fix: use oidc trust for depot in base image workflow

[wyattwalter]

Description

Tip

Add a TL;DR when the description is longer than 500 words or extremely technical (helps the content, marketing, and DevRel team).

Please also include relevant motivation and context. List any dependencies that are required for this change. Add links to Notion, Figma or any other documents that might be relevant to the PR.

Fixes broken base image update job due to token changes.

Fixes #Issue Number
or
Fixes Issue URL

Warning

If no issue exists, please create an issue first, and check with the maintainers if the issue is valid.

Automation

/ok-to-test tags=""

🔍 Cypress test results

Warning

Tests have not run on the HEAD eccd00a yet

---

Mon, 05 Jan 2026 14:45:24 UTC

Communication

Should the DevRel and Marketing teams inform users about this change?

• Yes
• No

Summary by CodeRabbit

• Chores
  • Updated Docker base image build workflow with streamlined configuration and refined security permissions.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

GitHub Actions workflow configuration simplified by removing QEMU and Docker Buildx setup steps, eliminating DEPOT_TOKEN environment variable injection, and adding explicit job permissions for contents and id-token access.

Changes

Cohort / File(s)	Summary
CI/CD Workflow Permissions & Setup .github/workflows/docker-base-image.yml	Added permissions block with contents: read and id-token: write. Removed QEMU and Docker Buildx setup steps before tag computation. Removed DEPOT_TOKEN environment variable from build-push step. Retained tag computation, depot setup, and build-push action steps.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐳 Permissions declared with pride,
Setup steps swept aside,
Docker builds simpler, lean,
The cleanest workflow we've seen! ✨

Pre-merge checks

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: migrating to OIDC trust for depot authentication in the base image workflow.
Description check	✅ Passed	The description provides context about fixing a broken job due to token changes but lacks specific issue reference and detailed motivation despite following the template structure.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8f25927 and eccd00a.

📒 Files selected for processing (1)

• .github/workflows/docker-base-image.yml

🔇 Additional comments (2)

.github/workflows/docker-base-image.yml (2)

17-19: LGTM - Correct OIDC permissions.

The permissions block properly enables OIDC authentication with id-token: write, allowing GitHub Actions to generate OIDC tokens for Depot.

---

44-59: The Depot OIDC configuration is correct.

The workflow has the required id-token: write permission (line 19) and both depot/setup-action@v1 and depot/build-push-action@v1 support OIDC authentication without a static token. This matches the pattern already used in other workflows in the repository (e.g., test-build-docker-image.yml, ad-hoc-docker-image.yml). Depot handles multi-platform builds natively, so the platforms: linux/arm64,linux/amd64 specification will work without additional setup.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[wyattwalter]

Removed these just because they're not used anymore.