Migrate deployment auth to CI tokens

CI tokens are becoming the supported way to authenticate deployments from build pipelines. CI tokens are organization-scoped credentials made for CI/CD and use the ZE_CI_TOKEN environment variable.

This migration affects both older deployment-auth paths:

  • Server tokens are going away.
  • Personal tokens remain available, but personal-token deployment auth is going away.

Use this guide when an existing pipeline authenticates Zephyr with ZE_SERVER_TOKEN and ZE_USER_EMAIL, or with ZE_SECRET_TOKEN.

Before you start

  • You need access to the organization settings in Zephyr Cloud.
  • Keep the existing deployment secret available until one CI-token build succeeds.
  • Update one repository or pipeline first, then repeat for the rest.

Create a CI token

  1. Open Zephyr Cloud.
  2. Go to Organization Settings.
  3. Open CI tokens.
  4. Generate a CI token.
  5. Copy the token value. It is only shown when the token is created.

Update GitHub Actions

Add the CI token as a repository or organization secret, then expose it as ZE_CI_TOKEN in the job that runs the Zephyr build.

.github/workflows/build.yml
env:
  ZE_CI_TOKEN: ${{ secrets.ZEPHYR_CI_TOKEN }}

Remove the old deployment-auth variables from that job:

# Remove these after ZE_CI_TOKEN is working.
ZE_SERVER_TOKEN: ${{ secrets.ZEPHYR_SERVER_TOKEN }}
ZE_USER_EMAIL: user@example.com
ZE_SECRET_TOKEN: ${{ secrets.ZEPHYR_PERSONAL_TOKEN }}

Update GitLab CI/CD

Add the CI token as a masked CI/CD variable, then expose it as ZE_CI_TOKEN.

.gitlab-ci.yml
build:
  stage: build
  script:
    - pnpm install --frozen-lockfile
    - pnpm build
  variables:
    ZE_CI_TOKEN: $ZE_CI_TOKEN

Remove ZE_SERVER_TOKEN, ZE_USER_EMAIL, and ZE_SECRET_TOKEN after the CI-token pipeline succeeds.

Verify the migration

Run the pipeline and confirm the Zephyr build authenticates without ZE_SERVER_TOKEN or ZE_SECRET_TOKEN.

If the build fails:

  • Confirm the secret name in the CI provider matches ZE_CI_TOKEN.
  • Confirm the CI token still exists in Zephyr Cloud.
  • Generate a new CI token if the original token value was lost.

Clean up old deployment tokens

After every pipeline for the repository uses ZE_CI_TOKEN, revoke the old server token from Organization Settings > Server Tokens.

If a personal token was only used for deployments, revoke it from your profile settings. If the personal token is used for non-deployment workflows, keep it there and remove it only from CI/CD deployment jobs.