From ee13d4be7dfd91c57df594aa3abcb8583abaeeb3 Mon Sep 17 00:00:00 2001
From: Elio Bischof
Date: Tue, 15 Jul 2025 15:40:27 +0200
Subject: [PATCH] chore: use DEPOT_TOKEN secret (#10237)

# Which Problems Are Solved
Action runs on PRs from forks can't authenticate at depot.
# How the Problems Are Solved
- The GitHub secret DEPOT_TOKEN is statically passed as env variable to the steps that use the depot CLI, as described [here](https://github.com/depot/setup-action#authentication).
- Removed the oidc argument from the depot/setup-action, as we pass the env statically to the relevant steps.
- The `id-token: write` permission is removed from all workflows, as it's not needed anymore.
# Additional Changes
Removed the obsolete comment
```yaml
# latest if branch is main, otherwise image version which is the pull request number
```
# Additional Context
Required by these approved PRs so their checks can be executed:
- https://github.com/zitadel/zitadel/pull/9982
- https://github.com/zitadel/zitadel/pull/9958
---
 .github/workflows/build.yml | 7 ++++++-
 .github/workflows/compile.yml | 8 +++++---
 .github/workflows/login-container.yml | 7 ++++---
 .github/workflows/login-quality.yml | 9 +++++----
 4 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 81f3104065..52551daa25 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -19,7 +19,6 @@ permissions:
 issues: write
 pull-requests: write
 actions: write
- id-token: write
 
 jobs:
 core:
@@ -50,6 +49,8 @@ jobs:
 console_cache_path: ${{ needs.console.outputs.cache_path }}
 version: ${{ needs.version.outputs.version }}
 node_version: "20"
+ secrets:
+ DEPOT_TOKEN: ${{ secrets.DEPOT_TOKEN }}
 
 core-unit-test:
 needs: core
@@ -88,6 +89,8 @@ jobs:
 with:
 ignore-run-cache: ${{ github.event_name == 'workflow_dispatch' || fromJSON(github.run_attempt) > 1 }}
 node_version: "20"
+ secrets:
+ DEPOT_TOKEN: ${{ secrets.DEPOT_TOKEN }}
 
 container:
 needs: [compile]
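Review bot: Forwarding `secrets.DEPOT_TOKEN` to the reusable workflows does not by itself reach the stated goal of builds on pull requests from forks, because GitHub does not expose repository secrets to `pull_request` runs from forks; the triggers are outside these hunks, so how fork PR runs are expected to behave should be confirmed. If they are meant to build without a token, the depot steps will see an empty value and that outcome should be recorded next to the new `secrets:` block in build.yml, e.g. `# DEPOT_TOKEN is empty on pull_request runs from forks; depot steps cannot authenticate there`. The same consideration applies to the `secrets:` declarations added in compile.yml, login-container.yml and login-quality.yml.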
@@ -108,6 +111,8 @@ jobs:
 with:
 login_build_image_name: "ghcr.io/zitadel/zitadel-login-build"
 node_version: "20"
+ secrets:
+ DEPOT_TOKEN: ${{ secrets.DEPOT_TOKEN }}
 
 e2e:
 uses: ./.github/workflows/e2e.yml
diff --git a/.github/workflows/compile.yml b/.github/workflows/compile.yml
index 7b64427a18..d171403028 100644
--- a/.github/workflows/compile.yml
+++ b/.github/workflows/compile.yml
@@ -21,6 +21,10 @@ on:
 node_version:
 required: true
 type: string
+ secrets:
+ DEPOT_TOKEN:
+ required: true
+
 jobs:
 executable:
 runs-on: ubuntu-latest
@@ -83,12 +87,10 @@ jobs:
 uses: actions/checkout@v4
 - uses: depot/setup-action@v1
- with:
- oidc: true
 - run: make login_standalone_out
 env:
- # latest if branch is main, otherwise image version which is the pull request number
+ DEPOT_TOKEN: ${{ secrets.DEPOT_TOKEN }}
 LOGIN_BAKE_CLI: depot bake
 DEPOT_PROJECT_ID: w47wkxzdtw
 NODE_VERSION: ${{ inputs.node_version }}
diff --git a/.github/workflows/login-container.yml b/.github/workflows/login-container.yml
index 5cc841bff4..958e0a8f5b 100644
--- a/.github/workflows/login-container.yml
+++ b/.github/workflows/login-container.yml
@@ -14,6 +14,9 @@ on:
 login_build_image:
 description: 'The full image tag of the standalone login image'
 value: '${{ inputs.login_build_image_name }}:${{ github.sha }}'
+ secrets:
+ DEPOT_TOKEN:
+ required: true
 
 permissions:
 packages: write
@@ -29,13 +32,10 @@ jobs:
 name: Build Login Container
 runs-on: depot-ubuntu-22.04-8
 permissions:
- id-token: write
 packages: write
 steps:
 - uses: actions/checkout@v4
 - uses: depot/setup-action@v1
- with:
- oidc: true
 - name: Login meta
 id: login-meta
 uses: docker/metadata-action@v5
@@ -55,6 +55,7 @@ jobs:
 - name: Bake login multi-arch
 uses: depot/bake-action@v1
 env:
+ DEPOT_TOKEN: ${{ secrets.DEPOT_TOKEN }}
 NODE_VERSION: ${{ inputs.node_version }}
 with:
 push: true
diff --git a/.github/workflows/login-quality.yml b/.github/workflows/login-quality.yml
index 0b4fea73f4..f8e45794e5 100644
--- a/.github/workflows/login-quality.yml
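Review bot: The new `secrets.DEPOT_TOKEN` declaration in compile.yml (and the matching ones in login-container.yml and login-quality.yml) carries no `description`, although the change replaces a short-lived OIDC exchange with a long-lived static token, which is exactly the context a maintainer needs when rotating it or narrowing its scope. `workflow_call` secrets accept one, e.g. `description: 'Depot API token used by depot bake in place of the OIDC exchange'`. The `depot/setup-action@v1` step is kept while its `oidc: true` input is dropped, so a short comment on that step, `# CLI install only; auth comes from DEPOT_TOKEN in the step env`, would stop the next reader from re-adding the OIDC input.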
+++ b/.github/workflows/login-quality.yml
@@ -10,21 +10,22 @@ on:
 node_version:
 required: true
 type: string
+ secrets:
+ DEPOT_TOKEN:
+ required: true
+
 jobs:
 quality:
 name: Ensure Quality
 runs-on: depot-ubuntu-22.04-8
 timeout-minutes: 30
 permissions:
- id-token: write
 actions: write
 env:
 CACHE_DIR: /tmp/login-run-caches
 steps:
 - uses: actions/checkout@v4
 - uses: depot/setup-action@v1
- with:
- oidc: true
 - name: Restore Run Caches
 uses: actions/cache/restore@v4
 id: run-caches-restore
@@ -45,7 +46,7 @@ jobs:
 mv zitadel-linux-amd64/zitadel ./zitadel
 - run: make login_quality
 env:
- # latest if branch is main, otherwise image version which is the pull request number
+ DEPOT_TOKEN: ${{ secrets.DEPOT_TOKEN }}
 LOGIN_BAKE_CLI: depot bake
 DEPOT_PROJECT_ID: w47wkxzdtw
 IGNORE_RUN_CACHE: ${{ github.event.inputs.ignore-run-cache }}
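Review bot: `DEPOT_TOKEN` is placed in the `env` of the whole `run: make login_quality` step, so every process that `make` spawns inherits it, not only the `depot bake` invocation selected through `LOGIN_BAKE_CLI`; compile.yml's `make login_standalone_out` step has the same shape. GitHub masks the registered secret value in job logs, but any target or script under those make entry points that dumps its environment or writes it to an artifact would still expose the token, so those targets deserve a check before this lands. A one-line comment on the new line, `# DEPOT_TOKEN: consumed by the depot CLI invoked via LOGIN_BAKE_CLI`, would record why a step-wide env was chosen.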