
feat: Replace Zitadel with Logto as OIDC identity provider #146

Workflow file for this run

name: CI

# Triggers: every pull request, plus pushes to main and to any tag.
on:  # yamllint disable-line rule:truthy
  pull_request:
  push:
    branches:
      - main
    tags:
      - '*'

# One in-flight run per workflow and ref. Only superseded pull-request runs are
# cancelled; push and tag runs are never cancelled mid-flight.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

# NOTE(review): third-party actions in this file are pinned to major-version
# tags (e.g. @v5). Pinning to full commit SHAs makes the action supply chain
# immutable; Dependabot/Renovate can keep SHA pins current.
jobs:
# ============================================
# LAYER 1: PARALLEL CI JOBS
# ============================================
format:
  # Layer 1: formatting check; a non-zero exit from `format:check` fails the job.
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v5
    - uses: ./.github/actions/setup-bun
    - run: bun run format:check
lint:
  # Layer 1: lint. `svelte-kit sync` runs first so generated SvelteKit files
  # exist before the linter is invoked.
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v5
    - uses: ./.github/actions/setup-bun
    - run: bunx svelte-kit sync
    - run: bun run lint
test:
  # Layer 1: unit tests, after the same SvelteKit sync step the lint job uses.
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v5
    - uses: ./.github/actions/setup-bun
    - run: bunx svelte-kit sync
    - run: bun run test
i18n:
  # Layer 1: translation checks. Both scripts must pass; the second only runs
  # if the first succeeded.
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v5
    - uses: ./.github/actions/setup-bun
    - run: bun run i18n:check
    - run: bun run i18n:validate
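security:
  # Layer 1: Trivy filesystem scan of the checkout. Fails the job on any
  # CRITICAL/HIGH finding that has a fix available (`ignore-unfixed: true`
  # drops findings with no upstream fix). Suppressions live in .trivyignore.
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v5
    - uses: ./.github/actions/setup-bun
    - uses: aquasecurity/trivy-action@v0.35.0
      with:
        scan-type: 'fs'
        scan-ref: '.'
        # Quoted to match the image-scan steps in the docker-build jobs.
        exit-code: '1'
        format: 'table'
        ignore-unfixed: true
        vuln-type: 'os,library'
        severity: 'CRITICAL,HIGH'
        trivyignores: .trivyignore
        version: 'v0.69.3'
        # Pull requests run only the vuln and license scanners; secret and
        # misconfig scanners are added on push.
        # NOTE(review): this means a committed credential is first detected
        # after merge — consider enabling `secret` pre-merge if run time allows.
        scanners: ${{ github.event_name == 'pull_request' && 'vuln,license' || 'vuln,secret,misconfig,license' }}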
typecheck:
  # Layer 1: `bun run check`. The four generate steps before it produce the
  # SvelteKit, Prisma, Paraglide and Houdini artifacts the checker needs;
  # keep them identical to the generate steps in the build job.
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v5
    - uses: ./.github/actions/setup-bun
    - run: bunx svelte-kit sync
    - run: bunx prisma generate
    - run: bunx @inlang/paraglide-js compile --project ./project.inlang --outdir ./src/lib/paraglide --strategy url baseLocale
    - run: bunx houdini generate
    - run: bun run check
build:
  # Layer 1: production build, pull requests only (push events build inside
  # Docker in docker-build instead). Generate steps mirror the typecheck job.
  if: github.event_name == 'pull_request'
  runs-on: ubuntu-latest
  env:
    # Raises the V8 heap limit; the build apparently needs more than the default.
    NODE_OPTIONS: '--max-old-space-size=8192'
  steps:
    - uses: actions/checkout@v5
    - uses: ./.github/actions/setup-bun
    - run: bunx svelte-kit sync
    - run: bunx prisma generate
    - run: bunx @inlang/paraglide-js compile --project ./project.inlang --outdir ./src/lib/paraglide --strategy url baseLocale
    - run: bunx houdini generate
    - run: bun run build
# ============================================
# LAYER 2: DOCKER BUILD (push only)
# ============================================
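docker-build:
  # Layer 2: builds and publishes the app image to ghcr.io and Docker Hub on
  # every push (branch or tag), after all layer-1 jobs pass. On tag pushes it
  # additionally uploads sourcemaps to Bugsink when the Sentry secrets are set.
  if: github.event_name == 'push'
  needs: [format, lint, test, i18n, security, typecheck]
  runs-on: ubuntu-latest
  # Least privilege for GITHUB_TOKEN: checkout needs contents:read and the
  # ghcr.io login/push needs packages:write. No other step in this job uses
  # the token (Docker Hub and Bugsink use their own secrets).
  permissions:
    contents: read
    packages: write
  env:
    SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
    SENTRY_URL: ${{ secrets.SENTRY_URL }}
  steps:
    - uses: actions/checkout@v5
    - uses: docker/setup-buildx-action@v3
    - uses: docker/login-action@v3
      with:
        username: ${{ secrets.DOCKERHUB_USERNAME }}
        password: ${{ secrets.DOCKERHUB_TOKEN }}
    - uses: docker/login-action@v3
      with:
        registry: ghcr.io
        username: ${{ github.repository_owner }}
        password: ${{ secrets.GITHUB_TOKEN }}
    - id: meta
      uses: docker/metadata-action@v5
      with:
        images: |
          ghcr.io/${{ github.repository }}
          deutschemodelunitednations/delegator
        tags: |
          type=ref,event=branch
          type=semver,pattern={{version}}
          type=semver,pattern={{major}}.{{minor}}
          type=semver,pattern={{major}}
    - id: build
      uses: docker/build-push-action@v5
      with:
        push: true
        tags: ${{ steps.meta.outputs.tags }}
        labels: ${{ steps.meta.outputs.labels }}
        cache-from: type=gha
        cache-to: type=gha,mode=max
        build-args: |
          VERSION=${{ github.ref_name }}
          SHA=${{ github.sha }}
    # First tag emitted by metadata-action (read from the env var it exports);
    # used as the single image ref for the scan and the artifact extraction.
    - id: split-tags
      run: echo "fragment=$(echo "${DOCKER_METADATA_OUTPUT_TAGS}" | head -n 1)" >> "$GITHUB_OUTPUT"
    # Scan the pushed image; CRITICAL/HIGH findings with a fix fail the job.
    - uses: aquasecurity/trivy-action@v0.35.0
      with:
        image-ref: ${{ steps.split-tags.outputs.fragment }}
        format: 'table'
        exit-code: '1'
        ignore-unfixed: true
        vuln-type: 'os,library'
        severity: 'CRITICAL,HIGH'
        trivyignores: .trivyignore
        version: 'v0.69.3'
        scanners: 'vuln,secret,misconfig'
    - name: Upload sourcemaps to Bugsink
      if: github.ref_type == 'tag' && env.SENTRY_AUTH_TOKEN != '' && env.SENTRY_URL != ''
      env:
        SENTRY_PROJECT: ${{ vars.SENTRY_PROJECT || 'delegator' }}
        # Handed to the script through the environment instead of being
        # interpolated into the `run:` text, so the value is never parsed as
        # shell source (the standard hardening for expressions in run steps).
        IMAGE_REF: ${{ steps.split-tags.outputs.fragment }}
      run: |
        echo "::group::Extracting build artifacts from Docker image"
        CONTAINER_ID=$(docker create "$IMAGE_REF")
        mkdir -p ./build-artifacts
        docker cp "$CONTAINER_ID:/run/build" ./build-artifacts/
        docker rm "$CONTAINER_ID"
        echo "Extracted build artifacts to ./build-artifacts/build"
        ls -la ./build-artifacts/build
        echo "::endgroup::"
        echo "::group::Installing sentry-cli v2 (v3 has Bugsink compatibility issues)"
        npm install -g @sentry/cli@2
        echo "::endgroup::"
        echo "::group::Injecting debug IDs into sourcemaps"
        sentry-cli sourcemaps inject ./build-artifacts/build
        echo "::endgroup::"
        echo "::group::Uploading sourcemaps to Bugsink (project: $SENTRY_PROJECT)"
        sentry-cli --url "$SENTRY_URL" sourcemaps \
          --org bugsinkhasnoorgs \
          --project "$SENTRY_PROJECT" \
          upload ./build-artifacts/build
        echo "Sourcemaps uploaded successfully"
        echo "::endgroup::"
    # Complement of the step above: surface a warning on tag builds that lack
    # the Bugsink secrets instead of silently skipping the upload.
    - name: Sourcemap upload skipped
      if: github.ref_type == 'tag' && (env.SENTRY_AUTH_TOKEN == '' || env.SENTRY_URL == '')
      run: |
        echo "::warning::Sourcemap upload skipped - SENTRY_AUTH_TOKEN or SENTRY_URL not configured"
        echo "To enable sourcemap uploads, add the following secrets to your repository:"
        echo " - SENTRY_AUTH_TOKEN: Your Bugsink authentication token"
        echo " - SENTRY_URL: Your Bugsink instance URL (e.g., https://bugsink.example.com/)"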
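docker-build-tasks:
  # Layer 2: builds and publishes the background-tasks image on push, but only
  # when task-relevant files changed — or unconditionally on a tag push. Every
  # build step repeats the same `if:` because a step output cannot be
  # referenced at job level, so the gate has to be applied per step.
  if: github.event_name == 'push'
  needs: [format, lint, test, i18n, security, typecheck]
  runs-on: ubuntu-latest
  # Least privilege for GITHUB_TOKEN: checkout and paths-filter need
  # contents:read, the ghcr.io login/push needs packages:write.
  permissions:
    contents: read
    packages: write
  steps:
    - uses: actions/checkout@v5
      with:
        # presumably so paths-filter can diff against the parent commit — verify
        fetch-depth: 2
    # Path filter: only build when task-relevant files changed
    - uses: dorny/paths-filter@v3
      id: changes
      with:
        filters: |
          tasks:
            - 'src/tasks/**'
            - 'src/api/services/**'
            - 'src/lib/services/formatNames.ts'
            - 'prisma/schema.prisma'
            - 'scripts/tasksBuild.ts'
            - 'Dockerfile.tasks'
            - 'package.json'
            - 'bun.lock'
    # Always build on tag push (release), conditionally on branch push
    - if: steps.changes.outputs.tasks == 'true' || github.ref_type == 'tag'
      uses: docker/setup-buildx-action@v3
    - if: steps.changes.outputs.tasks == 'true' || github.ref_type == 'tag'
      uses: docker/login-action@v3
      with:
        username: ${{ secrets.DOCKERHUB_USERNAME }}
        password: ${{ secrets.DOCKERHUB_TOKEN }}
    - if: steps.changes.outputs.tasks == 'true' || github.ref_type == 'tag'
      uses: docker/login-action@v3
      with:
        registry: ghcr.io
        username: ${{ github.repository_owner }}
        password: ${{ secrets.GITHUB_TOKEN }}
    - if: steps.changes.outputs.tasks == 'true' || github.ref_type == 'tag'
      id: meta
      uses: docker/metadata-action@v5
      with:
        images: |
          ghcr.io/${{ github.repository }}-tasks
          deutschemodelunitednations/delegator-tasks
        tags: |
          type=ref,event=branch
          type=semver,pattern={{version}}
          type=semver,pattern={{major}}.{{minor}}
          type=semver,pattern={{major}}
    - if: steps.changes.outputs.tasks == 'true' || github.ref_type == 'tag'
      uses: docker/build-push-action@v5
      with:
        file: Dockerfile.tasks
        push: true
        tags: ${{ steps.meta.outputs.tags }}
        labels: ${{ steps.meta.outputs.labels }}
        # Separate cache scope so this image does not evict the app image's cache.
        cache-from: type=gha,scope=tasks
        cache-to: type=gha,mode=max,scope=tasks
    # First tag emitted by metadata-action; single image ref for the scan below.
    - if: steps.changes.outputs.tasks == 'true' || github.ref_type == 'tag'
      id: split-tags
      run: echo "fragment=$(echo "${DOCKER_METADATA_OUTPUT_TAGS}" | head -n 1)" >> "$GITHUB_OUTPUT"
    # Scan the pushed image; CRITICAL/HIGH findings with a fix fail the job.
    - if: steps.changes.outputs.tasks == 'true' || github.ref_type == 'tag'
      uses: aquasecurity/trivy-action@v0.35.0
      with:
        image-ref: ${{ steps.split-tags.outputs.fragment }}
        format: 'table'
        exit-code: '1'
        ignore-unfixed: true
        vuln-type: 'os,library'
        severity: 'CRITICAL,HIGH'
        trivyignores: .trivyignore
        version: 'v0.69.3'
        scanners: 'vuln,secret,misconfig'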
# ============================================
# LAYER 3: RELEASE (tag push only)
# ============================================
release:
  # Layer 3: creates the GitHub release for a tag push once both images have
  # been published. Only `contents: write` is granted — that is all the
  # release action needs.
  if: github.ref_type == 'tag'
  needs: [docker-build, docker-build-tasks]
  runs-on: ubuntu-latest
  permissions:
    contents: write
  steps:
    - uses: actions/checkout@v5
    # Strip a leading "v" from the tag name, e.g. v1.2.3 -> 1.2.3, for the
    # image tags quoted in the release notes.
    - name: Extract version
      id: version
      run: echo "number=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
    - uses: softprops/action-gh-release@v2
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      with:
        generate_release_notes: true
        body: |
          <div align="center">
          # MUNify Delegator `${{ github.ref_name }}`
          [![SvelteKit](https://img.shields.io/badge/SvelteKit-FF3E00?style=for-the-badge&logo=svelte&logoColor=white)](https://svelte.dev)
          [![Prisma](https://img.shields.io/badge/Prisma-2D3748?style=for-the-badge&logo=prisma&logoColor=white)](https://www.prisma.io)
          [![GraphQL](https://img.shields.io/badge/GraphQL-E10098?style=for-the-badge&logo=graphql&logoColor=white)](https://graphql.org)
          [![Docker](https://img.shields.io/badge/Docker-2496ED?style=for-the-badge&logo=docker&logoColor=white)](https://hub.docker.com/r/deutschemodelunitednations/delegator)
          </div>
          ### Docker images
          ```bash
          # App
          docker pull ghcr.io/${{ github.repository }}:${{ steps.version.outputs.number }}
          # Background tasks
          docker pull ghcr.io/${{ github.repository }}-tasks:${{ steps.version.outputs.number }}
          ```
          <details><summary>DockerHub mirror</summary>
          ```bash
          docker pull deutschemodelunitednations/delegator:${{ steps.version.outputs.number }}
          docker pull deutschemodelunitednations/delegator-tasks:${{ steps.version.outputs.number }}
          ```
          </details>
          ---
          <div align="center">
          <sub>A project by <a href="https://dmun.de">Deutsche Model United Nations (DMUN) e.V.</a></sub>
          <br>
          <sub>Proudly free and open source — built for the MUN community worldwide 🌍</sub>
          </div>