From b0ddd95357c8beae49a29fd46d9b9b5fb86fc181 Mon Sep 17 00:00:00 2001
From: Tomas Valenta
Date: Tue, 26 Sep 2023 18:20:56 +0200
Subject: [PATCH] Fix GHA env vars passing
---
 .github/workflows/api-image.yml | 8 ++++--
 .github/workflows/cluster-disk-image.yml | 9 +++++--
 .github/workflows/env-build-task-driver.yml | 9 +++++--
 .../workflows/env-instance-task-driver.yml | 9 +++++--
 .github/workflows/envd.yml | 8 ++++--
 .github/workflows/release.yml | 20 +++++++++++++++
 .github/workflows/terraform.yml | 25 ++++++++++++++-----
 7 files changed, 72 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/api-image.yml b/.github/workflows/api-image.yml
index a656c16e4..fb605210f 100644
--- a/.github/workflows/api-image.yml
+++ b/.github/workflows/api-image.yml
@@ -3,6 +3,10 @@ name: API image
 on:
 workflow_call:
 secrets:
+ service_account_email:
+ required: true
+ workload_identity_provider:
+ required: true
 gce_project:
 required: true
@@ -20,8 +24,8 @@ jobs:
 - name: Setup Service Account
 uses: google-github-actions/auth@v1
 with:
- workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
- service_account: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
+ workload_identity_provider: ${{ secrets.workload_identity_provider }}
+ service_account: ${{ secrets.service_account_email }}
 - name: Configure Docker
 run: gcloud --quiet auth configure-docker us-central1-docker.pkg.dev
diff --git a/.github/workflows/cluster-disk-image.yml b/.github/workflows/cluster-disk-image.yml
index 84c3bcd3c..40fa3b1b6 100644
--- a/.github/workflows/cluster-disk-image.yml
+++ b/.github/workflows/cluster-disk-image.yml
@@ -2,6 +2,11 @@ name: Cluster disk image
 on:
 workflow_call:
+ secrets:
+ service_account_email:
+ required: true
+ workload_identity_provider:
+ required: true
 jobs:
 publish:
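Review bot: The secrets declared under `on.workflow_call.secrets` in api-image.yml carry no `description:`, so a caller has to read the job body to learn that `workload_identity_provider` is the identity provider resource handed to google-github-actions/auth and `service_account_email` is the service account that action impersonates. Add a one-line `description:` to each, e.g. `description: Workload Identity Federation provider resource passed to google-github-actions/auth` and `description: Service account impersonated through the provider above`. The same declarations are added without descriptions in cluster-disk-image.yml, env-build-task-driver.yml, env-instance-task-driver.yml, envd.yml and terraform.yml, and the four sizing secrets in terraform.yml would benefit most from one.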
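Review bot: cluster-disk-image.yml now declares `service_account_email` and `workload_identity_provider` as `required: true`, yet the only lines in this file that reference them are the commented-out Setup Service Account step in the next hunk, so release.yml is forced to hand the workflow credentials it does not consume. Either leave the declaration out until that step is re-enabled, or mark both `required: false` so the contract matches actual use; routing credentials into a workflow with no consumer only widens where they are exposed. The `publish` job body continues outside the hunk, so a live reference elsewhere in the file would change this assessment.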
@@ -15,8 +20,8 @@ jobs:
 # uses: google-github-actions/auth@v1
 # with:
 # create_credentials_file: true
- # workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
- # service_account: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
+ # workload_identity_provider: ${{ secrets.workload_identity_provider }}
+ # service_account: ${{ secrets.service_account_email }}
 # - name: Setup Packer
 # uses: hashicorp-contrib/setup-packer@v2
diff --git a/.github/workflows/env-build-task-driver.yml b/.github/workflows/env-build-task-driver.yml
index 4c1c8b2b0..5ef87de9a 100644
--- a/.github/workflows/env-build-task-driver.yml
+++ b/.github/workflows/env-build-task-driver.yml
@@ -2,6 +2,11 @@ name: Env build task driver
 on:
 workflow_call:
+ secrets:
+ service_account_email:
+ required: true
+ workload_identity_provider:
+ required: true
 jobs:
 publish:
@@ -29,8 +34,8 @@ jobs:
 - name: Setup Service Account
 uses: google-github-actions/auth@v1
 with:
- workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
- service_account: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
+ workload_identity_provider: ${{ secrets.workload_identity_provider }}
+ service_account: ${{ secrets.service_account_email }}
 - name: List files
 run: ls -la ./packages/env-build-task-driver/bin
diff --git a/.github/workflows/env-instance-task-driver.yml b/.github/workflows/env-instance-task-driver.yml
index 56959a1e2..ce8e77977 100644
--- a/.github/workflows/env-instance-task-driver.yml
+++ b/.github/workflows/env-instance-task-driver.yml
@@ -2,6 +2,11 @@ name: Env instance task driver
 on:
 workflow_call:
+ secrets:
+ service_account_email:
+ required: true
+ workload_identity_provider:
+ required: true
 jobs:
 publish:
@@ -29,8 +34,8 @@ jobs:
 - name: Setup Service Account
 uses: google-github-actions/auth@v1
 with:
- workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
- service_account: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
+ workload_identity_provider: ${{ secrets.workload_identity_provider }}
+ service_account: ${{ secrets.service_account_email }}
 - name: Upload firecracker task driver
 uses: "google-github-actions/upload-cloud-storage@v1"
diff --git a/.github/workflows/envd.yml b/.github/workflows/envd.yml
index 650fbc188..8b3f28947 100644
--- a/.github/workflows/envd.yml
+++ b/.github/workflows/envd.yml
@@ -3,6 +3,10 @@ name: Envd
 on:
 workflow_call:
 secrets:
+ service_account_email:
+ required: true
+ workload_identity_provider:
+ required: true
 version:
 required: true
@@ -34,8 +38,8 @@ jobs:
 - name: Setup Service Account
 uses: google-github-actions/auth@v1
 with:
- workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
- service_account: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
+ workload_identity_provider: ${{ secrets.workload_identity_provider }}
+ service_account: ${{ secrets.service_account_email }}
 - name: Upload envd
 uses: "google-github-actions/upload-cloud-storage@v1"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c23ae8507..20daffe49 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -76,6 +76,9 @@ jobs:
 needs.changes.outputs.version == 'true' &&
 needs.changes.outputs.env-instance-task-driver == 'true'
 uses: ./.github/workflows/env-instance-task-driver.yml
+ secrets:
+ workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
+ service_account_email: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
 env-build-task-driver:
 name: Env build task driver
@@ -85,6 +88,9 @@ jobs:
 needs.changes.outputs.version == 'true' &&
 needs.changes.outputs.env-build-task-driver == 'true'
 uses: ./.github/workflows/env-build-task-driver.yml
+ secrets:
+ workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
+ service_account_email: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
 cluster-disk-image:
 name: Cluster disk image
@@ -94,6 +100,9 @@ jobs:
 needs.changes.outputs.version == 'true' &&
 needs.changes.outputs.cluster-disk-image == 'true'
 uses: ./.github/workflows/cluster-disk-image.yml
+ secrets:
+ workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
+ service_account_email: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
 envd:
 name: Env Daemon
@@ -104,6 +113,8 @@ jobs:
 needs.changes.outputs.envd == 'true'
 uses: ./.github/workflows/envd.yml
 secrets:
+ workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
+ service_account_email: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
 version: ${{ needs.changes.outputs.get-version }}
 api-image:
@@ -115,6 +126,8 @@ jobs:
 needs.changes.outputs.api-image == 'true'
 uses: ./.github/workflows/api-image.yml
 secrets:
+ workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
+ service_account_email: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
 gce_project: ${{ secrets.GCE_PROJECT }}
 terraform:
@@ -138,6 +151,13 @@ jobs:
 (needs.env-build-task-driver.result == 'success' || needs.env-build-task-driver.result == 'skipped') &&
 (needs.api-image.result == 'success' || needs.api-image.result == 'skipped')
 uses: ./.github/workflows/terraform.yml
+ secrets:
+ workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
+ service_account_email: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
+ client_machine_type: ${{ secrets.CLIENT_MACHINE_TYPE }}
+ client_cluster_size: ${{ secrets.CLIENT_CLUSTER_SIZE }}
+ server_machine_type: ${{ secrets.SERVER_MACHINE_TYPE }}
+ server_cluster_size: ${{ secrets.SERVER_CLUSTER_SIZE }}
 # The last successful release is used for determining which changed and what should be deployed in this release.
 release:
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index fa3a9d7e4..7908c8866 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -2,6 +2,19 @@ name: Terraform
 on:
 workflow_call:
+ secrets:
+ service_account_email:
+ required: true
+ workload_identity_provider:
+ required: true
+ server_cluster_size:
+ required: true
+ server_machine_type:
+ required: true
+ client_cluster_size:
+ required: true
+ client_machine_type:
+ required: true
 jobs:
 deploy:
@@ -15,8 +28,8 @@ jobs:
 uses: google-github-actions/auth@v1
 with:
 create_credentials_file: true
- workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
- service_account: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
+ workload_identity_provider: ${{ secrets.workload_identity_provider }}
+ service_account: ${{ secrets.service_account_email }}
 - name: Setup Terraform
 uses: hashicorp/setup-terraform@v2
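Review bot: `client_machine_type`, `client_cluster_size`, `server_machine_type` and `server_cluster_size` are routed through the `secrets:` channel of the terraform call and declared as `required: true` secrets in the terraform.yml hunk below, although their names suggest sizing configuration rather than credentials. Anything passed as a secret is masked wherever it appears in job logs, and short or common values such as a cluster size or a machine-type string can then hide unrelated output and make a failing `make apply` (the last terraform.yml hunk) harder to read. If these values are not sensitive, passing them as `inputs:`/`with:` of the reusable workflow, or as repository `vars`, keeps the secret inventory limited to `workload_identity_provider` and `service_account_email`; if they are deliberately secret, a comment on the declaration in terraform.yml saying why would spare the next reader the question. The surrounding `if:` expression of the terraform job starts outside the hunk.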
@@ -44,7 +57,7 @@ jobs:
 run: make apply
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- tf_var_client_machine_type: ${{ secrets.CLIENT_MACHINE_TYPE }}
- tf_var_client_cluster_size: ${{ secrets.CLIENT_CLUSTER_SIZE }}
- tf_var_server_machine_type: ${{ secrets.SERVER_MACHINE_TYPE }}
- tf_var_server_cluster_size: ${{ secrets.SERVER_CLUSTER_SIZE }}
+ tf_var_client_machine_type: ${{ secrets.client_machine_type }}
+ tf_var_client_cluster_size: ${{ secrets.client_cluster_size }}
+ tf_var_server_machine_type: ${{ secrets.server_machine_type }}
+ tf_var_server_cluster_size: ${{ secrets.server_cluster_size }}