Depot adds support for Mint, making the fastest Docker builder available on the fastest CI
Depot adds support for Mint, making the fastest Docker builder available on the fastest CI
by Dan Manges

Depot adds support for Mint, making the fastest Docker builder available on the fastest CI

RWX has been a long time customer of Depot. It's the fastest way to build Docker images, and we use it for all of our applications.

We've built Mint to be the fastest CI platform, so we knew we needed to make Depot available. And now it is!

We're excited to announce that Mint is now available as a Trusted Relationship in Depot. This means that you can authenticate into Depot from Mint using OIDC, which generates short-lived tokens unique to each Mint run.

Mint with Depot is the fastest way to build Docker images on CI

Persistent Infrastructure for CI

CI platforms generally use ephemeral infrastructure. This has significant advantages in ensuring that there isn't ever any state left over from previous executions that could affect later executions. However, it also comes at a significant cost. Using a fresh VM for every CI run means that some operations, like building Docker images, are going to be slower than necessary.

The solution to this problem is to use a remote Docker builder that has a persistent cache, rather than building directly on CI. Depot offers the best infrastructure to do that.

How to use Depot from Mint

You may want to read through the full Mint OIDC documentation, but we'll give you an idea of how it works here.

To use Depot with Mint, you'll need to:

  • Configure Depot in your Mint Vault
  • Configure Mint as a Trusted Relationship in Depot
  • Install the Depot CLI in a Mint task
  • Set the DEPOT_TOKEN environment variable to the vault OIDC token when you call depot build

Configure Depot in Mint

Mint Vaults control which Mint runs can access which sensitive values. If you're building container images on feature branches, you can configure Depot in the default vault. If you're building on a protected branch like main, then you may want to set up Depot in a locked vault.

See the docs on vaults for more details on how to configure your vaults.

Conventionally, choose depot for your token name. Set the audience to https://depot.dev

Configure Mint in Depot

Under your settings in Depot, look for "Trust Relationships." Click on "Add Trust Relationship," and then choose "Mint" for the provider. You'll be prompted to enter an "OIDC Subject." Copy and paste the subject that is displayed in the Mint Vault UI. It'll be displayed in the format mint:your-org-uuid:your-vault-name.

See the Depot docs on trust relationships for more details.

Install the Depot CLI in a Mint task

You can use the depot/install-cli leaf to easily install the CLI.

1
2
3
tasks:
  - key: depot-cli
    call: depot/install-cli 1.0.0

And you can now define a task which uses the depot-cli and authenticates via OIDC!

1
2
3
4
5
6
7
8
9
10
11
12
tasks:
  - key: depot-cli
    call: depot/install-cli 1.0.0

  - key: build-image
    use: [depot-cli]
    run: depot build --project "$DEPOT_PROJECT" .
    env:
      DEPOT_PROJECT: your-depot-project-key
      DEPOT_TOKEN:
        value: ${{ vaults.your-vault.oidc.your-token-name-usually-depot }}
        cache-key: excluded

Support

That's it! If you have any questions, feel free to reach out to either RWX support or Depot support.

Enjoyed this post? Share it!