/object/v2/object_pb.js";
+import { OIDCService } from "@zitadel/proto/zitadel/oidc/v2/oidc_service_pb.js";
+import { OrganizationService } from "@zitadel/proto/zitadel/org/v2/org_service_pb.js";
+import { SAMLService } from "@zitadel/proto/zitadel/saml/v2/saml_service_pb.js";
+import { SessionService } from "@zitadel/proto/zitadel/session/v2/session_service_pb.js";
+import { SettingsService } from "@zitadel/proto/zitadel/settings/v2/settings_service_pb.js";
+import { UserService } from "@zitadel/proto/zitadel/user/v2/user_service_pb.js";
+
+import { createClientFor } from "./helpers.js";
+
+export const createUserServiceClient = createClientFor(UserService);
+export const createSettingsServiceClient = createClientFor(SettingsService);
+export const createSessionServiceClient = createClientFor(SessionService);
+export const createOIDCServiceClient = createClientFor(OIDCService);
+export const createSAMLServiceClient = createClientFor(SAMLService);
+export const createOrganizationServiceClient = createClientFor(OrganizationService);
+export const createFeatureServiceClient = createClientFor(FeatureService);
+export const createIdpServiceClient = createClientFor(IdentityProviderService);
+
+export function makeReqCtx(orgId: string | undefined) {
+  return create(RequestContextSchema, {
+    resourceOwner: orgId ? { case: "orgId", value: orgId } : { case: "instance", value: true },
+  });
+}

packages/zitadel-client/src/v3alpha.ts

@@ -0,0 +1,6 @@
+import { ZITADELUsers } from "@zitadel/proto/zitadel/resources/user/v3alpha/user_service_pb.js";
+import { ZITADELUserSchemas } from "@zitadel/proto/zitadel/resources/userschema/v3alpha/user_schema_service_pb.js";
+import { createClientFor } from "./helpers.js";
+
+export const createUserSchemaServiceClient = createClientFor(ZITADELUserSchemas);
+export const createUserServiceClient = createClientFor(ZITADELUsers);

packages/zitadel-client/src/web.ts

@@ -0,0 +1,15 @@
+import { GrpcTransportOptions } from "@connectrpc/connect-node";
+import { createGrpcWebTransport } from "@connectrpc/connect-web";
+import { NewAuthorizationBearerInterceptor } from "./interceptors.js";
+
+/**
+ * Create a client transport using grpc web with the given token and configuration options.
+ * @param token
+ * @param opts
+ */
+export function createClientTransport(token: string, opts: GrpcTransportOptions) {
+  return createGrpcWebTransport({
+    ...opts,
+    interceptors: [...(opts.interceptors || []), NewAuthorizationBearerInterceptor(token)],
+  });
+}