feat: run integration tests against Docker containers

.github/workflows/test.yml

@@ -6,17 +6,6 @@ on:
       ref:
         required: true
         type: string
-    secrets:
-      BASE_URL:
-        required: false
-      AUTH_TOKEN:
-        required: false
-      JWT_KEY:
-        required: false
-      CLIENT_ID:
-        required: false
-      CLIENT_SECRET:
-        required: false
 
 defaults:
   run:
@@ -53,12 +42,6 @@ jobs:
 
       - name: Run Tests
         run: poetry run pytest --junitxml=build/reports/junit.xml
-        env:
-          BASE_URL: ${{ secrets.BASE_URL }}
-          AUTH_TOKEN: ${{ secrets.AUTH_TOKEN }}
-          JWT_KEY: ${{ secrets.JWT_KEY }}
-          CLIENT_ID: ${{ secrets.CLIENT_ID }}
-          CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
 
       - name: Upload Results
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2

etc/docker-compose.yaml

@@ -0,0 +1,89 @@
+services:
+  db:
+    image: postgres:17-alpine
+    restart: unless-stopped
+    environment:
+      POSTGRES_USER: root
+      POSTGRES_PASSWORD: postgres
+    networks:
+      - storage
+    healthcheck:
+      test: [ "CMD-SHELL", "pg_isready", "-d", "db_prod" ]
+      interval: 10s
+      timeout: 60s
+      retries: 5
+      start_period: 10s
+    volumes:
+      - data:/var/lib/postgresql/data:rw
+
+  zitadel-init:
+    restart: 'no'
+    networks:
+      - storage
+    image: 'ghcr.io/zitadel/zitadel:latest'
+    command: 'init --config /example-zitadel-config.yaml --config /example-zitadel-secrets.yaml'
+    depends_on:
+      db:
+        condition: 'service_healthy'
+    volumes:
+      - './example-zitadel-config.yaml:/example-zitadel-config.yaml:ro'
+      - './example-zitadel-secrets.yaml:/example-zitadel-secrets.yaml:ro'
+      - './zitadel_output:/var/zitadel_output:rw'
+
+  zitadel-setup:
+    restart: 'no'
+    networks:
+      - storage
+    image: 'ghcr.io/zitadel/zitadel:latest-debug'
+    user: root
+    entrypoint: '/bin/bash'
+    command: [ "-c", "/app/zitadel setup --config /example-zitadel-config.yaml --config /example-zitadel-secrets.yaml --steps /example-zitadel-init-steps.yaml --masterkey \"my_test_masterkey_0123456789ABEF\" && echo \"--- ZITADEL SETUP COMPLETE ---\" && echo \"Personal Access Token (PAT) will be in ./zitadel_output/pat.txt on your host.\" && echo \"Service Account Key will be in ./zitadel_output/sa-key.json on your host.\" && echo \"OAuth Client ID and Secret will be in 'zitadel' service logs (grep for 'Application created').\"" ]
+    environment:
+      - PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/app
+    depends_on:
+      zitadel-init:
+        condition: 'service_completed_successfully'
+        restart: false
+    volumes:
+      - './zitadel_output:/var/zitadel_output:rw'
+      - './example-zitadel-config.yaml:/example-zitadel-config.yaml:ro'
+      - './example-zitadel-secrets.yaml:/example-zitadel-secrets.yaml:ro'
+      - './example-zitadel-init-steps.yaml:/example-zitadel-init-steps.yaml:ro'
+
+  zitadel:
+    restart: 'unless-stopped'
+    networks:
+      - backend
+      - storage
+    image: 'ghcr.io/zitadel/zitadel:latest'
+    command: >
+      start --config /example-zitadel-config.yaml
+      --config /example-zitadel-secrets.yaml
+      --masterkey my_test_masterkey_0123456789ABEF
+    depends_on:
+      zitadel-setup:
+        condition: 'service_completed_successfully'
+        restart: true
+    volumes:
+      - './example-zitadel-config.yaml:/example-zitadel-config.yaml:ro'
+      - './example-zitadel-secrets.yaml:/example-zitadel-secrets.yaml:ro'
+      - './zitadel_output:/var/zitadel_output:rw'
+    ports:
+      - "8099:8080"
+    healthcheck:
+      test: [
+        "CMD", "/app/zitadel", "ready",
+        "--config", "/example-zitadel-config.yaml",
+        "--config", "/example-zitadel-secrets.yaml"
+      ]
+      interval: 10s
+      timeout: 60s
+      retries: 5
+      start_period: 10s
+
+networks:
+  storage: { }
+  backend: { }
+
+volumes:
+  data: { }

etc/example-zitadel-config.yaml

@@ -0,0 +1,17 @@
+ExternalSecure: false
+ExternalDomain: localhost
+ExternalPort: 8080
+TLS.Enabled: false
+Database:
+  postgres:
+    Host: 'db'
+    Port: 5432
+    Database: zitadel
+    User.SSL.Mode: 'disable'
+    Admin.SSL.Mode: 'disable'
+OIDC:
+  DefaultLoginURLV2: "/ui/v2/login/login?authRequest="
+  DefaultLogoutURLV2: "/ui/v2/login/logout?post_logout_redirect="
+SAML.DefaultLoginURLV2: "/ui/v2/login/login?authRequest="
+LogStore.Access.Stdout.Enabled: true
+DefaultInstance.LoginPolicy.MfaInitSkipLifetime: "0s"

etc/example-zitadel-init-steps.yaml

@@ -0,0 +1,35 @@
+FirstInstance:
+  MachineKeyPath: '/var/zitadel_output/sa-key.json'
+  PatPath: '/var/zitadel_output/pat.txt'
+  Org:
+    Human:
+      PasswordChangeRequired: false
+      Username: zitadel-admin@zitadel.localhost
+      Password: Password1!
+    Machine:
+      Machine:
+        Username: api-user
+        Name: Combined API User
+      MachineKey:
+        ExpirationDate: '2030-01-01T00:00:00Z'
+        Type: 1
+      Pat:
+        ExpirationDate: '2030-01-01T00:00:00Z'
+  Applications:
+    - OIDC:
+        RedirectUris:
+          - http://localhost:8080/callback
+          - http://127.0.0.1:8080/callback
+        ResponseTypes:
+          - CODE
+          - ID_TOKEN
+          - TOKEN
+        GrantTypes:
+          - AUTHORIZATION_CODE
+          - IMPLICIT
+          - REFRESH_TOKEN
+          - CLIENT_CREDENTIALS
+        AuthMethodType: POST
+      Name: 'MyOAuthAPIClient'
+      Type: 'WEB'
+DefaultInstance.LoginPolicy.MfaInitSkipLifetime: "0s"

etc/example-zitadel-secrets.yaml

@@ -0,0 +1,8 @@
+Database:
+  postgres:
+    User:
+      Username: 'zitadel_user'
+      Password: 'zitadel'
+    Admin:
+      Username: 'root'
+      Password: 'postgres'

spec/auth/using_access_token_spec.py

@@ -1,29 +1,12 @@
-import os
+from typing import Dict
 
 import pytest
 
 import zitadel_client as zitadel
+from spec.base_spec import docker_compose as docker_compose
 from zitadel_client.exceptions import ZitadelError
 
 
-@pytest.fixture(scope="module")
-def base_url() -> str:
-    """Provides the base URL for tests, skipping if unset."""
-    url = os.getenv("BASE_URL")
-    if not url:
-        pytest.skip("Environment variable BASE_URL must be set", allow_module_level=True)
-    return url
-
-
-@pytest.fixture(scope="module")
-def auth_token() -> str:
-    """Provides the auth token for tests, skipping if unset."""
-    url = os.getenv("AUTH_TOKEN")
-    if not url:
-        pytest.skip("Environment variable AUTH_TOKEN must be set", allow_module_level=True)
-    return url
-
-
 class TestUseAccessTokenSpec:
     """
     SettingsService Integration Tests (Personal Access Token)
@@ -37,25 +20,18 @@ class TestUseAccessTokenSpec:
     Each test instantiates a new client to ensure a clean, stateless call.
     """
 
-    def test_retrieves_general_settings_with_valid_token(
-        self,
-        base_url: str,
-        auth_token: str,
-    ) -> None:
+    def test_retrieves_general_settings_with_valid_token(self, docker_compose: Dict[str, str]) -> None:  # noqa F811
         """Retrieves general settings successfully with a valid access token."""
         client = zitadel.Zitadel.with_access_token(
-            base_url,
-            auth_token,
+            docker_compose["base_url"],
+            docker_compose["auth_token"],
         )
         client.settings.settings_service_get_general_settings()
 
-    def test_raises_api_exception_with_invalid_token(
-        self,
-        base_url: str,
-    ) -> None:
+    def test_raises_api_exception_with_invalid_token(self, docker_compose: Dict[str, str]) -> None:  # noqa F811
         """Raises ApiException when using an invalid access token."""
         client = zitadel.Zitadel.with_access_token(
-            base_url,
+            docker_compose["base_url"],
             "invalid",
         )
         with pytest.raises(ZitadelError):