Change github actions authentication to use workload identity federation (#1398)

* Change github actions authentication to use workload identity federation

Author: paoloredis

.github/workflows/main-staging.yml

@@ -6,13 +6,17 @@ jobs:
   build_docs:
     name: Build the staging documentation site
     runs-on: ubuntu-latest
+    permissions:
+      contents: 'read'
+      id-token: 'write'
     env:
       HUGO_VERSION: 0.143.1
       GCLOUD_VERSION: 458.0.1-linux-x86_64
       BUCKET: docs-staging-learn-redis-com
-      BUCKET_SERVICE_ACCOUNT: ${{ secrets.BUCKET_DOCUMENTATION_SA_STAGING }}
-      BUCKET_SECRET: ${{ secrets.BUCKET_DOCUMENTATION_STAGING }}
-      GCP_PROJECT: ${{ secrets.GCP_PROJECT_STAGING }}
+      STAGING_PROJECT_ID: ${{ secrets.GCP_PROJECT_STAGING }}
+      STAGING_SERVICE_ACCOUNT: ${{ secrets.STAGING_SERVICE_ACCOUNT }}
+      STAGING_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.STAGING_WORKLOAD_IDENTITY_PROVIDER }}
+
     steps:
     - name: Start
       run: echo "The name of the branch is ${{ github.ref }} on ${{ github.repository }}"
@@ -162,17 +166,20 @@ jobs:
       run: ls "${{ github.workspace }}/examples"
     - name: List files to be published
       run: ls "${{ github.workspace }}/public"    
-    - name: Install the Google Cloud CLI
-      run: |
-          wget -O ${{ github.workspace }}/google-cloud-cli.tar.gz "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-$GCLOUD_VERSION.tar.gz" \
-          && tar -xvf google-cloud-cli.tar.gz -C ${{ github.workspace }}\
-          && ${{ github.workspace }}/google-cloud-sdk/install.sh --quiet
-    - name: Prepare bucket authentication
-      run: echo $BUCKET_SECRET | base64 --decode > service_account.json && ls -a service_account.json
-    - name: Authenticate to the bucket
-      run: |
-          ./google-cloud-sdk/bin/gcloud auth activate-service-account $BUCKET_SERVICE_ACCOUNT --key-file=./service_account.json --project=$GCP_PROJECT \
-          && ./google-cloud-sdk/bin/gcloud auth list
+
+    - name: 'Google auth'
+      uses: 'google-github-actions/auth@v2'
+      with:
+        project_id: '${{ env.STAGING_PROJECT_ID }}'
+        service_account: '${{ env.STAGING_SERVICE_ACCOUNT }}'
+        workload_identity_provider: '${{ env.STAGING_WORKLOAD_IDENTITY_PROVIDER }}'
+
+    - name: 'Set up Cloud SDK'
+      uses: 'google-github-actions/setup-gcloud@v2'
+      with:
+        project_id: '${{ env.STAGING_PROJECT_ID }}'
+        version: '>= 363.0.0'
+
     - name: Sync the branch to the bucket
       run: |
           if [[ "${{ github.ref_name }}" == "main" ]]
@@ -187,7 +194,7 @@ jobs:
           else
             bucket_path=staging/${{ github.ref_name }}
           fi \
-          && ./google-cloud-sdk/bin/gsutil -m rsync -r -c -j html -d ${{ github.workspace }}/public gs://$BUCKET/$bucket_path
+          && gsutil -m rsync -r -c -j html -d ${{ github.workspace }}/public gs://$BUCKET/$bucket_path
 
           versioned_builds=($(find . -type d -regex ".*[0-9-]" -maxdepth 1 | sed -E 's/^.\///'))
           for versioned_build in "${versioned_builds[@]}"; do

.github/workflows/main.yml

@@ -6,13 +6,17 @@ jobs:
   build_docs:
     name: Build the production documentation site
     runs-on: ubuntu-latest
+    permissions:
+      contents: 'read'
+      id-token: 'write'
     env:
       HUGO_VERSION: 0.143.1
       GCLOUD_VERSION: 458.0.1-linux-x86_64
       BUCKET: docs-prod-learn-redis-com
-      BUCKET_SERVICE_ACCOUNT: ${{ secrets.BUCKET_DOCUMENTATION_SA_PROD }}
-      BUCKET_SECRET: ${{ secrets.BUCKET_DOCUMENTATION_PROD }}
-      GCP_PROJECT: ${{ secrets.GCP_PROJECT_PROD }}
+      PROD_PROJECT_ID: ${{ secrets.GCP_PROJECT_PROD }}
+      PROD_SERVICE_ACCOUNT: ${{ secrets.PROD_SERVICE_ACCOUNT }}
+      PROD_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.PROD_WORKLOAD_IDENTITY_PROVIDER }}
+
     steps:
     - name: Start
       run: echo "The name of the branch is ${{ github.ref }} on ${{ github.repository }}"
@@ -162,17 +166,20 @@ jobs:
       run: ls "${{ github.workspace }}/examples"
     - name: List files to be published
       run: ls "${{ github.workspace }}/public"    
-    - name: Install the Google Cloud CLI
-      run: |
-          wget -O ${{ github.workspace }}/google-cloud-cli.tar.gz "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-$GCLOUD_VERSION.tar.gz" \
-          && tar -xvf google-cloud-cli.tar.gz -C ${{ github.workspace }}\
-          && ${{ github.workspace }}/google-cloud-sdk/install.sh --quiet
-    - name: Prepare bucket authentication
-      run: echo $BUCKET_SECRET | base64 --decode > service_account.json && ls -a service_account.json
-    - name: Authenticate to the bucket
-      run: |
-          ./google-cloud-sdk/bin/gcloud auth activate-service-account $BUCKET_SERVICE_ACCOUNT --key-file=./service_account.json --project=$GCP_PROJECT \
-          && ./google-cloud-sdk/bin/gcloud auth list
+
+    - name: 'Google auth'
+      uses: 'google-github-actions/auth@v2'
+      with:
+        project_id: '${{ env.PROD_PROJECT_ID }}'
+        service_account: '${{ env.PROD_SERVICE_ACCOUNT }}'
+        workload_identity_provider: '${{ env.PROD_WORKLOAD_IDENTITY_PROVIDER }}'
+
+    - name: 'Set up Cloud SDK'
+      uses: 'google-github-actions/setup-gcloud@v2'
+      with:
+        project_id: '${{ env.PROD_PROJECT_ID }}'
+        version: '>= 363.0.0'
+
     - name: Sync the branch to the bucket
       run: |
           if [[ "${{ github.ref_name }}" == "main" ]]
@@ -187,7 +194,7 @@ jobs:
           else
             bucket_path=staging/${{ github.ref_name }}
           fi \
-          && ./google-cloud-sdk/bin/gsutil -m rsync -r -c -j html -d ${{ github.workspace }}/public gs://$BUCKET/$bucket_path
+          && gsutil -m rsync -r -c -j html -d ${{ github.workspace }}/public gs://$BUCKET/$bucket_path
 
           if [[ "${{ github.ref_name }}" == "latest" ]]
           then

.github/workflows/test_gcs_access.yml

@@ -7,29 +7,36 @@ jobs:
   test_gcs:
     name: Test Google Cloud Storage access
     runs-on: ubuntu-latest
+    permissions:
+      contents: 'read'
+      id-token: 'write'
     env:
       GCLOUD_VERSION: 458.0.1-linux-x86_64
       BUCKET: docs-prod-learn-redis-com
-      BUCKET_SERVICE_ACCOUNT: ${{ secrets.BUCKET_DOCUMENTATION_SA_PROD }}
-      BUCKET_SECRET: ${{ secrets.BUCKET_DOCUMENTATION_PROD }}
-      GCP_PROJECT: ${{ secrets.GCP_PROJECT_PROD }}
+      PROD_PROJECT_ID: ${{ secrets.GCP_PROJECT_PROD }}
+      PROD_SERVICE_ACCOUNT: ${{ secrets.PROD_SERVICE_ACCOUNT }}
+      PROD_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.PROD_WORKLOAD_IDENTITY_PROVIDER }}
+
     steps:
     - uses: actions/checkout@v4
     - name: Start
       run: echo "The name of the branch is ${{ github.ref }} on ${{ github.repository }}"
-    - name: Fetch the credentails
-      run: echo $BUCKET_SECRET | base64 --decode > service_account.json && ls -a service_account.json
-    - name: Install the Google Cloud CLI
-      run: |
-          wget -O ${{ github.workspace }}/google-cloud-cli.tar.gz "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-$GCLOUD_VERSION.tar.gz" \
-          && tar -xvf google-cloud-cli.tar.gz -C ${{ github.workspace }}\
-          && ${{ github.workspace }}/google-cloud-sdk/install.sh --quiet
-    - name: Authenticate to Google Cloud
-      run: |
-          ./google-cloud-sdk/bin/gcloud auth activate-service-account $BUCKET_SERVICE_ACCOUNT --key-file=./service_account.json --project=$GCP_PROJECT \
-          && ./google-cloud-sdk/bin/gcloud auth list
+
+    - name: 'Google auth'
+      uses: 'google-github-actions/auth@v2'
+      with:
+        project_id: '${{ env.PROD_PROJECT_ID }}'
+        service_account: '${{ env.PROD_SERVICE_ACCOUNT }}'
+        workload_identity_provider: '${{ env.PROD_WORKLOAD_IDENTITY_PROVIDER }}'
+
+    - name: 'Set up Cloud SDK'
+      uses: 'google-github-actions/setup-gcloud@v2'
+      with:
+        project_id: '${{ env.PROD_PROJECT_ID }}'
+        version: '>= 363.0.0'
+
     - name: List files
-      run: ./google-cloud-sdk/bin/gsutil ls gs://$BUCKET
+      run: gsutil ls gs://$BUCKET
     - name: End
       run: echo "This job's status is ${{ job.status }}."