From 3b50bc9991cb5590edacd61c23a02dcf9b4f7537 Mon Sep 17 00:00:00 2001 From: KIDI'S-TECH <146373396+KidiIT@users.noreply.github.com> Date: Sat, 6 Jan 2024 06:47:42 +0100 Subject: [PATCH] Update google-cloudrun-source.yml --- .github/workflows/google-cloudrun-source.yml | 60 ++------------------ 1 file changed, 6 insertions(+), 54 deletions(-) diff --git a/.github/workflows/google-cloudrun-source.yml b/.github/workflows/google-cloudrun-source.yml index 96a8385..f7aee0e 100644 --- a/.github/workflows/google-cloudrun-source.yml +++ b/.github/workflows/google-cloudrun-source.yml @@ -1,49 +1,3 @@ -# This workflow will deploy source code on Cloud Run when a commit is pushed to the "main" branch -# -# Overview: -# -# 1. Authenticate to Google Cloud -# 2. Deploy it to Cloud Run -# -# To configure this workflow: -# -# 1. Ensure the required Google Cloud APIs are enabled: -# -# Cloud Run run.googleapis.com -# Cloud Build cloudbuild.googleapis.com -# Artifact Registry artifactregistry.googleapis.com -# -# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) -# -# 3. Ensure the required IAM permissions are granted -# -# Cloud Run -# roles/run.admin -# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account) -# -# Cloud Build -# roles/cloudbuild.builds.editor -# -# Cloud Storage -# roles/storage.objectAdmin -# -# Artifact Registry -# roles/artifactregistry.admin (project or repository level) -# -# NOTE: You should always follow the principle of least privilege when assigning IAM roles -# -# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT -# -# 5. Change the values for the SERVICE and REGION environment variables (below). -# -# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run -# -# Further reading: -# Cloud Run runtime service account - https://cloud.google.com/run/docs/securing/service-identity -# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying-source-code#permissions_required_to_deploy -# Cloud Run builds from source - https://cloud.google.com/run/docs/deploying-source-code -# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege - name: Deploy to Cloud Run from Source on: @@ -51,9 +5,9 @@ on: branches: [ "main" ] env: - PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id - SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name - REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region + PROJECT_ID: YOUR_PROJECT_ID + SERVICE: YOUR_SERVICE_NAME + REGION: YOUR_SERVICE_REGION jobs: deploy: @@ -71,12 +25,10 @@ jobs: id: auth uses: 'google-github-actions/auth@v0' with: - workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider - service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - my-service-account@my-project.iam.gserviceaccount.com + workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' + service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' - # NOTE: Alternative option - authentication via credentials json - # - name: Google Auth - # id: auth + # uses: 'google-github-actions/auth@v0' # with: # credentials_json: '${{ secrets.GCP_CREDENTIALS }}'