chore: use DEPOT_TOKEN secret (#10237)

# Which Problems Are Solved

Action runs on PRs from forks can't authenticate with depot.

# How the Problems Are Solved

- The GitHub secret DEPOT_TOKEN is statically passed as env variable to
the steps that use the depot CLI, as described
[here](https://github.com/depot/setup-action#authentication).
- Removed the oidc argument from the depot/setup-action, as we pass the
env statically to the relevant steps.
- The `id-token: write` permission is removed from all workflows, as
it's not needed anymore.

# Additional Changes

Removed the obsolete comment
```yaml
# latest if branch is main, otherwise image version which is the pull request number
```

# Additional Context

Required by these approved PRs so their checks can be executed:
- https://github.com/zitadel/zitadel/pull/9982
- https://github.com/zitadel/zitadel/pull/9958
Elio Bischof
2025-07-15 15:40:27 +02:00
committed by GitHub
parent c4e0342c5f
commit ee13d4be7d
4 changed files with 20 additions and 11 deletions


@@ -19,7 +19,6 @@ permissions:
issues: write
pull-requests: write
actions: write
id-token: write
jobs:
core:
@@ -50,6 +49,8 @@ jobs:
console_cache_path: ${{ needs.console.outputs.cache_path }}
version: ${{ needs.version.outputs.version }}
node_version: "20"
secrets:
DEPOT_TOKEN: ${{ secrets.DEPOT_TOKEN }}
core-unit-test:
needs: core
@@ -88,6 +89,8 @@ jobs:
with:
ignore-run-cache: ${{ github.event_name == 'workflow_dispatch' || fromJSON(github.run_attempt) > 1 }}
node_version: "20"
secrets:
DEPOT_TOKEN: ${{ secrets.DEPOT_TOKEN }}
container:
needs: [compile]
@@ -108,6 +111,8 @@ jobs:
with:
login_build_image_name: "ghcr.io/zitadel/zitadel-login-build"
node_version: "20"
secrets:
DEPOT_TOKEN: ${{ secrets.DEPOT_TOKEN }}
e2e:
uses: ./.github/workflows/e2e.yml
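Review bot: The `secrets:` blocks added at L50–51, L58–59 and L66–67 forward `secrets.DEPOT_TOKEN` to the reusable workflows, but whether that value reaches runs from fork PRs depends on the caller's trigger, which is outside these hunks: on `pull_request` events from forks GitHub exposes no repository secrets, so the forwarded value would presumably arrive empty and depot would still fail to authenticate. Confirm the event type this workflow runs on; if it is `pull_request_target` and the PR head is checked out, the forwarded token is reachable by that code, which is why the explicit per-secret passing used here is preferable to `secrets: inherit`. Either way the explicit form is the right least-privilege choice and should be kept.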


@@ -21,6 +21,10 @@ on:
node_version:
required: true
type: string
secrets:
DEPOT_TOKEN:
required: true
jobs:
executable:
runs-on: ubuntu-latest
@@ -83,12 +87,10 @@ jobs:
uses: actions/checkout@v4
-
uses: depot/setup-action@v1
with:
oidc: true
-
run: make login_standalone_out
env:
# latest if branch is main, otherwise image version which is the pull request number
DEPOT_TOKEN: ${{ secrets.DEPOT_TOKEN }}
LOGIN_BAKE_CLI: depot bake
DEPOT_PROJECT_ID: w47wkxzdtw
NODE_VERSION: ${{ inputs.node_version }}
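Review bot: The `depot/setup-action@v1` step at L86 loses its `with: oidc: true` block, leaving a bare step whose remaining role (installing the depot CLI that `LOGIN_BAKE_CLI: depot bake` invokes) is no longer obvious, and the comment removed at L92 is not replaced by anything. Suggest a comment on the step, `# installs the depot CLI only; auth is the step-scoped DEPOT_TOKEN env below`, and one on the new env entry at L93, `# read by the depot CLI; kept at step scope so other steps cannot see it`. The same comments apply to the setup-action steps at L117 and L153 and the env entry at L164. A step-level env is still visible to everything `make login_standalone_out` runs, which is fine as long as the checked-out code is trusted for the triggering event.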


@@ -14,6 +14,9 @@ on:
login_build_image:
description: 'The full image tag of the standalone login image'
value: '${{ inputs.login_build_image_name }}:${{ github.sha }}'
secrets:
DEPOT_TOKEN:
required: true
permissions:
packages: write
@@ -29,13 +32,10 @@ jobs:
name: Build Login Container
runs-on: depot-ubuntu-22.04-8
permissions:
id-token: write
packages: write
steps:
- uses: actions/checkout@v4
- uses: depot/setup-action@v1
with:
oidc: true
- name: Login meta
id: login-meta
uses: docker/metadata-action@v5
@@ -55,6 +55,7 @@ jobs:
- name: Bake login multi-arch
uses: depot/bake-action@v1
env:
DEPOT_TOKEN: ${{ secrets.DEPOT_TOKEN }}
NODE_VERSION: ${{ inputs.node_version }}
with:
push: true


@@ -10,21 +10,22 @@ on:
node_version:
required: true
type: string
secrets:
DEPOT_TOKEN:
required: true
jobs:
quality:
name: Ensure Quality
runs-on: depot-ubuntu-22.04-8
timeout-minutes: 30
permissions:
id-token: write
actions: write
env:
CACHE_DIR: /tmp/login-run-caches
steps:
- uses: actions/checkout@v4
- uses: depot/setup-action@v1
with:
oidc: true
- name: Restore Run Caches
uses: actions/cache/restore@v4
id: run-caches-restore
@@ -45,7 +46,7 @@ jobs:
mv zitadel-linux-amd64/zitadel ./zitadel
- run: make login_quality
env:
# latest if branch is main, otherwise image version which is the pull request number
DEPOT_TOKEN: ${{ secrets.DEPOT_TOKEN }}
LOGIN_BAKE_CLI: depot bake
DEPOT_PROJECT_ID: w47wkxzdtw
IGNORE_RUN_CACHE: ${{ github.event.inputs.ignore-run-cache }}
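Review bot: It is not clear from this hunk that `id-token: write` at L147 is actually removed: the header `@@ -10,21 +10,22 @@` with three added lines (`secrets:`, `DEPOT_TOKEN:`, `required: true`) leaves room for only two deletions, which the dropped `with:` / `oidc: true` at L154–155 already account for, while the description states the permission is removed from all workflows. If it survives, drop it: no step in this job requests an OIDC token once `oidc: true` is gone, so the grant is pure excess. The rendered page has lost the `+`/`-` markers, so this is inferred from the counts and worth checking against the raw diff.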