Migrate deployment auth to CI tokens
CI tokens are becoming the supported way to authenticate deployments from build pipelines. CI tokens are organization-scoped credentials made for CI/CD and use the ZE_CI_TOKEN environment variable.
This migration affects both older deployment-auth paths:
- Server tokens are going away.
- Personal tokens remain available, but personal-token deployment auth is going away.
Use this guide when an existing pipeline authenticates Zephyr with ZE_SERVER_TOKEN and ZE_USER_EMAIL, or with ZE_SECRET_TOKEN.
Before you start
- You need access to the organization settings in Zephyr Cloud.
- Keep the existing deployment secret available until one CI-token build succeeds.
- Update one repository or pipeline first, then repeat for the rest.
Create a CI token
- Open Zephyr Cloud.
- Go to Organization Settings.
- Open CI tokens.
- Generate a CI token.
- Copy the token value. It is only shown when the token is created.
Update GitHub Actions
Add the CI token as a repository or organization secret, then expose it as ZE_CI_TOKEN in the job that runs the Zephyr build.
Remove the old deployment-auth variables from that job:
Update GitLab CI/CD
Add the CI token as a masked CI/CD variable, then expose it as ZE_CI_TOKEN.
Remove ZE_SERVER_TOKEN, ZE_USER_EMAIL, and ZE_SECRET_TOKEN after the CI-token pipeline succeeds.
Verify the migration
Run the pipeline and confirm the Zephyr build authenticates without ZE_SERVER_TOKEN or ZE_SECRET_TOKEN.
If the build fails:
- Confirm the secret name in the CI provider matches
ZE_CI_TOKEN. - Confirm the CI token still exists in Zephyr Cloud.
- Generate a new CI token if the original token value was lost.
Clean up old deployment tokens
After every pipeline for the repository uses ZE_CI_TOKEN, revoke the old server token from Organization Settings > Server Tokens.
If a personal token was only used for deployments, revoke it from your profile settings. If the personal token is used for non-deployment workflows, keep it there and remove it only from CI/CD deployment jobs.