RWX has been a long time customer of Depot. It's the fastest way to build Docker images, and we use it for all of our applications.
We've built Mint to be the fastest CI platform, so we knew we needed to make Depot available. And now it is!
We're excited to announce that Mint is now available as a Trusted Relationship in Depot. This means that you can authenticate into Depot from Mint using OIDC, which generates short-lived tokens unique to each Mint run.
Mint with Depot is the fastest way to build Docker images on CI
Persistent Infrastructure for CI
CI platforms generally use ephemeral infrastructure. This has significant advantages in ensuring that there isn't ever any state left over from previous executions that could affect later executions. However, it also comes at a significant cost. Using a fresh VM for every CI run means that some operations, like building Docker images, are going to be slower than necessary.
The solution to this problem is to use a remote Docker builder that has a persistent cache, rather than building directly on CI. Depot offers the best infrastructure to do that.
How to use Depot from Mint
You may want to read through the full Mint OIDC documentation, but we'll give you an idea of how it works here.
To use Depot with Mint, you'll need to:
- Configure Depot in your Mint Vault
- Configure Mint as a Trusted Relationship in Depot
- Install the Depot CLI in a Mint task
- Set the
DEPOT_TOKENenvironment variable to the vault OIDC token when you calldepot build
Configure Depot in Mint
Mint Vaults control which Mint runs can access which sensitive values.
If you're building container images on feature branches, you can configure Depot in the default vault.
If you're building on a protected branch like main, then you may want to set up Depot in a locked vault.
See the docs on vaults for more details on how to configure your vaults.
Conventionally, choose depot for your token name. Set the audience to https://depot.dev
Configure Mint in Depot
Under your settings in Depot, look for "Trust Relationships."
Click on "Add Trust Relationship," and then choose "Mint" for the provider.
You'll be prompted to enter an "OIDC Subject."
Copy and paste the subject that is displayed in the Mint Vault UI.
It'll be displayed in the format mint:your-org-uuid:your-vault-name.
See the Depot docs on trust relationships for more details.
Install the Depot CLI in a Mint task
You can use the depot/install-cli leaf to easily install the CLI.
1 2 3tasks: - key: depot-cli call: depot/install-cli 1.0.0
And you can now define a task which uses the depot-cli and authenticates via OIDC!
1 2 3 4 5 6 7 8 9 10 11 12tasks: - key: depot-cli call: depot/install-cli 1.0.0 - key: build-image use: [depot-cli] run: depot build --project "$DEPOT_PROJECT" . env: DEPOT_PROJECT: your-depot-project-key DEPOT_TOKEN: value: ${{ vaults.your-vault.oidc.your-token-name-usually-depot }} cache-key: excluded
Support
That's it! If you have any questions, feel free to reach out to either RWX support or Depot support.
Related posts
Read more on updates and advice from the RWX engineering team
You Shouldn't Have To Change Your Cron Schedules Every Six Months
RWX supports more flexibility with cron schedules, such as specifying time zones, than what is available on Github Actions.
