From c71ce592ed3a8caf1a7ef9b7659e25855e7028e3 Mon Sep 17 00:00:00 2001 From: faucomte97 Date: Wed, 26 Jun 2024 10:58:18 +0100 Subject: [PATCH 01/14] Use Google auth action for WIF --- .github/workflows/deploy_dev.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/deploy_dev.yml b/.github/workflows/deploy_dev.yml index 5b3fc1d..6c3ad08 100644 --- a/.github/workflows/deploy_dev.yml +++ b/.github/workflows/deploy_dev.yml @@ -39,11 +39,12 @@ jobs: python-version: "3.8.x" architecture: "x64" - - id: gcauth - name: Authenticate to Google Cloud - uses: google-github-actions/auth@v2 + - id: auth + name: 'Authenticate to Google Cloud' + uses: 'google-github-actions/auth@v0.4.0' with: - credentials_json: ${{ secrets.GCLOUD_AUTH }} + workload_identity_provider: 'projects/354656325390/locations/global/workloadIdentityPools/test-wif-pool/providers/test-provider' + service_account: 'github-actions-34@decent-digit-629.iam.gserviceaccount.com' - name: Setup gcloud CLI uses: google-github-actions/setup-gcloud@v2 From e0ed1951a406fcfe6381c80d4791cc4916b0412c Mon Sep 17 00:00:00 2001 From: faucomte97 Date: Wed, 26 Jun 2024 13:26:56 +0100 Subject: [PATCH 02/14] Update action --- .github/workflows/deploy_dev.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/deploy_dev.yml b/.github/workflows/deploy_dev.yml index 6c3ad08..186923e 100644 --- a/.github/workflows/deploy_dev.yml +++ b/.github/workflows/deploy_dev.yml @@ -29,6 +29,9 @@ jobs: MODULE_NAME: dev VERSION: ${{ github.run_number }} DATABASE_POSTFIX: ${{ secrets.DATABASE_POSTFIX }} + permissions: + contents: 'read' + id-token: 'write' steps: - name: Checkout uses: actions/checkout@v4 
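Review bot: Dropping `credentials_json: ${{ secrets.GCLOUD_AUTH }}` from the auth step does not retire the credential it referenced; the service-account JSON key behind `GCLOUD_AUTH` remains a valid long-lived credential in Cloud IAM until it is deleted there, and the repository secret remains readable to any workflow until it is removed, so both should go once the staging and default workflows are migrated as well. The new line `uses: 'google-github-actions/auth@v0.4.0'` also moves from the `@v2` tag the removed line used to a pre-1.0 release, which is a downgrade rather than part of the WIF migration; keep `@v2`, or better pin the full commit SHA of the chosen release with the tag in a trailing comment, since floating tags on `auth`, `setup-gcloud` and `checkout` are mutable supply-chain inputs. Note that `workload_identity_provider` and `service_account` are identifiers, not secrets, so hard-coding them here is fine.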
@@ -41,8 +44,9 @@ jobs: - id: auth name: 'Authenticate to Google Cloud' - uses: 'google-github-actions/auth@v0.4.0' + uses: 'google-github-actions/auth@v2' with: + project_id: '354656325390' workload_identity_provider: 'projects/354656325390/locations/global/workloadIdentityPools/test-wif-pool/providers/test-provider' service_account: 'github-actions-34@decent-digit-629.iam.gserviceaccount.com' From 231aef8f6fa48aba25a562201b197e524dcf04c9 Mon Sep 17 00:00:00 2001 From: faucomte97 Date: Wed, 26 Jun 2024 13:39:09 +0100 Subject: [PATCH 03/14] Try using new GKE auth action --- .github/workflows/deploy_dev.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/deploy_dev.yml b/.github/workflows/deploy_dev.yml index 186923e..744cf9a 100644 --- a/.github/workflows/deploy_dev.yml +++ b/.github/workflows/deploy_dev.yml @@ -53,6 +53,12 @@ jobs: - name: Setup gcloud CLI uses: google-github-actions/setup-gcloud@v2 + - id: 'get-credentials' + name: GKE auth + uses: 'google-github-actions/get-gke-credentials@v2' + with: + cluster_name: 'aimmo-dev' + - name: GKE auth uses: simenandre/setup-gke-gcloud-auth-plugin@v1 From 6171220b7d07b00112e2300eec07e228e2435763 Mon Sep 17 00:00:00 2001 From: faucomte97 Date: Wed, 26 Jun 2024 13:40:47 +0100 Subject: [PATCH 04/14] Specify cluster location --- .github/workflows/deploy_dev.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/deploy_dev.yml b/.github/workflows/deploy_dev.yml index 744cf9a..aecce50 100644 --- a/.github/workflows/deploy_dev.yml +++ b/.github/workflows/deploy_dev.yml @@ -58,6 +58,7 @@ jobs: uses: 'google-github-actions/get-gke-credentials@v2' with: cluster_name: 'aimmo-dev' + location: 'europe-west1-b' - name: GKE auth uses: simenandre/setup-gke-gcloud-auth-plugin@v1 From 1277ab69eda36f76ee6669a91fd88d2b2be4dfb9 Mon Sep 17 00:00:00 2001 
From: faucomte97 Date: Wed, 26 Jun 2024 13:57:56 +0100 Subject: [PATCH 05/14] Remove deprecated action --- .github/workflows/deploy_dev.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/deploy_dev.yml b/.github/workflows/deploy_dev.yml index aecce50..434375e 100644 --- a/.github/workflows/deploy_dev.yml +++ b/.github/workflows/deploy_dev.yml @@ -60,9 +60,6 @@ jobs: cluster_name: 'aimmo-dev' location: 'europe-west1-b' - - name: GKE auth - uses: simenandre/setup-gke-gcloud-auth-plugin@v1 - - name: Deploy to Google Cloud uses: ./.github/actions/deploy_gcloud with: From b2ab85a0a9f2096ebdd902928e4fd517bada8699 Mon Sep 17 00:00:00 2001 From: faucomte97 Date: Wed, 26 Jun 2024 14:16:56 +0100 Subject: [PATCH 06/14] Use correct project ID --- .github/workflows/deploy_dev.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy_dev.yml b/.github/workflows/deploy_dev.yml index 434375e..0bce838 100644 --- a/.github/workflows/deploy_dev.yml +++ b/.github/workflows/deploy_dev.yml @@ -46,7 +46,7 @@ jobs: name: 'Authenticate to Google Cloud' uses: 'google-github-actions/auth@v2' with: - project_id: '354656325390' + project_id: 'decent-digit-629' workload_identity_provider: 'projects/354656325390/locations/global/workloadIdentityPools/test-wif-pool/providers/test-provider' service_account: 'github-actions-34@decent-digit-629.iam.gserviceaccount.com' From feaf4a8a867b75e017e7b84e2feb73179de4a5dd Mon Sep 17 00:00:00 2001 From: faucomte97 Date: Wed, 26 Jun 2024 14:33:37 +0100 Subject: [PATCH 07/14] Install gke-gcloud-auth-plugin --- .github/actions/deploy_gcloud/action.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/actions/deploy_gcloud/action.yml b/.github/actions/deploy_gcloud/action.yml index 7a721fa..2f0eab0 100644 --- a/.github/actions/deploy_gcloud/action.yml +++ b/.github/actions/deploy_gcloud/action.yml 
@@ -172,7 +172,8 @@ runs: shell: bash - name: "Get cluster credentials" - run: |- + run: | + gcloud components install gke-gcloud-auth-plugin gcloud container clusters get-credentials "aimmo-$MODULE_NAME" --zone "$GKE_ZONE" env: MODULE_NAME: ${{ inputs.module-name }} From 9d78cc50cc99440757fe199e3d29db7e68f40406 Mon Sep 17 00:00:00 2001 From: faucomte97 Date: Wed, 26 Jun 2024 16:31:05 +0100 Subject: [PATCH 08/14] Do we need GKE auth? --- .github/workflows/deploy_dev.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/deploy_dev.yml b/.github/workflows/deploy_dev.yml index 0bce838..e5fbf25 100644 --- a/.github/workflows/deploy_dev.yml +++ b/.github/workflows/deploy_dev.yml @@ -53,12 +53,12 @@ jobs: - name: Setup gcloud CLI uses: google-github-actions/setup-gcloud@v2 - - id: 'get-credentials' - name: GKE auth - uses: 'google-github-actions/get-gke-credentials@v2' - with: - cluster_name: 'aimmo-dev' - location: 'europe-west1-b' +# - id: 'get-credentials' +# name: GKE auth +# uses: 'google-github-actions/get-gke-credentials@v2' +# with: +# cluster_name: 'aimmo-dev' +# location: 'europe-west1-b' - name: Deploy to Google Cloud uses: ./.github/actions/deploy_gcloud From 19e055d7b2aca75331298379c458a5a232674210 Mon Sep 17 00:00:00 2001 From: faucomte97 Date: Wed, 26 Jun 2024 16:52:38 +0100 Subject: [PATCH 09/14] Remove comments --- .github/workflows/deploy_dev.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.github/workflows/deploy_dev.yml b/.github/workflows/deploy_dev.yml index e5fbf25..f3b6ca7 100644 --- a/.github/workflows/deploy_dev.yml +++ b/.github/workflows/deploy_dev.yml @@ -53,13 +53,6 @@ jobs: - name: Setup gcloud CLI uses: google-github-actions/setup-gcloud@v2 -# - id: 'get-credentials' -# name: GKE auth -# uses: 'google-github-actions/get-gke-credentials@v2' -# with: -# cluster_name: 'aimmo-dev' -# location: 'europe-west1-b' - - name: Deploy to Google Cloud uses: ./.github/actions/deploy_gcloud with: 
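Review bot: `gcloud components install gke-gcloud-auth-plugin` is run inside the composite action's "Get cluster credentials" step, so every deploy installs an unpinned component at run time, and the step will fail on any runner whose gcloud was installed through a package manager with the component manager disabled (typically the case for distro packages). The plugin is better declared where the CLI itself is provisioned, i.e. `install_components: gke-gcloud-auth-plugin` under the `with:` of the `google-github-actions/setup-gcloud@v2` step in the calling workflows, which keeps the install declarative and tied to the CLI version. The `run: |-` to `run: |` change only adds a trailing newline to the script. The step's `env:` mapping, including where `GKE_ZONE` is defined, continues outside the hunk.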
From ced8b2a3e071655882a8df7d56ed45476825e40c Mon Sep 17 00:00:00 2001 From: faucomte97 Date: Wed, 26 Jun 2024 17:00:50 +0100 Subject: [PATCH 10/14] Update pool and provider --- .github/workflows/deploy_dev.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/deploy_dev.yml b/.github/workflows/deploy_dev.yml index f3b6ca7..98317e7 100644 --- a/.github/workflows/deploy_dev.yml +++ b/.github/workflows/deploy_dev.yml @@ -43,11 +43,11 @@ jobs: architecture: "x64" - id: auth - name: 'Authenticate to Google Cloud' - uses: 'google-github-actions/auth@v2' + name: Authenticate to Google Cloud + uses: google-github-actions/auth@v2 with: project_id: 'decent-digit-629' - workload_identity_provider: 'projects/354656325390/locations/global/workloadIdentityPools/test-wif-pool/providers/test-provider' + workload_identity_provider: 'projects/354656325390/locations/global/workloadIdentityPools/cfl-pool/providers/cfl-provider' service_account: 'github-actions-34@decent-digit-629.iam.gserviceaccount.com' - name: Setup gcloud CLI From 0c83ac2cfa1768c15496733a7e78653378194c65 Mon Sep 17 00:00:00 2001 From: faucomte97 Date: Wed, 26 Jun 2024 17:10:22 +0100 Subject: [PATCH 11/14] Copy changes to staging and default --- .github/workflows/deploy_default.yml | 12 +++++++----- .github/workflows/deploy_staging.yml | 12 +++++++----- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/.github/workflows/deploy_default.yml b/.github/workflows/deploy_default.yml index 7604d98..efca8ff 100644 --- a/.github/workflows/deploy_default.yml +++ b/.github/workflows/deploy_default.yml @@ -15,6 +15,9 @@ jobs: MODULE_NAME: default VERSION: ${{ github.run_number }} DATABASE_POSTFIX: ${{ secrets.DATABASE_POSTFIX }} + permissions: + contents: 'read' + id-token: 'write' steps: - name: Checkout uses: actions/checkout@v4 
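Review bot: The new `workload_identity_provider: 'projects/354656325390/locations/global/workloadIdentityPools/cfl-pool/providers/cfl-provider'` is only as restrictive as the provider's attribute condition and the service account's IAM binding, neither of which is visible in this workflow; if the provider has no condition on the GitHub `repository` (and ideally `ref`) assertion, a token from an unrelated GitHub workflow could be exchanged for `github-actions-34@decent-digit-629.iam.gserviceaccount.com`. Confirm the provider carries an attribute condition of the form `assertion.repository == '<owner>/<repo>'` and that the `roles/iam.workloadIdentityUser` binding on the service account names the `attribute.repository/<owner>/<repo>` principalSet rather than the whole pool. A comment above the `with:` block stating that expectation would help whoever next renames the pool keep the condition in step with it.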
@@ -25,18 +28,17 @@ jobs: python-version: "3.8.x" architecture: "x64" - - id: gcauth + - id: auth name: Authenticate to Google Cloud uses: google-github-actions/auth@v2 with: - credentials_json: ${{ secrets.GCLOUD_AUTH }} + project_id: 'decent-digit-629' + workload_identity_provider: 'projects/354656325390/locations/global/workloadIdentityPools/cfl-pool/providers/cfl-provider' + service_account: 'github-actions-34@decent-digit-629.iam.gserviceaccount.com' - name: Setup gcloud CLI uses: google-github-actions/setup-gcloud@v2 - - name: GKE auth - uses: simenandre/setup-gke-gcloud-auth-plugin@v1 - - name: Deploy to Google Cloud uses: ./.github/actions/deploy_gcloud with: diff --git a/.github/workflows/deploy_staging.yml b/.github/workflows/deploy_staging.yml index 5969670..7d25ce4 100644 --- a/.github/workflows/deploy_staging.yml +++ b/.github/workflows/deploy_staging.yml @@ -15,6 +15,9 @@ jobs: MODULE_NAME: staging VERSION: ${{ github.run_number }} DATABASE_POSTFIX: ${{ secrets.DATABASE_POSTFIX }} + permissions: + contents: 'read' + id-token: 'write' steps: - name: Checkout uses: actions/checkout@v4 @@ -25,18 +28,17 @@ jobs: python-version: "3.8.x" architecture: "x64" - - id: gcauth + - id: auth name: Authenticate to Google Cloud uses: google-github-actions/auth@v2 with: - credentials_json: ${{ secrets.GCLOUD_AUTH }} + project_id: 'decent-digit-629' + workload_identity_provider: 'projects/354656325390/locations/global/workloadIdentityPools/cfl-pool/providers/cfl-provider' + service_account: 'github-actions-34@decent-digit-629.iam.gserviceaccount.com' - name: Setup gcloud CLI uses: google-github-actions/setup-gcloud@v2 - - name: GKE auth - uses: simenandre/setup-gke-gcloud-auth-plugin@v1 - - name: Deploy to Google Cloud uses: ./.github/actions/deploy_gcloud with: From 1fcbb40e3fd775d239f05f1a6f630d48d12b7455 Mon Sep 17 00:00:00 2001 
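Review bot: The `deploy_default.yml` and `deploy_staging.yml` auth steps now impersonate the same `github-actions-34@decent-digit-629.iam.gserviceaccount.com` through the same `cfl-provider` as `deploy_dev.yml`, so the dev workflow holds whatever rights the production (default) deploy needs; the shared JSON key gave every workflow the same rights before, but WIF makes it cheap to separate them. Consider one service account per module, each bound through an attribute condition or IAM binding on the branch `ref` (or the GitHub `environment` claim) that is allowed to deploy that module, so a run from a feature branch cannot reach the default cluster. The `on:` triggers that decide which refs reach these jobs are outside the hunk.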
From: faucomte97 Date: Thu, 27 Jun 2024 10:46:58 +0100 Subject: [PATCH 12/14] Test removing permissions block --- .github/workflows/deploy_dev.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/deploy_dev.yml b/.github/workflows/deploy_dev.yml index 98317e7..a0bb040 100644 --- a/.github/workflows/deploy_dev.yml +++ b/.github/workflows/deploy_dev.yml @@ -29,9 +29,9 @@ jobs: MODULE_NAME: dev VERSION: ${{ github.run_number }} DATABASE_POSTFIX: ${{ secrets.DATABASE_POSTFIX }} - permissions: - contents: 'read' - id-token: 'write' +# permissions: +# contents: 'read' +# id-token: 'write' steps: - name: Checkout uses: actions/checkout@v4 From fee680fc1f5d9b2a201226d4e5b740278a6c0e70 Mon Sep 17 00:00:00 2001 From: faucomte97 Date: Thu, 27 Jun 2024 10:48:59 +0100 Subject: [PATCH 13/14] Only add back id-token write permission --- .github/workflows/deploy_dev.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy_dev.yml b/.github/workflows/deploy_dev.yml index a0bb040..9965bfd 100644 --- a/.github/workflows/deploy_dev.yml +++ b/.github/workflows/deploy_dev.yml @@ -29,9 +29,9 @@ jobs: MODULE_NAME: dev VERSION: ${{ github.run_number }} DATABASE_POSTFIX: ${{ secrets.DATABASE_POSTFIX }} -# permissions: + permissions: # contents: 'read' -# id-token: 'write' + id-token: 'write' steps: - name: Checkout uses: actions/checkout@v4 From 2d832c594e4e26665465394be2a904ec6ea38ebd Mon Sep 17 00:00:00 2001 From: faucomte97 Date: Thu, 27 Jun 2024 10:51:45 +0100 Subject: [PATCH 14/14] Remove contents permission --- .github/workflows/deploy_default.yml | 1 - .github/workflows/deploy_dev.yml | 1 - .github/workflows/deploy_staging.yml | 1 - 3 files changed, 3 deletions(-) diff --git a/.github/workflows/deploy_default.yml b/.github/workflows/deploy_default.yml index efca8ff..1951d96 100644 --- a/.github/workflows/deploy_default.yml +++ b/.github/workflows/deploy_default.yml 
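Review bot: Restoring `permissions:` with only `id-token: 'write'` while `# contents: 'read'` stays commented out sets every unspecified token scope to none, so the `actions/checkout@v4` step that follows (which also fetches the local `./.github/actions/deploy_gcloud` action used later) runs with a token that has no contents permission. This evidently passed in the test run, presumably because the repository is public, but it will break if the repository is ever made private and it leaves the checkout requirement undocumented. I would keep `contents: 'read'` uncommented alongside `id-token: 'write'`: together they are the minimal grant this job needs, and `id-token: write` alone is not a superset of it.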
@@ -16,7 +16,6 @@ jobs: VERSION: ${{ github.run_number }} DATABASE_POSTFIX: ${{ secrets.DATABASE_POSTFIX }} permissions: - contents: 'read' id-token: 'write' steps: - name: Checkout diff --git a/.github/workflows/deploy_dev.yml b/.github/workflows/deploy_dev.yml index 9965bfd..a89a6d4 100644 --- a/.github/workflows/deploy_dev.yml +++ b/.github/workflows/deploy_dev.yml @@ -30,7 +30,6 @@ jobs: VERSION: ${{ github.run_number }} DATABASE_POSTFIX: ${{ secrets.DATABASE_POSTFIX }} permissions: -# contents: 'read' id-token: 'write' steps: - name: Checkout diff --git a/.github/workflows/deploy_staging.yml b/.github/workflows/deploy_staging.yml index 7d25ce4..1745670 100644 --- a/.github/workflows/deploy_staging.yml +++ b/.github/workflows/deploy_staging.yml @@ -16,7 +16,6 @@ jobs: VERSION: ${{ github.run_number }} DATABASE_POSTFIX: ${{ secrets.DATABASE_POSTFIX }} permissions: - contents: 'read' id-token: 'write' steps: - name: Checkout