ci: doppler secrets (#9236)

Migrating secrets to doppler from GH

Author: mscolnick

.github/workflows/cla.yml

@@ -15,19 +15,28 @@ permissions:
   contents: write
   pull-requests: write
   statuses: write
+  id-token: write # required for Doppler OIDC
 
 jobs:
   CLAAssistant:
     runs-on: ubuntu-latest
     steps:
+      - name: 🔐 Fetch Doppler secrets
+        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
+        uses: dopplerhq/secrets-fetch-action@cd2efbf9a404504316435873eff298b82f7e0562 # v1.3.0
+        id: secrets
+        with:
+          auth-method: oidc
+          doppler-identity-id: ${{ vars.DOPPLER_IDENTITY_ID }}
+          doppler-project: marimo-oss
+          doppler-config: ci_cla
+
       - name: "CLA Assistant"
         if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
         uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # the below token should have repo scope and must be manually added by you in the repository's secret
-          # This token is required only if you have configured to store the signatures in a remote repository/organization
-          PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+          PERSONAL_ACCESS_TOKEN: ${{ steps.secrets.outputs.PERSONAL_ACCESS_TOKEN }}
         with:
           path-to-signatures: "signatures/version1/cla.json"
           path-to-document: "https://marimo.io/cla" # e.g. a CLA or a DCO document

.github/workflows/docs.yml

@@ -13,6 +13,7 @@ concurrency:
 
 permissions:
   contents: read
+  id-token: write # required for Doppler OIDC
 
 env:
   UV_EXCLUDE_NEWER: "7 days"
@@ -24,6 +25,15 @@ jobs:
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
+      - name: 🔐 Fetch Doppler secrets
+        uses: dopplerhq/secrets-fetch-action@cd2efbf9a404504316435873eff298b82f7e0562 # v1.3.0
+        id: secrets
+        with:
+          auth-method: oidc
+          doppler-identity-id: ${{ vars.DOPPLER_IDENTITY_ID }}
+          doppler-project: marimo-oss
+          doppler-config: ci_docs
+
       - name: 🐍 Setup uv
         uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
         with:
@@ -34,16 +44,18 @@ jobs:
         run: npm install --global vercel@latest
 
       - name: ⬇️ Pull Vercel Environment Information
-        run: vercel pull --yes --environment=production --token=${{ secrets.VERCEL_TOKEN }}
         env:
-          VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
-          VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID }}
+          VERCEL_ORG_ID: ${{ steps.secrets.outputs.VERCEL_ORG_ID }}
+          VERCEL_PROJECT_ID: ${{ steps.secrets.outputs.VERCEL_PROJECT_ID }}
+          VERCEL_TOKEN: ${{ steps.secrets.outputs.VERCEL_TOKEN }}
+        run: vercel pull --yes --environment=production
 
       - name: 📚 Build docs
-        run: vercel build --prod --token=${{ secrets.VERCEL_TOKEN }}
         env:
-          VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
-          VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID }}
+          VERCEL_ORG_ID: ${{ steps.secrets.outputs.VERCEL_ORG_ID }}
+          VERCEL_PROJECT_ID: ${{ steps.secrets.outputs.VERCEL_PROJECT_ID }}
+          VERCEL_TOKEN: ${{ steps.secrets.outputs.VERCEL_TOKEN }}
+        run: vercel build --prod
 
       - name: 📝 Generate markdown versions of docs
         run: |
@@ -88,7 +100,8 @@ jobs:
 
       - name: 🚀 Deploy to Vercel
         if: github.ref == 'refs/heads/main' && steps.latest.outputs.is_latest == 'true'
-        run: vercel deploy --prebuilt --prod --token=${{ secrets.VERCEL_TOKEN }}
         env:
-          VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
-          VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID }}
+          VERCEL_ORG_ID: ${{ steps.secrets.outputs.VERCEL_ORG_ID }}
+          VERCEL_PROJECT_ID: ${{ steps.secrets.outputs.VERCEL_PROJECT_ID }}
+          VERCEL_TOKEN: ${{ steps.secrets.outputs.VERCEL_TOKEN }}
+        run: vercel deploy --prebuilt --prod

.github/workflows/marimo-bot.yml

@@ -86,10 +86,19 @@ jobs:
             console.log(`Comment created with ID: ${comment.data.id}`);
             return comment.data.id;
 
+      - name: 🔐 Fetch Doppler secrets
+        uses: dopplerhq/secrets-fetch-action@cd2efbf9a404504316435873eff298b82f7e0562 # v1.3.0
+        id: secrets
+        with:
+          auth-method: oidc
+          doppler-identity-id: ${{ vars.DOPPLER_IDENTITY_ID }}
+          doppler-project: marimo-oss
+          doppler-config: ci_test
+
       - name: 📦 Build frontend
         uses: ./.github/actions/build-frontend
         with:
-          turbo-token: ${{ secrets.TURBO_TOKEN }}
+          turbo-token: ${{ steps.secrets.outputs.TURBO_TOKEN }}
 
       - name: Install uv
         uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7

.github/workflows/playwright.yml

@@ -36,6 +36,9 @@ jobs:
     if: ${{ needs.changes.outputs.playwright == 'true' }}
     timeout-minutes: 18 # 2024-01-18 avg: 5.0m max: 7.0m
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write # required for Doppler OIDC
     defaults:
       run:
         shell: bash
@@ -58,11 +61,23 @@ jobs:
         run: |
           sed -i 's/auto_instantiate = false/auto_instantiate = true/' pyproject.toml
 
+      - name: 🔐 Fetch Doppler secrets
+        # Skip on PRs from forks: id-token write is downgraded to read, so OIDC fails.
+        # Downstream tokens (TURBO_TOKEN, CODECOV_TOKEN) are optional and tolerate empty.
+        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+        uses: dopplerhq/secrets-fetch-action@cd2efbf9a404504316435873eff298b82f7e0562 # v1.3.0
+        id: secrets
+        with:
+          auth-method: oidc
+          doppler-identity-id: ${{ vars.DOPPLER_IDENTITY_ID }}
+          doppler-project: marimo-oss
+          doppler-config: ci_test
+
       - name: 📦 Build frontend
         uses: ./.github/actions/build-frontend
         with:
-          turbo-token: ${{ secrets.TURBO_TOKEN }}
-          codecov-token: ${{ secrets.CODECOV_TOKEN }}
+          turbo-token: ${{ steps.secrets.outputs.TURBO_TOKEN }}
+          codecov-token: ${{ steps.secrets.outputs.CODECOV_TOKEN }}
 
       - name: 🐍 Setup uv
         uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7

.github/workflows/release-dev.yml

@@ -20,6 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
+      id-token: write # required for Doppler OIDC
     defaults:
       run:
         shell: bash
@@ -34,11 +35,20 @@ jobs:
           # get tag history for version number
           fetch-depth: 0
 
+      - name: 🔐 Fetch Doppler secrets
+        uses: dopplerhq/secrets-fetch-action@cd2efbf9a404504316435873eff298b82f7e0562 # v1.3.0
+        id: secrets
+        with:
+          auth-method: oidc
+          doppler-identity-id: ${{ vars.DOPPLER_IDENTITY_ID }}
+          doppler-project: marimo-oss
+          doppler-config: ci_deploy
+
       - name: 📦 Build frontend
         uses: ./.github/actions/build-frontend
         with:
-          turbo-token: ${{ secrets.TURBO_TOKEN }}
-          codecov-token: ${{ secrets.CODECOV_TOKEN }}
+          turbo-token: ${{ steps.secrets.outputs.TURBO_TOKEN }}
+          codecov-token: ${{ steps.secrets.outputs.CODECOV_TOKEN }}
 
       - name: Install uv
         uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7

.github/workflows/release-marimo-base.yml

@@ -33,11 +33,20 @@ jobs:
       - name: ⬇️ Checkout repo
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
+      - name: 🔐 Fetch Doppler secrets
+        uses: dopplerhq/secrets-fetch-action@cd2efbf9a404504316435873eff298b82f7e0562 # v1.3.0
+        id: secrets
+        with:
+          auth-method: oidc
+          doppler-identity-id: ${{ vars.DOPPLER_IDENTITY_ID }}
+          doppler-project: marimo-oss
+          doppler-config: ci_deploy
+
       - name: 📦 Build frontend
         uses: ./.github/actions/build-frontend
         with:
-          turbo-token: ${{ secrets.TURBO_TOKEN }}
-          codecov-token: ${{ secrets.CODECOV_TOKEN }}
+          turbo-token: ${{ steps.secrets.outputs.TURBO_TOKEN }}
+          codecov-token: ${{ steps.secrets.outputs.CODECOV_TOKEN }}
 
       - name: Install uv
         uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7

.github/workflows/release-prod.yml

@@ -20,6 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
+      id-token: write # required for Doppler OIDC
     defaults:
       run:
         shell: bash
@@ -31,11 +32,20 @@ jobs:
       - name: ⬇️ Checkout repo
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
+      - name: 🔐 Fetch Doppler secrets
+        uses: dopplerhq/secrets-fetch-action@cd2efbf9a404504316435873eff298b82f7e0562 # v1.3.0
+        id: secrets
+        with:
+          auth-method: oidc
+          doppler-identity-id: ${{ vars.DOPPLER_IDENTITY_ID }}
+          doppler-project: marimo-oss
+          doppler-config: ci_deploy
+
       - name: 📦 Build frontend
         uses: ./.github/actions/build-frontend
         with:
-          turbo-token: ${{ secrets.TURBO_TOKEN }}
-          codecov-token: ${{ secrets.CODECOV_TOKEN }}
+          turbo-token: ${{ steps.secrets.outputs.TURBO_TOKEN }}
+          codecov-token: ${{ steps.secrets.outputs.CODECOV_TOKEN }}
 
       - name: 🐍 Setup uv
         uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7

.github/workflows/release-tag.yml

@@ -15,6 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
+      id-token: write # required for Doppler OIDC
     steps:
       - name: Extract version from PR title
         id: version
@@ -28,14 +29,23 @@ jobs:
           fi
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"
 
+      - name: 🔐 Fetch Doppler secrets
+        uses: dopplerhq/secrets-fetch-action@cd2efbf9a404504316435873eff298b82f7e0562 # v1.3.0
+        id: secrets
+        with:
+          auth-method: oidc
+          doppler-identity-id: ${{ vars.DOPPLER_IDENTITY_ID }}
+          doppler-project: marimo-oss
+          doppler-config: ci_deploy
+
       # Use a GitHub App token so the tag push triggers other workflows.
       # Tags pushed with the default GITHUB_TOKEN do not trigger workflows.
       - name: Generate app token
         id: app-token
         uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
         with:
           app-id: ${{ vars.RELEASE_APP_ID }}
-          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+          private-key: ${{ steps.secrets.outputs.RELEASE_APP_PRIVATE_KEY }}
 
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

.github/workflows/test_be.yaml

@@ -186,6 +186,9 @@ jobs:
     name: Test coverage
     runs-on: ubuntu-latest
     timeout-minutes: 35
+    permissions:
+      contents: read
+      id-token: write # required for Doppler OIDC
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
@@ -210,6 +213,16 @@ jobs:
             --inline-snapshot=disable \
             --cov=marimo --cov-report=xml --junitxml=junit.xml -o junit_family=legacy
 
+      - name: 🔐 Fetch Doppler secrets
+        if: ${{ !cancelled() }}
+        uses: dopplerhq/secrets-fetch-action@cd2efbf9a404504316435873eff298b82f7e0562 # v1.3.0
+        id: secrets
+        with:
+          auth-method: oidc
+          doppler-identity-id: ${{ vars.DOPPLER_IDENTITY_ID }}
+          doppler-project: marimo-oss
+          doppler-config: ci_test
+
       # Only upload coverage on `main` so it is not blocking
       # and only on `3.13`, `ubuntu-latest`, with optional deps since it will cover
       # the most surface area.
@@ -219,10 +232,10 @@ jobs:
         with:
           files: ./coverage.xml
         env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+          CODECOV_TOKEN: ${{ steps.secrets.outputs.CODECOV_TOKEN }}
 
       - name: Upload test results to Codecov
         if: ${{ !cancelled() }}
         uses: codecov/test-results-action@0fa95f0e1eeaafde2c782583b36b28ad0d8c77d3 # v1
         env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+          CODECOV_TOKEN: ${{ steps.secrets.outputs.CODECOV_TOKEN }}

.github/workflows/test_cli.yaml

@@ -13,7 +13,6 @@ permissions:
   contents: read
 
 env:
-  TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
   TURBO_TEAM: marimo
   MARIMO_SKIP_UPDATE_CHECK: 1
   UV_EXCLUDE_NEWER: "7 days"
@@ -38,6 +37,9 @@ jobs:
     name: Build marimo wheel
     runs-on: ubuntu-latest
     timeout-minutes: 8 # 2024-01-18
+    permissions:
+      contents: read
+      id-token: write # required for Doppler OIDC
     defaults:
       run:
         shell: bash
@@ -48,11 +50,23 @@ jobs:
         with:
           fetch-depth: 0 # so we can run --since on the main branch and turbo can do faster cache hashing
 
+      - name: 🔐 Fetch Doppler secrets
+        # Skip on PRs from forks: id-token write is downgraded to read, so OIDC fails.
+        # Downstream tokens (TURBO_TOKEN, CODECOV_TOKEN) are optional and tolerate empty.
+        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+        uses: dopplerhq/secrets-fetch-action@cd2efbf9a404504316435873eff298b82f7e0562 # v1.3.0
+        id: secrets
+        with:
+          auth-method: oidc
+          doppler-identity-id: ${{ vars.DOPPLER_IDENTITY_ID }}
+          doppler-project: marimo-oss
+          doppler-config: ci_test
+
       - name: 📦 Build frontend
         uses: ./.github/actions/build-frontend
         with:
-          turbo-token: ${{ secrets.TURBO_TOKEN }}
-          codecov-token: ${{ secrets.CODECOV_TOKEN }}
+          turbo-token: ${{ steps.secrets.outputs.TURBO_TOKEN }}
+          codecov-token: ${{ steps.secrets.outputs.CODECOV_TOKEN }}
 
       - name: 🐍 Setup uv
         uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7