TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 14:27:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: use DEPOT_TOKEN secret (#10237)

Browse Source 
# Which Problems Are Solved

Action runs on PRs from forks can't authenticate at depot.

# How the Problems Are Solved

- The GitHub secret DEPOT_TOKEN is statically passed as env variable to
the steps that use the depot CLI, as described
[here](https://github.com/depot/setup-action#authentication).
- Removed the oidc argument from the depot/setup-action, as we pass the
env statically to the relevant steps.
- The `id-token: write` permission is removed from all workflows, as
it's not needed anymore.

# Additional Changes

Removed the obsolete comment
```yaml
# latest if branch is main, otherwise image version which is the pull request number
```

# Additional Context

Required by these approved PRs so their checks can be executed:
- https://github.com/zitadel/zitadel/pull/9982
- https://github.com/zitadel/zitadel/pull/9958
This commit is contained in:
Elio Bischof
2025-07-15 15:40:27 +02:00
committed by GitHub
parent c4e0342c5f
commit ee13d4be7d
4 changed files with 20 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
.github/workflows/build.yml vendored
View File

@@ -19,7 +19,6 @@ permissions:
issues: write issues: write
pull-requests: write pull-requests: write
actions: write actions: write
id-token: write
jobs: jobs:
core: core:
@@ -50,6 +49,8 @@ jobs:
console_cache_path: ${{ needs.console.outputs.cache_path }} console_cache_path: ${{ needs.console.outputs.cache_path }}
version: ${{ needs.version.outputs.version }} version: ${{ needs.version.outputs.version }}
node_version: "20" node_version: "20"
secrets:
DEPOT_TOKEN: ${{ secrets.DEPOT_TOKEN }}
core-unit-test: core-unit-test:
needs: core needs: core
@@ -88,6 +89,8 @@ jobs:
with: with:
ignore-run-cache: ${{ github.event_name == 'workflow_dispatch' || fromJSON(github.run_attempt) > 1 }} ignore-run-cache: ${{ github.event_name == 'workflow_dispatch' || fromJSON(github.run_attempt) > 1 }}
node_version: "20" node_version: "20"
secrets:
DEPOT_TOKEN: ${{ secrets.DEPOT_TOKEN }}
container: container:
needs: [compile] needs: [compile]
@@ -108,6 +111,8 @@ jobs:
with: with:
login_build_image_name: "ghcr.io/zitadel/zitadel-login-build" login_build_image_name: "ghcr.io/zitadel/zitadel-login-build"
node_version: "20" node_version: "20"
secrets:
DEPOT_TOKEN: ${{ secrets.DEPOT_TOKEN }}
e2e: e2e:
uses: ./.github/workflows/e2e.yml uses: ./.github/workflows/e2e.yml

8
.github/workflows/compile.yml vendored
View File

@@ -21,6 +21,10 @@ on:
node_version: node_version:
required: true required: true
type: string type: string
secrets:
DEPOT_TOKEN:
required: true
jobs: jobs:
executable: executable:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@@ -83,12 +87,10 @@ jobs:
uses: actions/checkout@v4 uses: actions/checkout@v4
- -
uses: depot/setup-action@v1 uses: depot/setup-action@v1
with:
oidc: true
- -
run: make login_standalone_out run: make login_standalone_out
env: env:
# latest if branch is main, otherwise image version which is the pull request number DEPOT_TOKEN: ${{ secrets.DEPOT_TOKEN }}
LOGIN_BAKE_CLI: depot bake LOGIN_BAKE_CLI: depot bake
DEPOT_PROJECT_ID: w47wkxzdtw DEPOT_PROJECT_ID: w47wkxzdtw
NODE_VERSION: ${{ inputs.node_version }} NODE_VERSION: ${{ inputs.node_version }}

7
.github/workflows/login-container.yml vendored
View File

@@ -14,6 +14,9 @@ on:
login_build_image: login_build_image:
description: 'The full image tag of the standalone login image' description: 'The full image tag of the standalone login image'
value: '${{ inputs.login_build_image_name }}:${{ github.sha }}' value: '${{ inputs.login_build_image_name }}:${{ github.sha }}'
secrets:
DEPOT_TOKEN:
required: true
permissions: permissions:
packages: write packages: write
@@ -29,13 +32,10 @@ jobs:
name: Build Login Container name: Build Login Container
runs-on: depot-ubuntu-22.04-8 runs-on: depot-ubuntu-22.04-8
permissions: permissions:
id-token: write
packages: write packages: write
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: depot/setup-action@v1 - uses: depot/setup-action@v1
with:
oidc: true
- name: Login meta - name: Login meta
id: login-meta id: login-meta
uses: docker/metadata-action@v5 uses: docker/metadata-action@v5
@@ -55,6 +55,7 @@ jobs:
- name: Bake login multi-arch - name: Bake login multi-arch
uses: depot/bake-action@v1 uses: depot/bake-action@v1
env: env:
DEPOT_TOKEN: ${{ secrets.DEPOT_TOKEN }}
NODE_VERSION: ${{ inputs.node_version }} NODE_VERSION: ${{ inputs.node_version }}
with: with:
push: true push: true

9
.github/workflows/login-quality.yml vendored
View File

@@ -10,21 +10,22 @@ on:
node_version: node_version:
required: true required: true
type: string type: string
secrets:
DEPOT_TOKEN:
required: true
jobs: jobs:
quality: quality:
name: Ensure Quality name: Ensure Quality
runs-on: depot-ubuntu-22.04-8 runs-on: depot-ubuntu-22.04-8
timeout-minutes: 30 timeout-minutes: 30
permissions: permissions:
id-token: write
actions: write actions: write
env: env:
CACHE_DIR: /tmp/login-run-caches CACHE_DIR: /tmp/login-run-caches
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: depot/setup-action@v1 - uses: depot/setup-action@v1
with:
oidc: true
- name: Restore Run Caches - name: Restore Run Caches
uses: actions/cache/restore@v4 uses: actions/cache/restore@v4
id: run-caches-restore id: run-caches-restore
@@ -45,7 +46,7 @@ jobs:
mv zitadel-linux-amd64/zitadel ./zitadel mv zitadel-linux-amd64/zitadel ./zitadel
- run: make login_quality - run: make login_quality
env: env:
# latest if branch is main, otherwise image version which is the pull request number DEPOT_TOKEN: ${{ secrets.DEPOT_TOKEN }}
LOGIN_BAKE_CLI: depot bake LOGIN_BAKE_CLI: depot bake
DEPOT_PROJECT_ID: w47wkxzdtw DEPOT_PROJECT_ID: w47wkxzdtw
IGNORE_RUN_CACHE: ${{ github.event.inputs.ignore-run-cache }} IGNORE_RUN_CACHE: ${{ github.event.inputs.ignore-run-cache }}