ci: doppler secrets #9236
Pull request overview
Updates GitHub Actions workflows to fetch CI/CD secrets from Doppler using GitHub OIDC instead of repository `secrets.*`, primarily to supply Turbo/Codecov/Vercel/App credentials during builds, tests, and releases.
Changes:
- Add `id-token: write` permissions and a Doppler OIDC “Fetch secrets” step across multiple workflows.
- Replace references to `secrets.TURBO_TOKEN`, `secrets.CODECOV_TOKEN`, and Vercel/app-key secrets with `steps.secrets.outputs.*`.
- Wire fetched tokens into frontend build/lint/typecheck/test steps and Codecov/Vercel/release tagging steps.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 14 comments.
| File | Description |
|---|---|
| .github/workflows/test_fe.yaml | Fetch Turbo token from Doppler for FE lint/typecheck/test/build jobs. |
| .github/workflows/test_cli.yaml | Fetch Turbo/Codecov tokens from Doppler for CLI wheel build (frontend build step). |
| .github/workflows/test_be.yaml | Fetch Codecov token from Doppler for coverage uploads on main pushes. |
| .github/workflows/release-tag.yml | Fetch GitHub App private key from Doppler for tag creation workflow. |
| .github/workflows/release-prod.yml | Fetch Turbo/Codecov tokens from Doppler for production release build. |
| .github/workflows/release-marimo-base.yml | Fetch Turbo/Codecov tokens from Doppler for marimo-base release build. |
| .github/workflows/release-dev.yml | Fetch Turbo/Codecov tokens from Doppler for dev release build. |
| .github/workflows/playwright.yml | Fetch Turbo/Codecov tokens from Doppler for Playwright build step. |
| .github/workflows/marimo-bot.yml | Fetch Turbo token from Doppler for bot-triggered test release workflow. |
| .github/workflows/docs.yml | Fetch Vercel credentials from Doppler for docs build/deploy. |
| .github/workflows/cla.yml | Fetch CLA PAT from Doppler for CLA assistant workflow. |
Force-pushed from 8e99a6d to ce589ae
@mscolnick I have started the AI code review. It will take a few minutes to complete.
3 issues found across 11 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/test_be.yaml">
<violation number="1" location=".github/workflows/test_be.yaml:14">
P2: `id-token: write` is granted at workflow level, which gives every job OIDC token access. Scope this permission to only the `test_coverage` job that fetches Doppler secrets.</violation>
</file>
<file name=".github/workflows/docs.yml">
<violation number="1" location=".github/workflows/docs.yml:50">
P2: Use `VERCEL_TOKEN` in the step environment instead of passing `--token` on the CLI to reduce token exposure through process arguments.</violation>
</file>
<file name=".github/workflows/playwright.yml">
<violation number="1" location=".github/workflows/playwright.yml:14">
P2: Scope `id-token: write` to the `test` job instead of workflow-wide permissions to avoid granting unnecessary OIDC token minting rights to other jobs.</violation>
</file>
Architecture diagram

```mermaid
sequenceDiagram
    participant GH as GitHub Runner
    participant OIDC as GitHub OIDC Provider
    participant Doppler as Doppler Secret Manager
    participant Tool as Build/Deploy Tools (Vercel/Turbo)
    Note over GH,Tool: CI Workflow execution with Doppler OIDC
    alt NEW: Internal Branch or Main (OIDC Authorized)
        GH->>GH: Set permissions: id-token: write
        GH->>OIDC: Request JWT token for identity
        OIDC-->>GH: Return OIDC JWT
        GH->>Doppler: NEW: Fetch secrets (secrets-fetch-action)
        Note right of GH: Uses DOPPLER_IDENTITY_ID + Project Config
        Doppler->>Doppler: Validate JWT against Identity ID
        Doppler-->>GH: Return environment secrets
        GH->>GH: NEW: Map secrets to step outputs
    else NEW: Forked Repository PR
        Note over GH,Doppler: id-token: write is downgraded to 'read'
        GH->>GH: Skip Doppler fetch (if condition)
    end
    GH->>Tool: CHANGED: Execute Build/Deploy
    Note right of Tool: Env vars populated from ${{ steps.secrets.outputs }}
    alt Vercel Deployment
        Tool->>Tool: vercel pull --token=${DOPPLER_VERCEL_TOKEN}
    else Frontend Build
        Tool->>Tool: turbo build --token=${DOPPLER_TURBO_TOKEN}
    else CLA Signature
        Tool->>Tool: contributor-assistant (using PERSONAL_ACCESS_TOKEN)
    end
    Tool-->>GH: Step Result
```
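The three P2 findings above (job-scoped `id-token: write`, a guard for fork PRs where the token is downgraded to read, and a token delivered through the step environment rather than `--token`) fit together in one workflow. The following is an added example, not code from this PR or from the marimo repository: the workflow name, the job and step names, the Doppler project/config values and the `DOPPLER_IDENTITY_ID` secret are assumptions, and the `secrets-fetch-action` input names are assumed from the diagram's description (identity id plus project and config) rather than taken from the PR, so confirm them against the action's README before copying.

```yaml
name: docs (example)

on:
  push:
    branches: [main]
  pull_request:

# Workflow-level default: read-only, no OIDC minting. Only the job that
# actually talks to Doppler opts in to id-token: write below.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    # Deliberately no id-token permission: this job never needs an OIDC token.
    steps:
      - uses: actions/checkout@v4
      - run: make lint   # assumed target

  deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # scoped to this job only, not the whole workflow
    steps:
      - uses: actions/checkout@v4

      # Pull requests from forks run with id-token downgraded to read, so the
      # fetch would fail; skip it there and let the later step skip too.
      - name: Fetch secrets
        id: secrets
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
        uses: dopplerhq/secrets-fetch-action@v1.3.0
        with:
          # Input names assumed (see lead-in); the identity id is not itself a
          # secret, it only names the Doppler identity that trusts this repo's
          # OIDC issuer/subject.
          doppler-identity-id: ${{ secrets.DOPPLER_IDENTITY_ID }}
          doppler-project: marimo-docs   # assumed project name
          doppler-config: ci             # assumed config name

      # Flagged form (docs.yml:50 finding): the token lands in argv, where it is
      # visible in process listings and in anything that logs the command line.
      #   run: vercel pull --yes --token=${{ steps.secrets.outputs.VERCEL_TOKEN }}
      #
      # Hardened form: the Vercel CLI reads VERCEL_TOKEN from the environment,
      # so the value never appears on the command line.
      - name: Pull Vercel project settings
        if: steps.secrets.outcome == 'success'
        env:
          VERCEL_TOKEN: ${{ steps.secrets.outputs.VERCEL_TOKEN }}
        run: vercel pull --yes --environment=production
```

`steps.secrets.outcome` is `skipped` when the `if:` guard fires, so the `deploy` job still completes on fork PRs without ever attempting a privileged step; the same `outcome` check is what lets the Turbo and Codecov steps in the PR fall back to running without a remote-cache or upload token.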
Force-pushed from ce589ae to 93e6f35
🚀 Development release published. You may be able to view the changes at https://marimo.app?v=0.23.5-dev2
Migrating secrets to Doppler from GH