metal-stack · Gerrit91 · Sep 15, 2025 · Sep 15, 2025 · Sep 15, 2025 · Sep 15, 2025
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
@@ -21,18 +21,18 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version-file: 'go.mod'
           cache: false
 
       - name: Lint
-        uses: golangci/golangci-lint-action@v7
+        uses: golangci/golangci-lint-action@v8
         with:
-          args: --build-tags integration -D protogetter --timeout=5m
+          args: --build-tags integration --timeout=5m
 
       - name: Test
         run: |
@@ -58,10 +58,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version-file: 'go.mod'
 
@@ -117,7 +117,7 @@ jobs:
           cp bin/* metal/${TARGET_BINARY_LOCATION}/
 
       - name: Upload Release Asset
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           files: |

diff --git a/.github/workflows/release-drafter.yaml b/.github/workflows/release-drafter.yaml
@@ -10,6 +10,6 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: release-drafter/release-drafter@v5
+    - uses: release-drafter/release-drafter@v6
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/cmd/admin/v1/token.go b/cmd/admin/v1/token.go
@@ -58,7 +58,7 @@ func (c *token) List() ([]*apiv2.Token, error) {
 	req := &adminv2.TokenServiceListRequest{}
 
 	if viper.IsSet("user") {
-		req.UserId = pointer.Pointer(viper.GetString("user"))
+		req.User = pointer.Pointer(viper.GetString("user"))
 	}
 
 	resp, err := c.c.Client.Adminv2().Token().List(ctx, connect.NewRequest(req))
@@ -82,8 +82,8 @@ func (c *token) Delete(id string) (*apiv2.Token, error) {
 	}
 
 	req := &adminv2.TokenServiceRevokeRequest{
-		Uuid:   id,
-		UserId: viper.GetString("user"),
+		Uuid: id,
+		User: viper.GetString("user"),
 	}
 
 	_, err := c.c.Client.Adminv2().Token().Revoke(ctx, connect.NewRequest(req))

diff --git a/cmd/api/v1/project.go b/cmd/api/v1/project.go
@@ -402,8 +402,8 @@ func (c *project) removeMember(args []string) error {
 	defer cancel()
 
 	_, err = c.c.Client.Apiv2().Project().RemoveMember(ctx, connect.NewRequest(&apiv2.ProjectServiceRemoveMemberRequest{
-		Project:  c.c.GetProject(),
-		MemberId: member,
+		Project: c.c.GetProject(),
+		Member:  member,
 	}))
 	if err != nil {
 		return fmt.Errorf("failed to remove member from project: %w", err)
@@ -424,9 +424,9 @@ func (c *project) updateMember(args []string) error {
 	defer cancel()
 
 	resp, err := c.c.Client.Apiv2().Project().UpdateMember(ctx, connect.NewRequest(&apiv2.ProjectServiceUpdateMemberRequest{
-		Project:  c.c.GetProject(),
-		MemberId: member,
-		Role:     apiv2.ProjectRole(apiv2.ProjectRole_value[viper.GetString("role")]),
+		Project: c.c.GetProject(),
+		Member:  member,
+		Role:    apiv2.ProjectRole(apiv2.ProjectRole_value[viper.GetString("role")]),
 	}))
 	if err != nil {
 		return fmt.Errorf("failed to update member: %w", err)

diff --git a/cmd/api/v1/tenant.go b/cmd/api/v1/tenant.go
@@ -257,8 +257,7 @@ func (c *tenant) createRequestFromCLI() (*apiv2.TenantServiceCreateRequest, erro
 		Name:        viper.GetString("name"),
 		Description: pointer.PointerOrNil(viper.GetString("description")),
 		Email:       pointer.PointerOrNil(viper.GetString("email")),
-		AvatarUrl:   pointer.PointerOrNil(viper.GetString("phone")),
-		PhoneNumber: pointer.PointerOrNil(viper.GetString("avatar-url")),
+		AvatarUrl:   pointer.PointerOrNil(viper.GetString("avatar-url")),
 	}, nil
 }
 
@@ -398,8 +397,8 @@ func (c *tenant) removeMember(args []string) error {
 	defer cancel()
 
 	_, err = c.c.Client.Apiv2().Tenant().RemoveMember(ctx, connect.NewRequest(&apiv2.TenantServiceRemoveMemberRequest{
-		Login:    tenant,
-		MemberId: member,
+		Login:  tenant,
+		Member: member,
 	}))
 	if err != nil {
 		return fmt.Errorf("failed to remove member from tenant: %w", err)
@@ -425,9 +424,9 @@ func (c *tenant) updateMember(args []string) error {
 	defer cancel()
 
 	resp, err := c.c.Client.Apiv2().Tenant().UpdateMember(ctx, connect.NewRequest(&apiv2.TenantServiceUpdateMemberRequest{
-		Login:    tenant,
-		MemberId: member,
-		Role:     apiv2.TenantRole(apiv2.TenantRole_value[viper.GetString("role")]),
+		Login:  tenant,
+		Member: member,
+		Role:   apiv2.TenantRole(apiv2.TenantRole_value[viper.GetString("role")]),
 	}))
 	if err != nil {
 		return fmt.Errorf("failed to update member: %w", err)

diff --git a/cmd/config/config.go b/cmd/config/config.go
@@ -51,22 +51,6 @@ func (c *Config) NewRequestContext() (context.Context, context.CancelFunc) {
 	return context.WithTimeout(context.Background(), *timeout)
 }
 
-func HelpTemplate() string {
-	return `Here is how an template configuration looks like:
-~/.metal-stack/config.yaml
----
-current: dev
-previous: prod
-contexts:
-    - name: dev
-    api-token: <dev-token>
-    default-project: dev-project
-    - name: prod
-    api-token: <prod-token>
-        default-project: prod-project
-`
-}
-
 func DefaultConfigDirectory() (string, error) {
 	h, err := os.UserHomeDir()
 	if err != nil {
@@ -136,3 +120,10 @@ func (c *Config) GetApiURL() string {
 	// fallback to the default specified by viper
 	return viper.GetString("api-url")
 }
+
+func (c *Config) GetProvider() string {
+	if viper.IsSet("provider") {
+		return viper.GetString("provider")
+	}
+	return c.Context.Provider
+}
diff --git a/cmd/config/context.go b/cmd/config/context.go
@@ -29,12 +29,11 @@ type Context struct {
 	Token          string         `json:"api-token"`
 	DefaultProject string         `json:"default-project"`
 	Timeout        *time.Duration `json:"timeout,omitempty"`
+	Provider       string         `json:"provider"`
 }
 
 func (cs *Contexts) Get(name string) (*Context, bool) {
 	for _, context := range cs.Contexts {
-		context := context
-
 		if context.Name == name {
 			return context, true
 		}
@@ -44,22 +43,12 @@ func (cs *Contexts) Get(name string) (*Context, bool) {
 }
 
 func (cs *Contexts) List() []*Context {
-	var res []*Context
-
-	for _, context := range cs.Contexts {
-		context := context
-
-		res = append(res, context)
-	}
-
-	return res
+	return append([]*Context{}, cs.Contexts...)
 }
 
 func (cs *Contexts) Validate() error {
 	names := map[string]bool{}
 	for _, context := range cs.Contexts {
-		context := context
-
 		names[context.Name] = true
 	}
 
@@ -132,10 +121,12 @@ func (c *Config) MustDefaultContext() Context {
 	if err != nil {
 		return defaultCtx()
 	}
+
 	ctx, ok := ctxs.Get(ctxs.CurrentContext)
 	if !ok {
 		return defaultCtx()
 	}
+
 	return *ctx
 }
 
@@ -153,7 +144,6 @@ func (c *Config) ContextListCompletion(cmd *cobra.Command, args []string, toComp
 	}
 	var names []string
 	for _, ctx := range ctxs.Contexts {
-		ctx := ctx
 		names = append(names, ctx.Name)
 	}
 	return names, cobra.ShellCompDirectiveNoFileComp

diff --git a/cmd/context.go b/cmd/context.go
@@ -26,7 +26,6 @@ func newContextCmd(c *config.Config) *cobra.Command {
 		Aliases: []string{"ctx"},
 		Short:   "manage cli contexts",
 		Long:    "you can switch back and forth contexts with \"-\"",
-		Example: config.HelpTemplate(),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			if len(args) == 0 {
 				return w.list()
@@ -92,6 +91,7 @@ func newContextCmd(c *config.Config) *cobra.Command {
 	contextAddCmd.Flags().String("default-project", "", "sets a default project to act on")
 	contextAddCmd.Flags().Duration("timeout", 0, "sets a default request timeout")
 	contextAddCmd.Flags().Bool("activate", false, "immediately switches to the new context")
+	contextAddCmd.Flags().String("provider", "", "sets the login provider for this context")
 
 	genericcli.Must(contextAddCmd.MarkFlagRequired("api-token"))
 
@@ -108,6 +108,7 @@ func newContextCmd(c *config.Config) *cobra.Command {
 	contextUpdateCmd.Flags().String("default-project", "", "sets a default project to act on")
 	contextUpdateCmd.Flags().Duration("timeout", 0, "sets a default request timeout")
 	contextUpdateCmd.Flags().Bool("activate", false, "immediately switches to the new context")
+	contextUpdateCmd.Flags().String("provider", "", "sets the login provider for this context")
 
 	genericcli.Must(contextUpdateCmd.RegisterFlagCompletionFunc("default-project", c.Completion.ProjectListCompletion))
 
@@ -171,6 +172,7 @@ func (c *ctx) add(args []string) error {
 		Token:          viper.GetString("api-token"),
 		DefaultProject: viper.GetString("default-project"),
 		Timeout:        pointer.PointerOrNil(viper.GetDuration("timeout")),
+		Provider:       viper.GetString("provider"),
 	}
 
 	ctxs.Contexts = append(ctxs.Contexts, ctx)
@@ -218,6 +220,9 @@ func (c *ctx) update(args []string) error {
 	if viper.IsSet("timeout") {
 		ctx.Timeout = pointer.PointerOrNil(viper.GetDuration("timeout"))
 	}
+	if viper.IsSet("provider") {
+		ctx.Provider = viper.GetString("provider")
+	}
 	if viper.GetBool("activate") {
 		ctxs.PreviousContext = ctxs.CurrentContext
 		ctxs.CurrentContext = ctx.Name

diff --git a/cmd/login.go b/cmd/login.go
@@ -14,8 +14,10 @@ import (
 	apiv2 "github.com/metal-stack/api/go/metalstack/api/v2"
 	"github.com/metal-stack/cli/cmd/config"
 	"github.com/metal-stack/metal-lib/pkg/genericcli"
+	"github.com/metal-stack/metal-lib/pkg/pointer"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
+	"google.golang.org/protobuf/types/known/durationpb"
 )
 
 type login struct {
@@ -36,15 +38,18 @@ func newLoginCmd(c *config.Config) *cobra.Command {
 	}
 
 	loginCmd.Flags().String("provider", "oidc", "the provider used to login with")
-	loginCmd.Flags().String("context-name", "", "the context into which the token gets injected, if not specified it uses the current context or creates a context named default in case there is no current context set")
+	loginCmd.Flags().String("context", "", "the context into which the token gets injected, if not specified it uses the current context or creates a context named default in case there is no current context set")
+	loginCmd.Flags().String("admin-role", "", "operators can use this flag to issue an admin token with the token retrieved from login and store this into context")
 
+	genericcli.Must(loginCmd.Flags().MarkHidden("admin-role"))
 	genericcli.Must(loginCmd.RegisterFlagCompletionFunc("provider", cobra.FixedCompletions([]string{"oidc"}, cobra.ShellCompDirectiveNoFileComp)))
+	genericcli.Must(loginCmd.RegisterFlagCompletionFunc("admin-role", c.Completion.TokenAdminRoleCompletion))
 
 	return loginCmd
 }
 
 func (l *login) login() error {
-	provider := viper.GetString("provider")
+	provider := l.c.GetProvider()
 	if provider == "" {
 		return errors.New("provider must be specified")
 	}
@@ -55,22 +60,26 @@ func (l *login) login() error {
 	}
 
 	ctxName := ctxs.CurrentContext
-	if viper.IsSet("context-name") {
-		ctxName = viper.GetString("context-name")
+	if viper.IsSet("context") {
+		ctxName = viper.GetString("context")
 	}
-
 	ctx, ok := ctxs.Get(ctxName)
 	if !ok {
-		defaultCtx := l.c.MustDefaultContext()
-		defaultCtx.Name = "default"
-
-		ctxs.PreviousContext = ctxs.CurrentContext
-		ctxs.CurrentContext = ctxName
+		newCtx := l.c.MustDefaultContext()
+		newCtx.Name = "default"
+		if viper.IsSet("context") {
+			newCtx.Name = viper.GetString("context")
+		}
+		newCtx.ApiURL = pointer.Pointer(l.c.GetApiURL())
+		ctxs.Contexts = append(ctxs.Contexts, &newCtx)
+		ctx = &newCtx
+	}
 
-		ctxs.Contexts = append(ctxs.Contexts, &defaultCtx)
+	ctx.Provider = provider
 
-		ctx = &defaultCtx
-	}
+	// switch into new context
+	ctxs.PreviousContext = ctxs.CurrentContext
+	ctxs.CurrentContext = ctx.Name
 
 	tokenChan := make(chan string)
 
@@ -114,6 +123,24 @@ func (l *login) login() error {
 		return errors.New("no token was retrieved")
 	}
 
+	if viper.IsSet("admin-role") {
+		mc, err := newApiClient(l.c.GetApiURL(), token)
+		if err != nil {
+			return err
+		}
+
+		tokenResp, err := mc.Apiv2().Token().Create(context.Background(), connect.NewRequest(&apiv2.TokenServiceCreateRequest{
+			Description: "admin access issues by metal cli",
+			Expires:     durationpb.New(3 * time.Hour),
+			AdminRole:   pointer.Pointer(apiv2.AdminRole((apiv2.AdminRole_value[viper.GetString("admin-role")]))),
+		}))
+		if err != nil {
+			return fmt.Errorf("unable to issue admin token: %w", err)
+		}
+
+		token = tokenResp.Msg.Secret
+	}
+
 	ctx.Token = token
 
 	if ctx.DefaultProject == "" {

diff --git a/cmd/sorters/token.go b/cmd/sorters/token.go
@@ -11,7 +11,7 @@ func TokenSorter() *multisort.Sorter[*apiv2.Token] {
 			return multisort.Compare(a.Uuid, b.Uuid, descending)
 		},
 		"user": func(a, b *apiv2.Token, descending bool) multisort.CompareResult {
-			return multisort.Compare(a.UserId, b.UserId, descending)
+			return multisort.Compare(a.User, b.User, descending)
 		},
 		"type": func(a, b *apiv2.Token, descending bool) multisort.CompareResult {
 			return multisort.Compare(a.TokenType.String(), b.TokenType.String(), descending)