Merge branch 'main' into chore/depot

.github/workflows/backend-linter.yml

@@ -17,14 +17,15 @@ permissions:
   pull-requests: read
   # Optional: allow write access to checks to allow the action to annotate code in the PR.
   checks: write
+  id-token: write
 
 jobs:
   golangci-lint:
     name: Run Golangci-lint
-    runs-on: ubuntu-latest
+    runs-on: depot-ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Go
         uses: actions/setup-go@v6

.github/workflows/build-next.yml

@@ -9,43 +9,39 @@ concurrency:
   group: build-next-image
   cancel-in-progress: true
 
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+  attestations: write
+
 jobs:
   build-next:
-    runs-on: ubuntu-latest
+    runs-on: depot-ubuntu-latest
-    permissions:
+
-      contents: read
+    env:
-      packages: write
+      CONTAINER_IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/pocket-id
-      id-token: write
+
-      attestations: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Setup pnpm
         uses: pnpm/action-setup@v4
 
       - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 24
+          cache: "pnpm"
 
       - name: Setup Go
         uses: actions/setup-go@v6
         with:
           go-version-file: "backend/go.mod"
 
-      - name: Set up QEMU
+      - name: Set up Depot CLI
-        uses: docker/setup-qemu-action@v3
+        uses: depot/setup-action@v1
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Set DOCKER_IMAGE_NAME
-        run: |
-          # Lowercase REPO_OWNER which is required for containers
-          REPO_OWNER=${{ github.repository_owner }}
-          DOCKER_IMAGE_NAME="ghcr.io/${REPO_OWNER,,}/pocket-id"
-          echo "DOCKER_IMAGE_NAME=${DOCKER_IMAGE_NAME}" >>${GITHUB_ENV}
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
@@ -54,6 +50,40 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Container Image Metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.CONTAINER_IMAGE_NAME }}
+          tags: |
+            type=raw,value=next
+          labels: |
+            org.opencontainers.image.authors=Pocket ID
+            org.opencontainers.image.url=https://github.com/pocket-id/pocket-id
+            org.opencontainers.image.documentation=https://github.com/pocket-id/pocket-id/blob/main/README.md
+            org.opencontainers.image.source=https://github.com/pocket-id/pocket-id
+            org.opencontainers.image.version=next
+            org.opencontainers.image.licenses=BSD-2-Clause
+            org.opencontainers.image.ref.name=pocket-id
+            org.opencontainers.image.title=Pocket ID
+
+      - name: Container Image Metadata
+        id: distroless-meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.CONTAINER_IMAGE_NAME }}
+          tags: |
+            type=raw,value=next-distroless
+          labels: |
+            org.opencontainers.image.authors=Pocket ID
+            org.opencontainers.image.url=https://github.com/pocket-id/pocket-id
+            org.opencontainers.image.documentation=https://github.com/pocket-id/pocket-id/blob/main/README.md
+            org.opencontainers.image.source=https://github.com/pocket-id/pocket-id
+            org.opencontainers.image.version=next-distroless
+            org.opencontainers.image.licenses=BSD-2-Clause
+            org.opencontainers.image.ref.name=pocket-id
+            org.opencontainers.image.title=Pocket ID
+
       - name: Install frontend dependencies
         run: pnpm install --frozen-lockfile
 
@@ -66,31 +96,40 @@ jobs:
 
       - name: Build and push container image
         id: build-push-image
-        uses: docker/build-push-action@v6
+        uses: depot/build-push-action@v1
         with:
           context: .
+          file: docker/Dockerfile-prebuilt
           platforms: linux/amd64,linux/arm64
           push: true
-          tags: ${{ env.DOCKER_IMAGE_NAME }}:next
+          tags: ${{ steps.meta.outputs.tags }}
-          file: docker/Dockerfile-prebuilt
+          labels: ${{ steps.meta.outputs.labels }}
+          sbom: true
+          provenance: true
+
       - name: Build and push container image (distroless)
-        uses: docker/build-push-action@v6
+        uses: depot/build-push-action@v1
         id: container-build-push-distroless
         with:
           context: .
+          file: docker/Dockerfile-distroless
           platforms: linux/amd64,linux/arm64
           push: true
-          tags: ${{ env.DOCKER_IMAGE_NAME }}:next-distroless
+          tags: ${{ steps.distroless-meta.outputs.tags }}
-          file: docker/Dockerfile-distroless
+          labels: ${{ steps.distroless-meta.outputs.labels }}
+          sbom: true
+          provenance: true
+
       - name: Container image attestation
         uses: actions/attest-build-provenance@v2
         with:
-          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
+          subject-name: "${{ env.CONTAINER_IMAGE_NAME }}"
           subject-digest: ${{ steps.build-push-image.outputs.digest }}
           push-to-registry: true
+
       - name: Container image attestation (distroless)
         uses: actions/attest-build-provenance@v2
         with:
-          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
+          subject-name: "${{ env.CONTAINER_IMAGE_NAME }}"
           subject-digest: ${{ steps.container-build-push-distroless.outputs.digest }}
           push-to-registry: true

.github/workflows/e2e-tests.yml

@@ -13,47 +13,15 @@ on:
       - "**.md"
       - ".github/**"
 
+permissions:
+  contents: read
+  actions: write
+  id-token: write
+
 jobs:
-  build:
-    if: github.event.pull_request.head.ref != 'i18n_crowdin'
-    timeout-minutes: 20
-    permissions:
-      contents: read
-      actions: write
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Build and export
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: docker/Dockerfile
-          push: false
-          load: false
-          tags: pocket-id:test
-          outputs: type=docker,dest=/tmp/docker-image.tar
-          build-args: BUILD_TAGS=e2etest
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Upload Docker image artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: docker-image
-          path: /tmp/docker-image.tar
-          retention-days: 1
-
   test:
     if: github.event.pull_request.head.ref != 'i18n_crowdin'
-    permissions:
+    runs-on: depot-ubuntu-24.04-32
-      contents: read
-      actions: write
-    runs-on: ubuntu-latest
-    needs: build
     strategy:
       fail-fast: false
       matrix:
@@ -70,15 +38,22 @@ jobs:
             storage: database
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Setup pnpm
         uses: pnpm/action-setup@v4
 
       - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 24
+          cache: "pnpm"
+
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+
+      - name: Set up Depot Docker builder
+        run: depot configure-docker
 
       - name: Cache Playwright Browsers
         uses: actions/cache@v4
@@ -102,21 +77,6 @@ jobs:
         if: matrix.db == 'postgres' && steps.postgres-cache.outputs.cache-hit == 'true'
         run: docker load < /tmp/postgres-image.tar
 
-      - name: Cache LLDAP Docker image
-        uses: actions/cache@v4
-        id: lldap-cache
-        with:
-          path: /tmp/lldap-image.tar
-          key: lldap-stable-${{ runner.os }}
-      - name: Pull and save LLDAP image
-        if: steps.lldap-cache.outputs.cache-hit != 'true'
-        run: |
-          docker pull lldap/lldap:2025-05-19
-          docker save lldap/lldap:2025-05-19 > /tmp/lldap-image.tar
-      - name: Load LLDAP image
-        if: steps.lldap-cache.outputs.cache-hit == 'true'
-        run: docker load < /tmp/lldap-image.tar
-
       - name: Cache SCIM Test Server Docker image
         uses: actions/cache@v4
         id: scim-cache
@@ -148,31 +108,6 @@ jobs:
         if: matrix.storage == 's3' && steps.s3-cache.outputs.cache-hit == 'true'
         run: docker load < /tmp/localstack-s3-image.tar
 
-      - name: Cache AWS CLI Docker image
-        if: matrix.storage == 's3'
-        uses: actions/cache@v4
-        id: aws-cli-cache
-        with:
-          path: /tmp/aws-cli-image.tar
-          key: aws-cli-latest-${{ runner.os }}
-      - name: Pull and save AWS CLI image
-        if: matrix.storage == 's3' && steps.aws-cli-cache.outputs.cache-hit != 'true'
-        run: |
-          docker pull amazon/aws-cli:latest
-          docker save amazon/aws-cli:latest > /tmp/aws-cli-image.tar
-      - name: Load AWS CLI image
-        if: matrix.storage == 's3' && steps.aws-cli-cache.outputs.cache-hit == 'true'
-        run: docker load < /tmp/aws-cli-image.tar
-
-      - name: Download Docker image artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: docker-image
-          path: /tmp
-
-      - name: Load Docker image
-        run: docker load -i /tmp/docker-image.tar
-
       - name: Install test dependencies
         run: pnpm --filter pocket-id-tests install --frozen-lockfile
 
@@ -198,7 +133,7 @@ jobs:
             DOCKER_COMPOSE_FILE=docker-compose-s3.yml
           fi
 
-          docker compose -f "$DOCKER_COMPOSE_FILE" up -d
+          docker compose -f "$DOCKER_COMPOSE_FILE" up -d --build
 
           {
             LOG_FILE="/tmp/backend.log"

.github/workflows/release.yml

@@ -5,42 +5,46 @@ on:
     tags:
       - "v*.*.*"
 
+permissions:
+  contents: write
+  packages: write
+  attestations: write
+  id-token: write
+
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: depot-ubuntu-24.04-16
-    permissions:
+
-      contents: write
+    env:
-      packages: write
+      CONTAINER_IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/pocket-id
-      attestations: write
+
-      id-token: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
+
       - name: Setup pnpm
         uses: pnpm/action-setup@v4
+
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+
       - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 24
+          cache: "pnpm"
+
       - uses: actions/setup-go@v6
         with:
           go-version-file: "backend/go.mod"
-      - name: Set up QEMU
+
-        uses: docker/setup-qemu-action@v3
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Set DOCKER_IMAGE_NAME
-        run: |
-          # Lowercase REPO_OWNER which is required for containers
-          REPO_OWNER=${{ github.repository_owner }}
-          DOCKER_IMAGE_NAME="ghcr.io/${REPO_OWNER,,}/pocket-id"
-          echo "DOCKER_IMAGE_NAME=${DOCKER_IMAGE_NAME}" >>${GITHUB_ENV}
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{github.repository_owner}}
           password: ${{secrets.GITHUB_TOKEN}}
+
       - name: Docker metadata
         id: meta
         uses: docker/metadata-action@v5
@@ -51,59 +55,89 @@ jobs:
             type=semver,pattern={{version}},prefix=v
             type=semver,pattern={{major}}.{{minor}},prefix=v
             type=semver,pattern={{major}},prefix=v
+          labels: |
+            org.opencontainers.image.authors=Pocket ID
+            org.opencontainers.image.url=https://github.com/pocket-id/pocket-id
+            org.opencontainers.image.documentation=https://github.com/pocket-id/pocket-id/blob/main/README.md
+            org.opencontainers.image.source=https://github.com/pocket-id/pocket-id
+            org.opencontainers.image.version=next
+            org.opencontainers.image.licenses=BSD-2-Clause
+            org.opencontainers.image.ref.name=pocket-id
+            org.opencontainers.image.title=Pocket ID
+
       - name: Docker metadata (distroless)
         id: meta-distroless
         uses: docker/metadata-action@v5
         with:
           images: |
-            ${{ env.DOCKER_IMAGE_NAME }}
+            ${{ env.CONTAINER_IMAGE_NAME }}
           flavor: |
             suffix=-distroless,onlatest=true
           tags: |
             type=semver,pattern={{version}},prefix=v
             type=semver,pattern={{major}}.{{minor}},prefix=v
             type=semver,pattern={{major}},prefix=v
+          labels: |
+            org.opencontainers.image.authors=Pocket ID
+            org.opencontainers.image.url=https://github.com/pocket-id/pocket-id
+            org.opencontainers.image.documentation=https://github.com/pocket-id/pocket-id/blob/main/README.md
+            org.opencontainers.image.source=https://github.com/pocket-id/pocket-id
+            org.opencontainers.image.version=next-distroless
+            org.opencontainers.image.licenses=BSD-2-Clause
+            org.opencontainers.image.ref.name=pocket-id
+            org.opencontainers.image.title=Pocket ID
+
       - name: Install frontend dependencies
         run: pnpm --filter pocket-id-frontend install --frozen-lockfile
+
       - name: Build frontend
         run: pnpm --filter pocket-id-frontend build
 
       - name: Build binaries
         run: sh scripts/development/build-binaries.sh
+
       - name: Build and push container image
-        uses: docker/build-push-action@v6
+        uses: depot/build-push-action@v1
         id: container-build-push
         with:
           context: .
+          file: docker/Dockerfile-prebuilt
           platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          file: docker/Dockerfile-prebuilt
+          sbom: true
+          provenance: true
+
       - name: Build and push container image (distroless)
-        uses: docker/build-push-action@v6
+        uses: depot/build-push-action@v1
         id: container-build-push-distroless
         with:
           context: .
+          file: docker/Dockerfile-distroless
           platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.meta-distroless.outputs.tags }}
           labels: ${{ steps.meta-distroless.outputs.labels }}
-          file: docker/Dockerfile-distroless
+          sbom: true
+          provenance: true
+
       - name: Binary attestation
         uses: actions/attest-build-provenance@v2
         with:
           subject-path: "backend/.bin/pocket-id-**"
+
       - name: Container image attestation
         uses: actions/attest-build-provenance@v2
         with:
-          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
+          subject-name: "${{ env.CONTAINER_IMAGE_NAME }}"
           subject-digest: ${{ steps.container-build-push.outputs.digest }}
           push-to-registry: true
+
       - name: Container image attestation (distroless)
         uses: actions/attest-build-provenance@v2
         with:
-          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
+          subject-name: "${{ env.CONTAINER_IMAGE_NAME }}"
           subject-digest: ${{ steps.container-build-push-distroless.outputs.digest }}
           push-to-registry: true
       - name: Upload binaries to release
@@ -112,14 +146,12 @@ jobs:
         run: gh release upload ${{ github.ref_name }} backend/.bin/*
 
   publish-release:
-    runs-on: ubuntu-latest
+    runs-on: depot-ubuntu-latest
     needs: [build]
-    permissions:
-      contents: write
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Mark release as published
         run: gh release edit ${{ github.ref_name }} --draft=false

.github/workflows/svelte-check.yml

@@ -21,28 +21,31 @@ on:
       - "frontend/svelte.config.js"
   workflow_dispatch:
 
+permissions:
+  contents: read
+  checks: write
+  pull-requests: write
+  id-token: write
+
 jobs:
   type-check:
     name: Run Svelte Check
     # Don't run on dependabot branches
     if: github.actor != 'dependabot[bot]'
-    runs-on: ubuntu-latest
+    runs-on: depot-ubuntu-latest
-    permissions:
-      contents: read
-      checks: write
-      pull-requests: write
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Setup pnpm
         uses: pnpm/action-setup@v4
 
       - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 24
+          cache: "pnpm"
 
       - name: Install dependencies
         run: pnpm --filter pocket-id-frontend install --frozen-lockfile

.github/workflows/unit-tests.yml

@@ -9,14 +9,16 @@ on:
     paths:
       - "backend/**"
 
+permissions:
+  contents: read
+  id-token: write
+  actions: write
+
 jobs:
   test-backend:
-    permissions:
+    runs-on: depot-ubuntu-latest
-      contents: read
-      actions: write
-    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: "backend/go.mod"

.github/workflows/update-aaguids.yml

@@ -8,14 +8,15 @@ on:
 permissions:
   contents: write
   pull-requests: write
+  id-token: write
 
 jobs:
   update-aaguids:
-    runs-on: ubuntu-latest
+    runs-on: depot-ubuntu-latest
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Fetch JSON data
         run: |

depot.json

@@ -0,0 +1 @@
+{ "id": "c36t29j6bz" }

docker/Dockerfile

@@ -1,3 +1,5 @@
+# syntax=docker/dockerfile:1.7
+
 # This file uses multi-stage builds to build the application from source, including the front-end
 
 # Tags passed to "go build"
@@ -9,27 +11,33 @@ RUN corepack enable
 
 WORKDIR /build
 
-COPY pnpm-workspace.yaml pnpm-lock.yaml ./
+COPY package.json pnpm-workspace.yaml pnpm-lock.yaml ./
 COPY frontend/package.json ./frontend/
-RUN pnpm --filter pocket-id-frontend install --frozen-lockfile
+RUN --mount=type=cache,target=/root/.local/share/pnpm/store \
+  pnpm --filter pocket-id-frontend install --frozen-lockfile
 
 COPY ./frontend ./frontend/
 
-RUN BUILD_OUTPUT_PATH=dist pnpm --filter pocket-id-frontend run build
+RUN --mount=type=cache,target=/build/frontend/node_modules/.vite \
+  --mount=type=cache,target=/build/frontend/.svelte-kit \
+  BUILD_OUTPUT_PATH=dist pnpm --filter pocket-id-frontend run build
 
 # Stage 2: Build Backend
 FROM golang:1.26-alpine AS backend-builder
 ARG BUILD_TAGS
 WORKDIR /build
 COPY ./backend/go.mod ./backend/go.sum ./
-RUN go mod download
+RUN --mount=type=cache,target=/go/pkg/mod \
+  go mod download
 
 COPY ./backend ./
 COPY --from=frontend-builder /build/frontend/dist ./frontend/dist
 COPY .version .version
 
 WORKDIR /build/cmd
-RUN VERSION=$(cat /build/.version) \ 
+RUN --mount=type=cache,target=/go/pkg/mod \
+  --mount=type=cache,target=/root/.cache/go-build \
+  VERSION=$(cat /build/.version) && \
   CGO_ENABLED=0 \
   GOOS=linux \
   go build \

tests/setup/docker-compose-s3.yml

@@ -9,21 +9,21 @@ services:
       service: scim-test-server
   localstack-s3:
     image: localstack/localstack:s3-latest
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localstack-s3:4566"]
-      interval: 1s
-      timeout: 3s
-      retries: 10
-  create-bucket:
-    image: amazon/aws-cli:latest
     environment:
       AWS_ACCESS_KEY_ID: test
       AWS_SECRET_ACCESS_KEY: test
       AWS_DEFAULT_REGION: us-east-1
-    depends_on:
+    volumes:
-      localstack-s3:
+      - ./localstack-init-s3.py:/etc/localstack/init/ready.d/10-init-s3.py
-        condition: service_healthy
+    healthcheck:
-    entrypoint: "aws --endpoint-url=http://localstack-s3:4566 s3 mb s3://pocket-id-test"
+      test:
+        [
+          "CMD-SHELL",
+          'curl -fs http://localstack-s3:4566/_localstack/init/ready | grep -q ''"completed": true''',
+        ]
+      interval: 1s
+      timeout: 3s
+      retries: 10
   pocket-id:
     extends:
       file: docker-compose.yml
@@ -37,8 +37,8 @@ services:
       S3_SECRET_ACCESS_KEY: test
       S3_FORCE_PATH_STYLE: true
     depends_on:
-      create-bucket:
+      localstack-s3:
-        condition: service_completed_successfully
+        condition: service_healthy
 
 volumes:
   pocket-id-test-data:

tests/setup/localstack-init-s3.py

@@ -0,0 +1,22 @@
+import boto3
+from botocore.exceptions import ClientError
+
+BUCKET_NAME = "pocket-id-test"
+
+
+def main() -> None:
+    s3 = boto3.client(
+        "s3",
+        endpoint_url="http://localhost:4566",
+        aws_access_key_id="test",
+        aws_secret_access_key="test",
+        region_name="us-east-1",
+    )
+
+    try:
+        s3.head_bucket(Bucket=BUCKET_NAME)
+    except ClientError:
+        s3.create_bucket(Bucket=BUCKET_NAME)
+
+
+main()