
Commit 2a0613e

Change github actions authentication to use workload identity federation (#1398)
* Change github actions authentication to use workload identity federation
1 parent 9989a45 commit 2a0613e


3 files changed

+66
-45
lines changed


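--- a/.github/workflows/main-staging.yml
+++ b/.github/workflows/main-staging.yml
@@ -6,13 +6,17 @@ jobs:
 build_docs:
 name: Build the staging documentation site
 runs-on: ubuntu-latest
+permissions:
+contents: 'read'
+id-token: 'write'
 env:
 HUGO_VERSION: 0.143.1
 GCLOUD_VERSION: 458.0.1-linux-x86_64
 BUCKET: docs-staging-learn-redis-com
-BUCKET_SERVICE_ACCOUNT: ${{ secrets.BUCKET_DOCUMENTATION_SA_STAGING }}
-BUCKET_SECRET: ${{ secrets.BUCKET_DOCUMENTATION_STAGING }}
-GCP_PROJECT: ${{ secrets.GCP_PROJECT_STAGING }}
+STAGING_PROJECT_ID: ${{ secrets.GCP_PROJECT_STAGING }}
+STAGING_SERVICE_ACCOUNT: ${{ secrets.STAGING_SERVICE_ACCOUNT }}
+STAGING_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.STAGING_WORKLOAD_IDENTITY_PROVIDER }}
+
 steps:
 - name: Start
 run: echo "The name of the branch is ${{ github.ref }} on ${{ github.repository }}"
@@ -162,17 +166,20 @@ jobs:
 run: ls "${{ github.workspace }}/examples"
 - name: List files to be published
 run: ls "${{ github.workspace }}/public"
-- name: Install the Google Cloud CLI
-run: |
-wget -O ${{ github.workspace }}/google-cloud-cli.tar.gz "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-$GCLOUD_VERSION.tar.gz" \
-&& tar -xvf google-cloud-cli.tar.gz -C ${{ github.workspace }}\
-&& ${{ github.workspace }}/google-cloud-sdk/install.sh --quiet
-- name: Prepare bucket authentication
-run: echo $BUCKET_SECRET | base64 --decode > service_account.json && ls -a service_account.json
-- name: Authenticate to the bucket
-run: |
-./google-cloud-sdk/bin/gcloud auth activate-service-account $BUCKET_SERVICE_ACCOUNT --key-file=./service_account.json --project=$GCP_PROJECT \
-&& ./google-cloud-sdk/bin/gcloud auth list
+
+- name: 'Google auth'
+uses: 'google-github-actions/auth@v2'
+with:
+project_id: '${{ env.STAGING_PROJECT_ID }}'
+service_account: '${{ env.STAGING_SERVICE_ACCOUNT }}'
+workload_identity_provider: '${{ env.STAGING_WORKLOAD_IDENTITY_PROVIDER }}'
+
+- name: 'Set up Cloud SDK'
+uses: 'google-github-actions/setup-gcloud@v2'
+with:
+project_id: '${{ env.STAGING_PROJECT_ID }}'
+version: '>= 363.0.0'
+
 - name: Sync the branch to the bucket
 run: |
 if [[ "${{ github.ref_name }}" == "main" ]]
@@ -187,7 +194,7 @@ jobs:
 else
 bucket_path=staging/${{ github.ref_name }}
 fi \
-&& ./google-cloud-sdk/bin/gsutil -m rsync -r -c -j html -d ${{ github.workspace }}/public gs://$BUCKET/$bucket_path
+&& gsutil -m rsync -r -c -j html -d ${{ github.workspace }}/public gs://$BUCKET/$bucket_path
 
 versioned_builds=($(find . -type d -regex ".*[0-9-]" -maxdepth 1 | sed -E 's/^.\///'))
 for versioned_build in "${versioned_builds[@]}"; do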
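Review bot: `GCLOUD_VERSION: 458.0.1-linux-x86_64` in the job `env` is now dead configuration — its only consumer was the removed wget install step in the second hunk — while the new `setup-gcloud@v2` step selects the CLI with `version: '>= 363.0.0'`, so what used to be an exact pin silently becomes a floating lower bound for the gsutil that publishes the site. Drop `GCLOUD_VERSION` and pin the step to one release, e.g. `version: '458.0.1'`, so the publish step is reproducible. The two new actions are referenced by mutable major tags (`uses: 'google-github-actions/auth@v2'`, `uses: 'google-github-actions/setup-gcloud@v2'`); now that these steps mint the job's cloud identity, pinning them to a full commit SHA with the tag in a trailing comment is the usual hardening. With `id-token: 'write'` the repository/branch restriction moves into the provider's attribute condition on the GCP side, which this change cannot show, so it is worth confirming the provider is scoped to this repository. The same lines are added to .github/workflows/main.yml and .github/workflows/test_gcs_access.yml, which need the same clean-up.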

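--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -6,13 +6,17 @@ jobs:
 build_docs:
 name: Build the production documentation site
 runs-on: ubuntu-latest
+permissions:
+contents: 'read'
+id-token: 'write'
 env:
 HUGO_VERSION: 0.143.1
 GCLOUD_VERSION: 458.0.1-linux-x86_64
 BUCKET: docs-prod-learn-redis-com
-BUCKET_SERVICE_ACCOUNT: ${{ secrets.BUCKET_DOCUMENTATION_SA_PROD }}
-BUCKET_SECRET: ${{ secrets.BUCKET_DOCUMENTATION_PROD }}
-GCP_PROJECT: ${{ secrets.GCP_PROJECT_PROD }}
+PROD_PROJECT_ID: ${{ secrets.GCP_PROJECT_PROD }}
+PROD_SERVICE_ACCOUNT: ${{ secrets.PROD_SERVICE_ACCOUNT }}
+PROD_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.PROD_WORKLOAD_IDENTITY_PROVIDER }}
+
 steps:
 - name: Start
 run: echo "The name of the branch is ${{ github.ref }} on ${{ github.repository }}"
@@ -162,17 +166,20 @@ jobs:
 run: ls "${{ github.workspace }}/examples"
 - name: List files to be published
 run: ls "${{ github.workspace }}/public"
-- name: Install the Google Cloud CLI
-run: |
-wget -O ${{ github.workspace }}/google-cloud-cli.tar.gz "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-$GCLOUD_VERSION.tar.gz" \
-&& tar -xvf google-cloud-cli.tar.gz -C ${{ github.workspace }}\
-&& ${{ github.workspace }}/google-cloud-sdk/install.sh --quiet
-- name: Prepare bucket authentication
-run: echo $BUCKET_SECRET | base64 --decode > service_account.json && ls -a service_account.json
-- name: Authenticate to the bucket
-run: |
-./google-cloud-sdk/bin/gcloud auth activate-service-account $BUCKET_SERVICE_ACCOUNT --key-file=./service_account.json --project=$GCP_PROJECT \
-&& ./google-cloud-sdk/bin/gcloud auth list
+
+- name: 'Google auth'
+uses: 'google-github-actions/auth@v2'
+with:
+project_id: '${{ env.PROD_PROJECT_ID }}'
+service_account: '${{ env.PROD_SERVICE_ACCOUNT }}'
+workload_identity_provider: '${{ env.PROD_WORKLOAD_IDENTITY_PROVIDER }}'
+
+- name: 'Set up Cloud SDK'
+uses: 'google-github-actions/setup-gcloud@v2'
+with:
+project_id: '${{ env.PROD_PROJECT_ID }}'
+version: '>= 363.0.0'
+
 - name: Sync the branch to the bucket
 run: |
 if [[ "${{ github.ref_name }}" == "main" ]]
@@ -187,7 +194,7 @@ jobs:
 else
 bucket_path=staging/${{ github.ref_name }}
 fi \
-&& ./google-cloud-sdk/bin/gsutil -m rsync -r -c -j html -d ${{ github.workspace }}/public gs://$BUCKET/$bucket_path
+&& gsutil -m rsync -r -c -j html -d ${{ github.workspace }}/public gs://$BUCKET/$bucket_path
 
 if [[ "${{ github.ref_name }}" == "latest" ]]
 then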

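--- a/.github/workflows/test_gcs_access.yml
+++ b/.github/workflows/test_gcs_access.yml
@@ -7,29 +7,36 @@ jobs:
 test_gcs:
 name: Test Google Cloud Storage access
 runs-on: ubuntu-latest
+permissions:
+contents: 'read'
+id-token: 'write'
 env:
 GCLOUD_VERSION: 458.0.1-linux-x86_64
 BUCKET: docs-prod-learn-redis-com
-BUCKET_SERVICE_ACCOUNT: ${{ secrets.BUCKET_DOCUMENTATION_SA_PROD }}
-BUCKET_SECRET: ${{ secrets.BUCKET_DOCUMENTATION_PROD }}
-GCP_PROJECT: ${{ secrets.GCP_PROJECT_PROD }}
+PROD_PROJECT_ID: ${{ secrets.GCP_PROJECT_PROD }}
+PROD_SERVICE_ACCOUNT: ${{ secrets.PROD_SERVICE_ACCOUNT }}
+PROD_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.PROD_WORKLOAD_IDENTITY_PROVIDER }}
+
 steps:
 - uses: actions/checkout@v4
 - name: Start
 run: echo "The name of the branch is ${{ github.ref }} on ${{ github.repository }}"
-- name: Fetch the credentails
-run: echo $BUCKET_SECRET | base64 --decode > service_account.json && ls -a service_account.json
-- name: Install the Google Cloud CLI
-run: |
-wget -O ${{ github.workspace }}/google-cloud-cli.tar.gz "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-$GCLOUD_VERSION.tar.gz" \
-&& tar -xvf google-cloud-cli.tar.gz -C ${{ github.workspace }}\
-&& ${{ github.workspace }}/google-cloud-sdk/install.sh --quiet
-- name: Authenticate to Google Cloud
-run: |
-./google-cloud-sdk/bin/gcloud auth activate-service-account $BUCKET_SERVICE_ACCOUNT --key-file=./service_account.json --project=$GCP_PROJECT \
-&& ./google-cloud-sdk/bin/gcloud auth list
+
+- name: 'Google auth'
+uses: 'google-github-actions/auth@v2'
+with:
+project_id: '${{ env.PROD_PROJECT_ID }}'
+service_account: '${{ env.PROD_SERVICE_ACCOUNT }}'
+workload_identity_provider: '${{ env.PROD_WORKLOAD_IDENTITY_PROVIDER }}'
+
+- name: 'Set up Cloud SDK'
+uses: 'google-github-actions/setup-gcloud@v2'
+with:
+project_id: '${{ env.PROD_PROJECT_ID }}'
+version: '>= 363.0.0'
+
 - name: List files
-run: ./google-cloud-sdk/bin/gsutil ls gs://$BUCKET
+run: gsutil ls gs://$BUCKET
 - name: End
 run: echo "This job's status is ${{ job.status }}."
 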
