Skip to content

Commit

Permalink
chore(ci): Google Cloud Workload Identity Federation
Browse files Browse the repository at this point in the history
  • Loading branch information
nicknovitski committed Apr 15, 2024
1 parent a0bf055 commit 15cac89
Show file tree
Hide file tree
Showing 4 changed files with 54 additions and 74 deletions.
56 changes: 18 additions & 38 deletions .github/actions/setup-google-cloud/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,53 +2,33 @@ name: Setup Google Cloud SDK
description: Prepare Google Cloud SDK in GitHub Actions

inputs:
project-id:
description: Google Cloud SDK project id
default: exponentjs

project-zone:
description: Google Cloud SDK compute zone
default: us-central1

project-cluster:
description: Google Cloud SDK container cluster
default: general-central

service-key:
description: Google Cloud SDK service_account_key
auth:
description: If it should authenticate with Google Cloud and the Kubernetes cluster
default: ''

export-default-credentials:
type: boolean
description: If it should export the default credentials
default: true
required: false

runs:
using: composite
steps:
- name: πŸ— Setup Google Cloud SDK with auth
if: ${{ inputs.service-key != '' }}
uses: google-github-actions/setup-gcloud@94337306dda8180d967a56932ceb4ddcf01edae7
- name: πŸ— Authenticate to Google Cloud
if: ${{ inputs.auth != '' }}
uses: google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c
with:
project_id: ${{ inputs.project-id }}
service_account_key: ${{ inputs.service-key }}
export_default_credentials: ${{ inputs.export-default-credentials }}
project_id: exponentjs
workload_identity_provider: projects/321830142373/locations/global/workloadIdentityPools/github/providers/expo

- name: πŸ— Setup Google Cloud SDK without auth
if: ${{ inputs.service-key == '' }}
uses: google-github-actions/setup-gcloud@94337306dda8180d967a56932ceb4ddcf01edae7

- name: πŸ“¦ Install Google Cloud SDK components
run: gcloud components install kubectl kustomize skaffold
shell: bash
- name: πŸ“¦ Setup Google Cloud SDK
uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200
with:
install_components: kubectl,kustomize,skaffold

- name: βš™οΈ Configure Google Cloud SDK
if: ${{ inputs.service-key != '' }}
if: ${{ inputs.auth != '' }}
run: |
gcloud config set project ${{ inputs.project-id }}
gcloud config set compute/zone ${{ inputs.project-zone }}
gcloud config set run/region ${{ inputs.project-zone }}
gcloud config set container/cluster ${{ inputs.project-cluster }}
gcloud container clusters get-credentials ${{ inputs.project-cluster }}
gcloud config set project exponentjs
gcloud config set compute/zone us-central1
gcloud config set run/region us-central1
gcloud config set container/cluster general-central
gcloud container clusters get-credentials general-central
gcloud auth configure-docker us-central1-docker.pkg.dev
shell: bash
24 changes: 12 additions & 12 deletions .github/workflows/snackager.yml
Original file line number Diff line number Diff line change
Expand Up @@ -86,17 +86,17 @@ jobs:
build:
if: ${{ github.event_name == 'pull_request' }}
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- name: πŸ— Setup repository
uses: actions/checkout@v3

- name: πŸ— Setup Google Cloud SDK
uses: ./.github/actions/setup-google-cloud
with:
project-id: exponentjs
project-zone: us-central1
project-cluster: general-central
service-key: ${{ secrets.SNACK_GCLOUD_KEY }}
auth: true

- name: πŸ›  Build snackager
run: skaffold build --filename snackager/skaffold.yaml --file-output snackager/build.json
Expand All @@ -106,6 +106,9 @@ jobs:
if: ${{ (github.event.inputs.deploy == 'staging' && github.event_name != 'pull_request') || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
needs: review
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
environment:
name: snackager-staging
url: https://staging.snackager.expo.io/status
Expand All @@ -116,10 +119,7 @@ jobs:
- name: πŸ— Setup Google Cloud SDK
uses: ./.github/actions/setup-google-cloud
with:
project-id: exponentjs
project-zone: us-central1
project-cluster: general-central
service-key: ${{ secrets.SNACK_GCLOUD_KEY }}
auth: true

- name: πŸ›  Build snackager
run: skaffold build --filename snackager/skaffold.yaml --file-output snackager/build.json
Expand Down Expand Up @@ -152,6 +152,9 @@ jobs:
if: ${{ github.event.inputs.deploy == 'production' && github.ref == 'refs/heads/main' }}
needs: review
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
environment:
name: snackager-production
url: https://snackager.expo.io/status
Expand All @@ -162,10 +165,7 @@ jobs:
- name: πŸ— Setup Google Cloud SDK
uses: ./.github/actions/setup-google-cloud
with:
project-id: exponentjs
project-zone: us-central1
project-cluster: general-central
service-key: ${{ secrets.SNACK_GCLOUD_KEY }}
auth: true

- name: πŸ›  Build snackager
run: skaffold build --filename snackager/skaffold.yaml --file-output snackager/build.json
Expand Down
24 changes: 12 additions & 12 deletions .github/workflows/snackpub.yml
Original file line number Diff line number Diff line change
Expand Up @@ -60,17 +60,17 @@ jobs:
build:
if: ${{ github.event_name == 'pull_request' }}
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- name: πŸ— Setup repository
uses: actions/checkout@v3

- name: πŸ— Setup Google Cloud SDK
uses: ./.github/actions/setup-google-cloud
with:
project-id: exponentjs
project-zone: us-central1
project-cluster: general-central
service-key: ${{ secrets.SNACK_GCLOUD_KEY }}
auth: true

- name: πŸ›  Build snackpub
run: skaffold build --filename snackpub/skaffold.yaml
Expand All @@ -80,6 +80,9 @@ jobs:
if: ${{ (github.event.inputs.deploy == 'staging' && github.event_name != 'pull_request') || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
needs: review
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
environment:
name: snackpub-staging
steps:
Expand All @@ -89,10 +92,7 @@ jobs:
- name: πŸ— Setup Google Cloud SDK
uses: ./.github/actions/setup-google-cloud
with:
project-id: exponentjs
project-zone: us-central1
project-cluster: general-central
service-key: ${{ secrets.SNACK_GCLOUD_KEY }}
auth: true

- name: πŸ›  Build snackpub
run: skaffold build --filename snackpub/skaffold.yaml --file-output /tmp/build.json
Expand Down Expand Up @@ -121,6 +121,9 @@ jobs:
if: ${{ github.event.inputs.deploy == 'production' && github.ref == 'refs/heads/main' }}
needs: review
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
environment:
name: snackpub-production
steps:
Expand All @@ -130,10 +133,7 @@ jobs:
- name: πŸ— Setup Google Cloud SDK
uses: ./.github/actions/setup-google-cloud
with:
project-id: exponentjs
project-zone: us-central1
project-cluster: general-central
service-key: ${{ secrets.SNACK_GCLOUD_KEY }}
auth: true

- name: πŸ›  Build snackpub
run: skaffold build --filename snackpub/skaffold.yaml --file-output /tmp/build.json
Expand Down
24 changes: 12 additions & 12 deletions .github/workflows/website.yml
Original file line number Diff line number Diff line change
Expand Up @@ -64,17 +64,17 @@ jobs:
build:
if: ${{ github.event_name == 'pull_request' }}
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- name: πŸ— Setup repository
uses: actions/checkout@v3

- name: πŸ— Setup Google Cloud SDK
uses: ./.github/actions/setup-google-cloud
with:
project-id: exponentjs
project-zone: us-central1
project-cluster: general-central
service-key: ${{ secrets.SNACK_GCLOUD_KEY }}
auth: true

- name: πŸ›  Build website
run: skaffold build --filename website/skaffold.yaml --file-output website/build.json
Expand All @@ -100,6 +100,9 @@ jobs:
if: ${{ (github.event.inputs.deploy == 'staging' && github.event_name != 'pull_request') || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
needs: review
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
environment:
name: website-staging
url: https://staging-snack.expo.dev
Expand All @@ -110,10 +113,7 @@ jobs:
- name: πŸ— Setup Google Cloud SDK
uses: ./.github/actions/setup-google-cloud
with:
project-id: exponentjs
project-zone: us-central1
project-cluster: general-central
service-key: ${{ secrets.SNACK_GCLOUD_KEY }}
auth: true

- name: πŸ›  Build website
run: skaffold build --filename website/skaffold.yaml --file-output website/build.json
Expand Down Expand Up @@ -146,6 +146,9 @@ jobs:
if: ${{ github.event.inputs.deploy == 'production' && github.ref == 'refs/heads/main' }}
needs: review
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
environment:
name: website-production
url: https://snack.expo.dev
Expand All @@ -156,10 +159,7 @@ jobs:
- name: πŸ— Setup Google Cloud SDK
uses: ./.github/actions/setup-google-cloud
with:
project-id: exponentjs
project-zone: us-central1
project-cluster: general-central
service-key: ${{ secrets.SNACK_GCLOUD_KEY }}
auth: true

- name: πŸ›  Build website
run: skaffold build --filename website/skaffold.yaml --file-output website/build.json
Expand Down

0 comments on commit 15cac89

Please sign in to comment.