moonrepo

moonrepo is a repository management, organization, orchestration, and notification tool for the web ecosystem, written in Rust. Many of the concepts within moon are heavily inspired from Bazel and other popular build systems.

Depot Cache provides a remote cache service that can be used with moonrepo, allowing you to incrementally cache and reuse parts of your builds. This cache is accessible from anywhere, both on your local machine and on CI/CD systems.

Configuring moonrepo to use Depot Cache

Depot Cache can be used with moonrepo from Depot's managed GitHub Actions runners, from your local machine, from any CI/CD system, or within containerized builds using Dockerfiles or Bake files.

From Depot-managed Actions runners

Depot GitHub Actions runners are pre-configured to use Depot Cache with moonrepo - each runner is launched with the necessary environment variables for accessing Depot Cache.

If you don't want Depot to override the moonrepo workspace configuration on each runner, disable Allow Actions jobs to automatically connect to Depot Cache in your organization settings page. You can manually configure moonrepo to use Depot Cache as described in the "Using Depot Cache from your local machine or any CI/CD system" section.

Using Depot Cache with moonrepo in depot/build-push-action

When using depot/build-push-action to build Docker images that contain moonrepo workspaces, your build needs access to moonrepo's remote cache credentials to benefit from caching.

These credentials are not automatically available inside your Docker build environment. Unlike builds running directly on Depot-managed GitHub Actions runners (which have automatic access to Depot Cache environment variables), containerized builds execute in isolated VMs that require explicit configuration.

Follow these steps to securely pass your moonrepo credentials into your Docker build:

1. Store the Depot token in a GitHub Secret named DEPOT_TOKEN.

2. Configure moonrepo to read the Depot token from an environment variable in .moon/workspace.yml:

unstable_remote:
  host: 'grpcs://cache.depot.dev'
  auth:
    token: 'DEPOT_TOKEN'

3. Configure your GitHub Action to pass secrets to the container build:

- name: Build and push
  uses: depot/build-push-action@v1
  with:
    context: .
    file: ./Dockerfile
    push: true
    tags: your-image:tag
    secrets: |
      "DEPOT_TOKEN=${{ secrets.DEPOT_TOKEN }}"

4. Update your Dockerfile to copy the workspace configuration and run the build with mounted secret:

# syntax=docker/dockerfile:1

# ... other Dockerfile instructions

# Copy moonrepo workspace configuration
COPY .moon/workspace.yml .moon/workspace.yml

# Mount secret as environment variable and run build
RUN --mount=type=secret,id=DEPOT_TOKEN,env=DEPOT_TOKEN \
    moon run build

Adding # syntax=docker/dockerfile:1 as the first line of your Dockerfile enables mounting secrets as environment variables.

Using Depot Cache from your local machine or any CI/CD system

To manually configure moon to use Depot Cache, you will need to set a DEPOT_TOKEN environment variable with an organization or user token and add the following to your .moon/workspace.yml file:

unstable_remote:
  host: 'grpcs://cache.depot.dev'
  auth:
    token: 'DEPOT_TOKEN'

If you are using a user token and are a member of more than one organization, you will additionally need to set an X-Depot-Org header to your Depot organization ID in .moon/workspace.yml:

unstable_remote:
  host: 'grpcs://cache.depot.dev'
  auth:
    token: 'DEPOT_TOKEN'
    headers:
      'X-Depot-Org': '<your-org-id>'

See moonrepo's remote cache documentation for more details.

After moonrepo is configured to use Depot Cache, you can then run your builds as you normally would. moonrepo will automatically communicate with Depot Cache to fetch and reuse any stored build artifacts from your previous builds.

Using Depot Cache with moonrepo in Depot CLI

When building directly with Depot CLI, follow these steps:

1. Configure moonrepo to read the Depot token from an environment variable in .moon/workspace.yml:

unstable_remote:
  host: 'grpcs://cache.depot.dev'
  auth:
    token: 'DEPOT_TOKEN'

2. Update your Dockerfile to copy the workspace configuration and mount the secret:

# syntax=docker/dockerfile:1

# ... other Dockerfile instructions

# Copy moonrepo workspace configuration
COPY .moon/workspace.yml .moon/workspace.yml

# Mount secret as environment variable and run build
RUN --mount=type=secret,id=DEPOT_TOKEN,env=DEPOT_TOKEN \
    moon run build

Adding # syntax=docker/dockerfile:1 as the first line of your Dockerfile enables mounting secrets as environment variables.

3. Build with Depot CLI:

depot build --secret id=DEPOT_TOKEN,env=DEPOT_TOKEN -t your-image:tag .

Or with Docker Buildx:

docker buildx build --secret id=DEPOT_TOKEN,env=DEPOT_TOKEN -t your-image:tag .

Using Depot Cache with moonrepo in Bake files

When using Bake files to build Docker images containing moonrepo workspaces, you can pass secrets through the target.secret attribute:

1. Configure moonrepo to read the Depot token from an environment variable in .moon/workspace.yml:

unstable_remote:
  host: 'grpcs://cache.depot.dev'
  auth:
    token: 'DEPOT_TOKEN'

2. Define the secret in your docker-bake.hcl file:

target "default" {
  context    = "."
  dockerfile = "Dockerfile"
  tags       = ["your-image:tag"]
  secret = [
    {
      type = "env"
      id   = "DEPOT_TOKEN"
    }
  ]
}

3. Update your Dockerfile to copy the workspace configuration and run the build with mounted secret:

# syntax=docker/dockerfile:1

# ... other Dockerfile instructions

# Copy moonrepo workspace configuration
COPY .moon/workspace.yml .moon/workspace.yml

# Mount secret as environment variable and run build
RUN --mount=type=secret,id=DEPOT_TOKEN,env=DEPOT_TOKEN \
    moon run build

Adding # syntax=docker/dockerfile:1 as the first line of your Dockerfile enables mounting secrets as environment variables.

4. Run the build with depot bake:

DEPOT_TOKEN=your_token depot bake