ci: doppler secrets#9236

Merged
mscolnick merged 1 commit into
mainfrom
ms/doppler-secrets
Apr 28, 2026
Conversation

@mscolnick

@mscolnick mscolnick commented Apr 16, 2026

Contributor

Migrating secrets to doppler from GH

Copilot AI review requested due to automatic review settings April 16, 2026 20:24
@vercel

vercel Bot commented Apr 16, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| marimo-docs | Ready | Preview, Comment | Apr 28, 2026 5:09pm |

Copilot AI left a comment

Contributor

Pull request overview

Updates GitHub Actions workflows to fetch CI/CD secrets from Doppler using GitHub OIDC instead of repository secrets, primarily to supply Turbo/Codecov/Vercel/App credentials during builds, tests, and releases.

Changes:

  • Add id-token: write permissions and a Doppler OIDC “Fetch secrets” step across multiple workflows.
  • Replace references to secrets.TURBO_TOKEN, secrets.CODECOV_TOKEN, and Vercel/app-key secrets with steps.secrets.outputs.*.
  • Wire fetched tokens into frontend build/lint/typecheck/test steps and Codecov/Vercel/release tagging steps.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 14 comments.

| File | Description |
| --- | --- |
| .github/workflows/test_fe.yaml | Fetch Turbo token from Doppler for FE lint/typecheck/test/build jobs. |
| .github/workflows/test_cli.yaml | Fetch Turbo/Codecov tokens from Doppler for CLI wheel build (frontend build step). |
| .github/workflows/test_be.yaml | Fetch Codecov token from Doppler for coverage uploads on main pushes. |
| .github/workflows/release-tag.yml | Fetch GitHub App private key from Doppler for tag creation workflow. |
| .github/workflows/release-prod.yml | Fetch Turbo/Codecov tokens from Doppler for production release build. |
| .github/workflows/release-marimo-base.yml | Fetch Turbo/Codecov tokens from Doppler for marimo-base release build. |
| .github/workflows/release-dev.yml | Fetch Turbo/Codecov tokens from Doppler for dev release build. |
| .github/workflows/playwright.yml | Fetch Turbo/Codecov tokens from Doppler for Playwright build step. |
| .github/workflows/marimo-bot.yml | Fetch Turbo token from Doppler for bot-triggered test release workflow. |
| .github/workflows/docs.yml | Fetch Vercel credentials from Doppler for docs build/deploy. |
| .github/workflows/cla.yml | Fetch CLA PAT from Doppler for CLA assistant workflow. |
@mscolnick mscolnick force-pushed the ms/doppler-secrets branch 2 times, most recently from 8e99a6d to ce589ae Compare April 28, 2026 16:24
@mscolnick mscolnick added the internal A refactor or improvement that is not user facing label Apr 28, 2026
@mscolnick mscolnick marked this pull request as ready for review April 28, 2026 16:25
@cubic-dev-ai

cubic-dev-ai Bot commented Apr 28, 2026

Contributor

@mscolnick I have started the AI code review. It will take a few minutes to complete.

@cubic-dev-ai cubic-dev-ai Bot left a comment

Contributor

3 issues found across 11 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/test_be.yaml">

<violation number="1" location=".github/workflows/test_be.yaml:14">
P2: `id-token: write` is granted at workflow level, which gives every job OIDC token access. Scope this permission to only the `test_coverage` job that fetches Doppler secrets.</violation>
</file>

<file name=".github/workflows/docs.yml">

<violation number="1" location=".github/workflows/docs.yml:50">
P2: Use `VERCEL_TOKEN` in the step environment instead of passing `--token` on the CLI to reduce token exposure through process arguments.</violation>
</file>

<file name=".github/workflows/playwright.yml">

<violation number="1" location=".github/workflows/playwright.yml:14">
P2: Scope `id-token: write` to the `test` job instead of workflow-wide permissions to avoid granting unnecessary OIDC token minting rights to other jobs.</violation>
</file>
Architecture diagram

```mermaid
sequenceDiagram
    participant GH as GitHub Runner
    participant OIDC as GitHub OIDC Provider
    participant Doppler as Doppler Secret Manager
    participant Tool as Build/Deploy Tools (Vercel/Turbo)

    Note over GH,Tool: CI Workflow execution with Doppler OIDC

    alt NEW: Internal Branch or Main (OIDC Authorized)
        GH->>GH: Set permissions: id-token: write
        GH->>OIDC: Request JWT token for identity
        OIDC-->>GH: Return OIDC JWT

        GH->>Doppler: NEW: Fetch secrets (secrets-fetch-action)
        Note right of GH: Uses DOPPLER_IDENTITY_ID + Project Config
        Doppler->>Doppler: Validate JWT against Identity ID
        Doppler-->>GH: Return environment secrets
        
        GH->>GH: NEW: Map secrets to step outputs
    else NEW: Forked Repository PR
        Note over GH,Doppler: id-token: write is downgraded to 'read'
        GH->>GH: Skip Doppler fetch (if condition)
    end

    GH->>Tool: CHANGED: Execute Build/Deploy
    Note right of Tool: Env vars populated from ${{ steps.secrets.outputs }}

    alt Vercel Deployment
        Tool->>Tool: vercel pull --token=${DOPPLER_VERCEL_TOKEN}
    else Frontend Build
        Tool->>Tool: turbo build --token=${DOPPLER_TURBO_TOKEN}
    else CLA Signature
        Tool->>Tool: contributor-assistant (using PERSONAL_ACCESS_TOKEN)
    end

    Tool-->>GH: Step Result
```

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.

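The Copilot overview above describes the pattern this PR introduces (a job-scoped `id-token: write` permission, a Doppler "Fetch secrets" step exposing values as `steps.secrets.outputs.*`), and the cubic review asks for two hardenings: scoping `id-token: write` to the job that actually talks to Doppler, and passing `VERCEL_TOKEN` through the step environment instead of a `--token` argument. The following workflow is an added illustration of both points together; it is not a file from this PR or from the marimo repository. The action name and its `doppler-identity-id` / `doppler-project` / `doppler-config` inputs are assumptions based on the review diagram (which mentions `secrets-fetch-action` and `DOPPLER_IDENTITY_ID`), the project and config values are placeholders, and the `if:` guard implements the diagram's "skip Doppler fetch on forked PRs" branch.

```yaml
# Added example, not part of the PR: one job that fetches CI secrets from
# Doppler over GitHub OIDC with the two review points applied.
name: docs

on:
  push:
    branches: [main]
  pull_request:

# Workflow-level permissions stay read-only, so jobs that never contact
# Doppler cannot mint an OIDC token at all.
permissions:
  contents: read

jobs:
  deploy-docs:
    runs-on: ubuntu-latest
    # id-token: write is granted only here, on the job that performs the fetch,
    # rather than at workflow level where every job would inherit it.
    permissions:
      contents: read
      id-token: write
    # On pull requests from forks the runner's id-token permission is downgraded
    # to read, so the Doppler step would fail; skip the job in that case.
    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v4

      # Assumed action reference and input names (from the review diagram); the
      # version is a placeholder, pin to a released tag or commit SHA in practice.
      - name: Fetch secrets
        id: secrets
        uses: dopplerhq/secrets-fetch-action@<pinned-version-placeholder>
        with:
          doppler-identity-id: ${{ vars.DOPPLER_IDENTITY_ID }}
          doppler-project: <doppler-project-placeholder>
          doppler-config: <doppler-config-placeholder>

      # The fetched values are step outputs. Hand them to tools via `env`, not
      # `--token=...`: a CLI argument is visible in process listings and in the
      # runner's echoed command, while an environment variable is not.
      - name: Pull Vercel project settings
        env:
          VERCEL_TOKEN: ${{ steps.secrets.outputs.VERCEL_TOKEN }}
        run: vercel pull --yes --environment=production

      # Same pattern for the Turbo remote cache: Turbo reads TURBO_TOKEN and
      # TURBO_TEAM from the environment, so no token appears on the command line.
      - name: Build frontend
        env:
          TURBO_TOKEN: ${{ steps.secrets.outputs.TURBO_TOKEN }}
          TURBO_TEAM: ${{ vars.TURBO_TEAM }}
        run: pnpm turbo build
```

Two checks worth running after such a migration: confirm from the workflow run logs that no job outside `deploy-docs` shows `id-token: write` in its "GITHUB_TOKEN Permissions" block, and confirm that the Doppler step's outputs are masked (they should appear as `***` if they are ever echoed), since a secret that reaches a step through `steps.*.outputs` is only as safe as the masking the fetching action applies.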
@mscolnick mscolnick force-pushed the ms/doppler-secrets branch from ce589ae to 93e6f35 Compare April 28, 2026 17:08
@mscolnick mscolnick merged commit 66df270 into main Apr 28, 2026
37 of 39 checks passed
@mscolnick mscolnick deleted the ms/doppler-secrets branch April 28, 2026 19:18
@github-actions

Contributor

🚀 Development release published. You may be able to view the changes at https://marimo.app?v=0.23.5-dev2

Labels

internal A refactor or improvement that is not user facing

2 participants