From 090124f53bbb2211919dbd04df8d582261d19184 Mon Sep 17 00:00:00 2001
From: faucomte97
Date: Wed, 26 Jun 2024 17:18:00 +0100
Subject: [PATCH 1/2] Use WIF instead of service account key
---
 .github/actions/gcloud/deploy-app/action.yaml | 7 +++----
 .github/workflows/backend.yaml | 5 -----
 .github/workflows/cron.yaml | 1 -
 .github/workflows/dispatch.yaml | 1 -
 .github/workflows/frontend.yaml | 5 -----
 5 files changed, 3 insertions(+), 16 deletions(-)
diff --git a/.github/actions/gcloud/deploy-app/action.yaml b/.github/actions/gcloud/deploy-app/action.yaml
index 25310fd6..6bbb6704 100644
--- a/.github/actions/gcloud/deploy-app/action.yaml
+++ b/.github/actions/gcloud/deploy-app/action.yaml
@@ -1,9 +1,6 @@
 name: "Code for Life - GCloud - Deploy App"
 description: "Deploy an app to Google Cloud."
 inputs:
- gcp-credentials:
- description: "The JSON credentials used to access GCP."
- required: true
 deploy-args:
 description: "Arguments to pass to `gcloud app deploy`."
 required: false
@@ -13,7 +10,9 @@ runs:
 - name: 🗝 Authenticate with GCloud
 uses: google-github-actions/auth@v2
 with:
- credentials_json: ${{ inputs.gcp-credentials }}
+ project_id: 'decent-digit-629'
+ workload_identity_provider: 'projects/354656325390/locations/global/workloadIdentityPools/cfl-pool/providers/cfl-provider'
+ service_account: 'github-actions-34@decent-digit-629.iam.gserviceaccount.com'
 - name: 🤖 Set up GCloud SDK
 uses: google-github-actions/setup-gcloud@v2
diff --git a/.github/workflows/backend.yaml b/.github/workflows/backend.yaml
index 4a1b9310..41f6d4c0 100644
--- a/.github/workflows/backend.yaml
+++ b/.github/workflows/backend.yaml
@@ -12,9 +12,6 @@ on:
 CODECOV_TOKEN:
 description: "The token used to gain access to Codecov."
 required: false
- GCP_CREDENTIALS:
- description: "The JSON credentials used to access GCP."
- required: false
 jobs:
 validate-pr-refs:
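Review bot: The three `with:` values added to the 🗝 Authenticate step (`project_id`, `workload_identity_provider`, `service_account`) are hard-coded into a composite action that several workflows consume, so any later change of pool, provider or service account means editing the shared action rather than a caller; consider declaring them as `inputs:` with these values as their `default:` so the action stays reusable and the identifiers live in one documented place. This commit also removes the `gcp-credentials` input while the `id-token: write` permission only arrives in PATCH 2/2, so on its own it leaves the auth step unable to obtain an OIDC token — worth stating in the message or squashing the two commits. With WIF the trust boundary moves to the pool provider's attribute condition (which repositories and refs may impersonate `github-actions-34@decent-digit-629.iam.gserviceaccount.com`), which is not visible here; a comment above `workload_identity_provider:` such as `# provider attribute condition is expected to restrict assertion.repository to this org's repos — verify in GCP` would record that expectation for reviewers. The `runs:` step list continues outside the hunk.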
@@ -82,5 +79,3 @@ jobs:
 - name: 🚀 Deploy App on GCloud
 uses: ocadotechnology/codeforlife-workspace/.github/actions/gcloud/deploy-app@main
- with:
- gcp-credentials: ${{ secrets.GCP_CREDENTIALS }}
diff --git a/.github/workflows/cron.yaml b/.github/workflows/cron.yaml
index b3d2f712..68de8dbe 100644
--- a/.github/workflows/cron.yaml
+++ b/.github/workflows/cron.yaml
@@ -18,5 +18,4 @@ jobs:
 - name: 🚀 Deploy Cron Jobs on GCloud
 uses: ocadotechnology/codeforlife-workspace/.github/actions/gcloud/deploy-app@main
 with:
- gcp-credentials: ${{ secrets.GCP_CREDENTIALS }}
 deploy-args: cron.yaml
diff --git a/.github/workflows/dispatch.yaml b/.github/workflows/dispatch.yaml
index b867f47c..49ff54d6 100644
--- a/.github/workflows/dispatch.yaml
+++ b/.github/workflows/dispatch.yaml
@@ -18,5 +18,4 @@ jobs:
 - name: 🚀 Deploy Routing Rules on GCloud
 uses: ocadotechnology/codeforlife-workspace/.github/actions/gcloud/deploy-app@main
 with:
- gcp-credentials: ${{ secrets.GCP_CREDENTIALS }}
 deploy-args: dispatch.yaml
diff --git a/.github/workflows/frontend.yaml b/.github/workflows/frontend.yaml
index 3e132dd6..cfa1795a 100644
--- a/.github/workflows/frontend.yaml
+++ b/.github/workflows/frontend.yaml
@@ -12,9 +12,6 @@ on:
 CODECOV_TOKEN:
 description: "The token used to gain access to Codecov."
 required: false
- GCP_CREDENTIALS:
- description: "The JSON credentials used to access GCP."
- required: false
 jobs:
 validate-pr-refs:
@@ -70,5 +67,3 @@ jobs:
 - name: 🚀 Deploy App on GCloud
 uses: ocadotechnology/codeforlife-workspace/.github/actions/gcloud/deploy-app@main
- with:
- gcp-credentials: ${{ secrets.GCP_CREDENTIALS }}
From 574531e13fe6018509b625f2e9ea1d883a6a1d19 Mon Sep 17 00:00:00 2001
From: faucomte97
Date: Thu, 27 Jun 2024 12:19:01 +0100
Subject: [PATCH 2/2] Add permissions
---
 .github/workflows/backend.yaml | 2 ++
 .github/workflows/cron.yaml | 2 ++
 .github/workflows/dispatch.yaml | 2 ++
 .github/workflows/frontend.yaml | 2 ++
 4 files changed, 8 insertions(+)
diff --git a/.github/workflows/backend.yaml b/.github/workflows/backend.yaml
index 41f6d4c0..3c9d12c1 100644
--- a/.github/workflows/backend.yaml
+++ b/.github/workflows/backend.yaml
@@ -25,6 +25,8 @@ jobs: source-path: src deploy: + permissions: + id-token: 'write' # TODO: separate build and deploy jobs and create reusable deploy workflow runs-on: ubuntu-latest needs: [validate-pr-refs, test] # Deploy if:
diff --git a/.github/workflows/cron.yaml b/.github/workflows/cron.yaml
index 68de8dbe..766356d0 100644
--- a/.github/workflows/cron.yaml
+++ b/.github/workflows/cron.yaml
@@ -10,6 +10,8 @@ on: jobs: deploy: + permissions: + id-token: 'write' # TODO: separate build and deploy jobs and create reusable deploy workflow runs-on: ubuntu-latest steps: - name: 🛫 Checkout
diff --git a/.github/workflows/dispatch.yaml b/.github/workflows/dispatch.yaml
index 49ff54d6..36128eac 100644
--- a/.github/workflows/dispatch.yaml
+++ b/.github/workflows/dispatch.yaml
@@ -10,6 +10,8 @@ on: jobs: deploy: + permissions: + id-token: 'write' # TODO: separate build and deploy jobs and create reusable deploy workflow runs-on: ubuntu-latest steps: - name: 🛫 Checkout
diff --git a/.github/workflows/frontend.yaml b/.github/workflows/frontend.yaml
index cfa1795a..13a7f995 100644
--- a/.github/workflows/frontend.yaml
+++ b/.github/workflows/frontend.yaml
@@ -24,6 +24,8 @@ jobs: node-version: ${{ inputs.node-version }} deploy: + permissions: + id-token: 'write' # TODO: separate build and deploy jobs and create reusable deploy workflow runs-on: ubuntu-latest needs: [validate-pr-refs, test] # Deploy if:
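Review bot: The job-level `permissions:` block added under `deploy:` names only `id-token: 'write'`, and a job-level `permissions` key resets every scope it does not list to `none`; the same job runs a checkout step (🛫 Checkout is visible in the cron.yaml and dispatch.yaml hunks, and presumably the backend.yaml and frontend.yaml deploy jobs do the same outside their hunks), which relies on `contents` read access through `GITHUB_TOKEN`, so the clone may fail on a private repository. Add `contents: 'read'` next to `id-token: 'write'` in all four files — the same pairing the auth action's README shows — rather than relying on repository visibility. Since these are `workflow_call` workflows, a caller's own permissions still cap what the called job receives, so confirm the calling workflows grant `id-token: write` as well. The `deploy:` job body continues outside each hunk.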