Add --repo flag for repo-scoped CI secrets and variables

[121watts]

Summary

• Add --repo owner/name flag to depot ci secrets and depot ci vars subcommands (add, list, remove).
• Switch from depot.ci.v1 to the deployed depot.ci.v2 org/repo RPCs for secret and variable management.
• When --repo is omitted, behavior is unchanged (org-wide).

What was happening

The CLI could only manage org-wide secrets and variables. Repo-specific overrides had to be managed through the web UI.

What happens now

depot ci secrets add DB_URL --repo owner/repo --value "..." creates a repo-scoped secret that overrides the org-wide value at runtime. depot ci secrets list --repo owner/repo shows both org-wide and repo-specific entries with a scope column. Same pattern for variables.

Companion PRs:

• API: depot/api#3119 (merged)
• App: depot/app#2378

Made with Cursor

---

Note

Medium Risk
Switches secret/variable management from depot.ci.v1 to new v2 org/repo RPCs and changes CLI behavior based on --repo, which could impact existing workflows if request routing or formatting differs.

Overview
Enables repo-scoped CI secrets and variables by adding a --repo owner/repo flag to depot ci secrets and depot ci vars subcommands (add/list/remove), including updated help text, prompts, and table output showing a new scope column when listing with --repo.

Updates the CLI API layer to use depot.ci.v2 Connect clients for secrets/variables, adding org-vs-repo routing in CIAddSecretWithDescription, CIListSecrets, CIDeleteSecret, CIAddVariable, CIListVariables, and CIDeleteVariable, and extending returned metadata with a Scope field. Generated ci/v2 protobuf and Connect client code is added to support the new RPCs.

^{Written by Cursor Bugbot for commit ce543a0. This will update automatically on new commits. Configure here.}

[linear]

DEP-3330 Allow secret/variable to apply to specific repo or all

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: Stale v1 client constructors are now unused dead code
  • Removed the unused v1 client constructors newCISecretServiceClient and newCIVariableServiceClient as all API functions now use v2 clients.

Or push these changes by commenting:

@cursor push a9b7073dcb

Preview (a9b7073dcb)

diff --git a/pkg/api/ci.go b/pkg/api/ci.go
--- a/pkg/api/ci.go
+++ b/pkg/api/ci.go
@@ -103,11 +103,6 @@
 	return allRuns, nil
 }
 
-func newCISecretServiceClient() civ1connect.SecretServiceClient {
-	baseURL := baseURLFunc()
-	return civ1connect.NewSecretServiceClient(getHTTPClient(baseURL), baseURL, WithUserAgent())
-}
-
 func newCISecretServiceV2Client() civ2connect.SecretServiceClient {
 	baseURL := baseURLFunc()
 	return civ2connect.NewSecretServiceClient(getHTTPClient(baseURL), baseURL, WithUserAgent())
@@ -195,11 +190,6 @@
 	return err
 }
 
-func newCIVariableServiceClient() civ1connect.VariableServiceClient {
-	baseURL := baseURLFunc()
-	return civ1connect.NewVariableServiceClient(getHTTPClient(baseURL), baseURL, WithUserAgent())
-}
-
 func newCIVariableServiceV2Client() civ2connect.VariableServiceClient {
 	baseURL := baseURLFunc()
 	return civ2connect.NewVariableServiceClient(getHTTPClient(baseURL), baseURL, WithUserAgent())