Merge dev into master

.github/scripts/publish_preflight_check.sh

@@ -64,7 +64,7 @@ if [[ ! "${RELEASE_VERSION}" =~ ^([0-9]*)\.([0-9]*)\.([0-9]*)$ ]]; then
 fi
 
 echo_info "Extracted release version: ${RELEASE_VERSION}"
-echo "::set-output name=version::v${RELEASE_VERSION}"
+echo "version=v${RELEASE_VERSION}" >> $GITHUB_OUTPUT
 
 
 echo_info ""
@@ -108,13 +108,13 @@ readonly CHANGELOG=`${CURRENT_DIR}/generate_changelog.sh`
 echo "$CHANGELOG"
 
 # Parse and preformat the text to handle multi-line output.
-# See https://github.community/t5/GitHub-Actions/set-output-Truncates-Multiline-Strings/td-p/37870
+# See https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#example-of-a-multiline-string
+# and https://github.com/github/docs/issues/21529#issue-1418590935
 FILTERED_CHANGELOG=`echo "$CHANGELOG" | grep -v "\\[INFO\\]"`
-FILTERED_CHANGELOG="${FILTERED_CHANGELOG//'%'/'%25'}"
-FILTERED_CHANGELOG="${FILTERED_CHANGELOG//$'\n'/'%0A'}"
-FILTERED_CHANGELOG="${FILTERED_CHANGELOG//$'\r'/'%0D'}"
-echo "::set-output name=changelog::${FILTERED_CHANGELOG}"
-
+FILTERED_CHANGELOG="${FILTERED_CHANGELOG//$'\''/'"'}"
+echo "changelog<<CHANGELOGEOF" >> $GITHUB_OUTPUT
+echo -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT
+echo "CHANGELOGEOF" >> $GITHUB_OUTPUT
 
 echo ""
 echo_info "--------------------------------------------"

.github/workflows/ci.yml

@@ -8,20 +8,20 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go: [1.17, 1.18, 1.19]
+        go: ['1.20', '1.21', '1.22']
 
     steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+
     - name: Set up Go ${{ matrix.go }}
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v5
       with:
         go-version: ${{ matrix.go }}
 
     - name: Install golint
       run: go install golang.org/x/lint/golint@latest
 
-    - name: Check out code
-      uses: actions/checkout@v2
-
     - name: Run Linter
       run: |
         golint -set_exit_status ./...

.github/workflows/nightly.yml

@@ -28,19 +28,19 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+      with:
+        ref: ${{ github.event.client_payload.ref || github.ref }}
+
     - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v5
       with:
-        go-version: 1.17
+        go-version: '1.20'
 
     - name: Install golint
       run: go install golang.org/x/lint/golint@latest
 
-    - name: Check out code
-      uses: actions/checkout@v2
-      with:
-        ref: ${{ github.event.client_payload.ref || github.ref }}
-
     - name: Run Linter
       run: |
         golint -set_exit_status ./...

.github/workflows/release.yml

@@ -39,19 +39,19 @@ jobs:
     # When manually triggering the build, the requester can specify a target branch or a tag
     # via the 'ref' client parameter.
     steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+      with:
+        ref: ${{ github.event.client_payload.ref || github.ref }}
+
     - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v5
       with:
-        go-version: 1.17
+        go-version: '1.20'
 
     - name: Install golint
       run: go install golang.org/x/lint/golint@latest
 
-    - name: Check out code
-      uses: actions/checkout@v2
-      with:
-        ref: ${{ github.event.client_payload.ref || github.ref }}
-
     - name: Run Linter
       run: |
         golint -set_exit_status ./...
@@ -79,7 +79,7 @@ jobs:
 
     steps:
     - name: Checkout source for publish
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
       with:
         persist-credentials: false
 
@@ -89,31 +89,25 @@ jobs:
 
     # We authorize this step with an access token that has write access to the master branch.
     - name: Merge to master
-      uses: actions/github-script@0.9.0
+      uses: actions/github-script@v7
       with:
         github-token: ${{ secrets.FIREBASE_GITHUB_TOKEN }}
         script: |
-            github.repos.merge({
+            github.rest.repos.merge({
               owner: context.repo.owner,
               repo: context.repo.repo,
               base: 'master',
               head: 'dev'
             })
 
-    # We pull this action from a custom fork of a contributor until
-    # https://github.com/actions/create-release/pull/32 is merged. Also note that v1 of
-    # this action does not support the "body" parameter.
+    # See: https://cli.github.com/manual/gh_release_create
     - name: Create release tag
-      uses: fleskesvor/create-release@1a72e235c178bf2ae6c51a8ae36febc24568c5fe
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      with:
-        tag_name: ${{ steps.preflight.outputs.version }}
-        release_name: Firebase Admin Go SDK ${{ steps.preflight.outputs.version }}
-        body: ${{ steps.preflight.outputs.changelog }}
-        commitish: master
-        draft: false
-        prerelease: false
+      run: gh release create ${{ steps.preflight.outputs.version }}
+            --title "Firebase Admin Go SDK ${{ steps.preflight.outputs.version }}"
+            --notes '${{ steps.preflight.outputs.changelog }}'
+            --target "master"
 
     # Post to Twitter if explicitly opted-in by adding the label 'release:tweet'.
     - name: Post to Twitter

CONTRIBUTING.md

@@ -115,35 +115,89 @@ the integration tests, and only execute the unit tests.
 
 ### Integration Testing
 
-A suite of integration tests are available in the Admin SDK source code.
-These tests are designed to run against an actual Firebase project. Create a new
-project in the [Firebase Console](https://console.firebase.google.com), if you
-do not already have one suitable for running the tests against. Then obtain the
-following credentials from the project:
-
-1. *Service account certificate*: This can be downloaded as a JSON file from
-   the "Settings > Service Accounts" tab of the Firebase console. Click 
-   "GENERATE NEW PRIVATE KEY" and copy the file into your Go workspace as
-   `src/firebase.google.com/go/testdata/integration_cert.json`.
-2. *Web API key*: This is displayed in the "Settings > General" tab of the
-   console. Copy it and save to a new text file. Copy this text file into
-   your Go workspace as
-   `src/firebase.google.com/go/testdata/integration_apikey.txt`.
-
-You'll also need to grant your service account the 'Firebase Authentication Admin' role. This is
-required to ensure that exported user records contain the password hashes of the user accounts:
-1. Go to [Google Cloud Platform Console / IAM & admin](https://console.cloud.google.com/iam-admin).
-2. Find your service account in the list, and click the 'pencil' icon to edit it's permissions.
-3. Click 'ADD ANOTHER ROLE' and choose 'Firebase Authentication Admin'.
-4. Click 'SAVE'.
-
-Some of the integration tests require an
-[Identity Platform](https://cloud.google.com/identity-platform/) project with multi-tenancy
-[enabled](https://cloud.google.com/identity-platform/docs/multi-tenancy-quickstart#enabling_multi-tenancy).
-An existing Firebase project can be upgraded to an Identity Platform project without losing any
-functionality via the
-[Identity Platform Marketplace Page](https://console.cloud.google.com/customer-identity). Note that
-charges may be incurred for active users beyond the Identity Platform free tier.
+Integration tests are executed against a real life Firebase project. If you do not already
+have one suitable for running the tests against, you can create a new project in the
+[Firebase Console](https://console.firebase.google.com) following the setup guide below.
+If you already have a Firebase project, you'll need to obtain credentials to communicate and
+authorize access to your Firebase project:
+
+
+1. Service account certificate: This allows access to your Firebase project through a service account
+which is required for all integration tests. This can be downloaded as a JSON file from the 
+**Settings > Service Accounts** tab of the Firebase console when you click the
+**Generate new private key** button. Copy the file into the repo so it's available at
+`src/firebase.google.com/go/testdata/integration_cert.json`.
+   > **Note:** Service accounts should be carefully managed and their keys should never be stored in publicly accessible source code or repositories.
+
+
+2. Web API key: This allows for Auth sign-in needed for some Authentication and Tenant Management
+integration tests. This is displayed in the **Settings > General** tab of the Firebase console
+after enabling Authentication as described in the steps below. Copy it and save to a new text
+file at `src/firebase.google.com/go/testdata/integration_apikey.txt`.
+
+
+Set up your Firebase project as follows:
+
+
+1. Enable Authentication:
+   1. Go to the Firebase Console, and select **Authentication** from the **Build** menu.
+   2. Click on **Get Started**.
+   3. Select **Sign-in method > Add new provider > Email/Password** then enable both the
+   **Email/Password** and **Email link (passwordless sign-in)** options.
+
+
+2. Enable Firestore:
+   1. Go to the Firebase Console, and select **Firestore Database** from the **Build** menu.
+   2. Click on the **Create database** button. You can choose to set up Firestore either in
+   the production mode or in the test mode.
+
+
+3. Enable Realtime Database:
+   1. Go to the Firebase Console, and select **Realtime Database** from the **Build** menu.
+   2. Click on the **Create Database** button. You can choose to set up the Realtime Database
+   either in the locked mode or in the test mode.
+
+   > **Note:** Integration tests are not run against the default Realtime Database reference and are
+   instead run against a database created at `https://{PROJECT_ID}.firebaseio.com`.
+   This second Realtime Database reference is created in the following steps.
+
+   3. In the **Data** tab click on the kebab menu (3 dots) and select **Create Database**.
+   4. Enter your Project ID (Found in the **General** tab in **Account Settings**) as the
+   **Realtime Database reference**. Again, you can choose to set up the Realtime Database
+   either in the locked mode or in the test mode.
+
+
+4. Enable Storage:
+   1. Go to the Firebase Console, and select **Storage** from the **Build** menu.
+   2. Click on the **Get started** button. You can choose to set up Cloud Storage
+   either in the production mode or in the test mode.
+
+
+5. Enable the IAM API:
+   1. Go to the [Google Cloud console](https://console.cloud.google.com)
+   and make sure your Firebase project is selected.
+   2. Select **APIs & Services** from the main menu, and click the
+   **ENABLE APIS AND SERVICES** button.
+   3. Search for and enable **Identity and Access Management (IAM) API** by Google Enterprise API.
+
+
+6. Enable Tenant Management:
+   1. Go to
+   [Google Cloud console | Identity Platform](https://console.cloud.google.com/customer-identity/)
+   and if it is not already enabled, click **Enable**.
+   2. Then
+   [enable multi-tenancy](https://cloud.google.com/identity-platform/docs/multi-tenancy-quickstart#enabling_multi-tenancy)
+   for your project.
+
+
+7. Ensure your service account has the **Firebase Authentication Admin** role. This is required
+to ensure that exported user records contain the password hashes of the user accounts:
+   1. Go to [Google Cloud console | IAM & admin](https://console.cloud.google.com/iam-admin).
+   2. Find your service account in the list. If not added click the pencil icon to edit its
+   permissions.
+   3. Click **ADD ANOTHER ROLE** and choose **Firebase Authentication Admin**.
+   4. Click **SAVE**.
+
 
 Now you can invoke the test suite as follows:
 

README.md

@@ -26,14 +26,14 @@ For more information, visit the
 
 ## Installation
 
-The Firebase Admin Go SDK can be installed using the `go install` utility:
+The Firebase Admin Go SDK can be installed using the `go get` utility:
 
 ```
 # Install the latest version:
-go install firebase.google.com/go/v4@latest
+go get firebase.google.com/go/v4@latest
 
 # Or install a specific version:
-go install firebase.google.com/go/v4@4.x.x
+go get firebase.google.com/go/v4@4.x.x
 ```
 
 ## Contributing
@@ -45,9 +45,9 @@ requests, code review feedback, and also pull requests.
 ## Supported Go Versions
 
 The Admin Go SDK is compatible with at least the three most recent, major Go releases.
-We currently support Go v1.17 and higher.
+We currently support Go v1.20 and higher.
 [Continuous integration](https://github.com/firebase/firebase-admin-go/actions) system
-tests the code on Go v1.17 through v1.19.
+tests the code on Go v1.20 through v1.22.
 
 ## Documentation
 

firebase.go

@@ -39,7 +39,7 @@ import (
 var defaultAuthOverrides = make(map[string]interface{})
 
 // Version of the Firebase Go Admin SDK.
-const Version = "4.13.0"
+const Version = "4.14.0"
 
 // firebaseEnvName is the name of the environment variable with the Config.
 const firebaseEnvName = "FIREBASE_CONFIG"

go.mod

@@ -1,38 +1,49 @@
 module firebase.google.com/go/v4
 
-go 1.17
+go 1.20
 
 require (
-	cloud.google.com/go/firestore v1.9.0
-	cloud.google.com/go/storage v1.30.1
+	cloud.google.com/go/firestore v1.15.0
+	cloud.google.com/go/storage v1.40.0
 	github.com/MicahParks/keyfunc v1.9.0
 	github.com/golang-jwt/jwt/v4 v4.5.0
-	github.com/google/go-cmp v0.5.9
-	golang.org/x/oauth2 v0.7.0
-	google.golang.org/api v0.114.0
+	github.com/google/go-cmp v0.6.0
+	golang.org/x/oauth2 v0.18.0
+	google.golang.org/api v0.170.0
 	google.golang.org/appengine/v2 v2.0.2
 )
 
 require (
-	cloud.google.com/go v0.110.0 // indirect
-	cloud.google.com/go/compute v1.19.1 // indirect
+	cloud.google.com/go v0.112.1 // indirect
+	cloud.google.com/go/compute v1.24.0 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
-	cloud.google.com/go/iam v0.13.0 // indirect
-	cloud.google.com/go/longrunning v0.4.1 // indirect
+	cloud.google.com/go/iam v1.1.7 // indirect
+	cloud.google.com/go/longrunning v0.5.5 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/google/uuid v1.3.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
-	github.com/googleapis/gax-go/v2 v2.8.0 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/s2a-go v0.1.7 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
+	github.com/googleapis/gax-go/v2 v2.12.3 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	golang.org/x/net v0.17.0 // indirect
-	golang.org/x/sync v0.1.0 // indirect
-	golang.org/x/sys v0.13.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
-	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
-	google.golang.org/grpc v1.56.3 // indirect
-	google.golang.org/protobuf v1.30.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
+	go.opentelemetry.io/otel v1.24.0 // indirect
+	go.opentelemetry.io/otel/metric v1.24.0 // indirect
+	go.opentelemetry.io/otel/trace v1.24.0 // indirect
+	golang.org/x/crypto v0.21.0 // indirect
+	golang.org/x/net v0.22.0 // indirect
+	golang.org/x/sync v0.6.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240314234333-6e1732d8331c // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240311132316-a219d84964c2 // indirect
+	google.golang.org/grpc v1.62.1 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 )