chore(ci): Google Cloud Workload Identity Federation

expo · Mar 6, 2024 · 2c1ccb2 · 2c1ccb2
1 parent 20797c8
commit 2c1ccb2
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 31 deletions.
diff --git a/.github/actions/setup-google-cloud/action.yml b/.github/actions/setup-google-cloud/action.yml
@@ -14,36 +14,23 @@ inputs:
     description: Google Cloud SDK container cluster
     default: general-central
 
-  service-key:
-    description: Google Cloud SDK service_account_key
-    default: ''
-
-  export-default-credentials:
-    type: boolean
-    description: If it should export the default credentials
-    default: true
-
 runs:
   using: composite
   steps:
-    - name: 🏗 Setup Google Cloud SDK with auth
-      if: ${{ inputs.service-key != '' }}
-      uses: google-github-actions/setup-gcloud@94337306dda8180d967a56932ceb4ddcf01edae7
+    - name: 🏗 Authenticate to Google Cloud
+      if: ${{ inputs.project-id != '' }}
+      uses: google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c
       with:
         project_id: ${{ inputs.project-id }}
-        service_account_key: ${{ inputs.service-key }}
-        export_default_credentials: ${{ inputs.export-default-credentials }}
-
-    - name: 🏗 Setup Google Cloud SDK without auth
-      if: ${{ inputs.service-key == '' }}
-      uses: google-github-actions/setup-gcloud@94337306dda8180d967a56932ceb4ddcf01edae7
+        workload_identity_provider: projects/321830142373/locations/global/workloadIdentityPools/github/providers/expo
 
-    - name: 📦 Install Google Cloud SDK components
-      run: gcloud components install kubectl kustomize skaffold
-      shell: bash
+    - name: 📦 Setup Google Cloud SDK
+      uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200
+      with:
+        install_components: kubectl,kustomize,skaffold
 
     - name: ⚙️ Configure Google Cloud SDK
-      if: ${{ inputs.service-key != '' }}
+      if: ${{ inputs.project-id != '' }}
       run: |
         gcloud config set project ${{ inputs.project-id }}
         gcloud config set compute/zone ${{ inputs.project-zone }}

diff --git a/.github/workflows/snackager.yml b/.github/workflows/snackager.yml
@@ -86,6 +86,9 @@ jobs:
   build:
     if: ${{ github.event_name == 'pull_request' }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: 🏗 Setup repository
         uses: actions/checkout@v3
@@ -96,7 +99,6 @@ jobs:
           project-id: exponentjs
           project-zone: us-central1
           project-cluster: general-central
-          service-key: ${{ secrets.SNACK_GCLOUD_KEY }}
 
       - name: 🛠 Build snackager
         run: skaffold build --filename snackager/skaffold.yaml --file-output snackager/build.json
@@ -106,6 +108,9 @@ jobs:
     if: ${{ (github.event.inputs.deploy == 'staging' && github.event_name != 'pull_request') || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
     needs: review
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     environment:
       name: snackager-staging
       url: https://staging.snackager.expo.io/status
@@ -119,7 +124,6 @@ jobs:
           project-id: exponentjs
           project-zone: us-central1
           project-cluster: general-central
-          service-key: ${{ secrets.SNACK_GCLOUD_KEY }}
 
       - name: 🛠 Build snackager
         run: skaffold build --filename snackager/skaffold.yaml --file-output snackager/build.json
@@ -156,6 +160,9 @@ jobs:
     if: ${{ github.event.inputs.deploy == 'production' && github.ref == 'refs/heads/main' }}
     needs: review
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     environment:
       name: snackager-production
       url: https://snackager.expo.io/status
@@ -169,7 +176,6 @@ jobs:
           project-id: exponentjs
           project-zone: us-central1
           project-cluster: general-central
-          service-key: ${{ secrets.SNACK_GCLOUD_KEY }}
 
       - name: 🛠 Build snackager
         run: skaffold build --filename snackager/skaffold.yaml --file-output snackager/build.json

diff --git a/.github/workflows/snackpub.yml b/.github/workflows/snackpub.yml
@@ -60,6 +60,9 @@ jobs:
   build:
     if: ${{ github.event_name == 'pull_request' }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: 🏗 Setup repository
         uses: actions/checkout@v3
@@ -70,7 +73,6 @@ jobs:
           project-id: exponentjs
           project-zone: us-central1
           project-cluster: general-central
-          service-key: ${{ secrets.SNACK_GCLOUD_KEY }}
 
       - name: 🛠 Build snackpub
         run: skaffold build --filename snackpub/skaffold.yaml
@@ -80,6 +82,9 @@ jobs:
     if: ${{ (github.event.inputs.deploy == 'staging' && github.event_name != 'pull_request') || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
     needs: review
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     environment:
       name: snackpub-staging
     steps:
@@ -92,7 +97,6 @@ jobs:
           project-id: exponentjs
           project-zone: us-central1
           project-cluster: general-central
-          service-key: ${{ secrets.SNACK_GCLOUD_KEY }}
 
       - name: 🛠 Build snackpub
         run: skaffold build --filename snackpub/skaffold.yaml --file-output /tmp/build.json
@@ -125,6 +129,9 @@ jobs:
     if: ${{ github.event.inputs.deploy == 'production' && github.ref == 'refs/heads/main' }}
     needs: review
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     environment:
       name: snackpub-production
     steps:
@@ -137,7 +144,6 @@ jobs:
           project-id: exponentjs
           project-zone: us-central1
           project-cluster: general-central
-          service-key: ${{ secrets.SNACK_GCLOUD_KEY }}
 
       - name: 🛠 Build snackpub
         run: skaffold build --filename snackpub/skaffold.yaml --file-output /tmp/build.json

diff --git a/.github/workflows/website.yml b/.github/workflows/website.yml
@@ -64,6 +64,9 @@ jobs:
   build:
     if: ${{ github.event_name == 'pull_request' }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: 🏗 Setup repository
         uses: actions/checkout@v3
@@ -74,7 +77,6 @@ jobs:
           project-id: exponentjs
           project-zone: us-central1
           project-cluster: general-central
-          service-key: ${{ secrets.SNACK_GCLOUD_KEY }}
 
       - name: 🛠 Build website
         run: skaffold build --filename website/skaffold.yaml --file-output website/build.json
@@ -100,6 +102,9 @@ jobs:
     if: ${{ (github.event.inputs.deploy == 'staging' && github.event_name != 'pull_request') || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
     needs: review
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     environment:
       name: website-staging
       url: https://staging-snack.expo.dev
@@ -113,7 +118,6 @@ jobs:
           project-id: exponentjs
           project-zone: us-central1
           project-cluster: general-central
-          service-key: ${{ secrets.SNACK_GCLOUD_KEY }}
 
       - name: 🛠 Build website
         run: skaffold build --filename website/skaffold.yaml --file-output website/build.json
@@ -150,6 +154,9 @@ jobs:
     if: ${{ github.event.inputs.deploy == 'production' && github.ref == 'refs/heads/main' }}
     needs: review
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     environment:
       name: website-production
       url: https://snack.expo.dev
@@ -163,7 +170,6 @@ jobs:
           project-id: exponentjs
           project-zone: us-central1
           project-cluster: general-central
-          service-key: ${{ secrets.SNACK_GCLOUD_KEY }}
 
       - name: 🛠 Build website
         run: skaffold build --filename website/skaffold.yaml --file-output website/build.json