From d85cd40b4367348c873714f34cbe5b4c7544153f Mon Sep 17 00:00:00 2001
From: AdamHawtin
Date: Wed, 28 Feb 2024 13:25:16 +0000
Subject: [PATCH] Update Github Action to use WIF auth
---
 .github/workflows/checks-and-tests.yml | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/checks-and-tests.yml b/.github/workflows/checks-and-tests.yml
index 3157126..020e93d 100644
--- a/.github/workflows/checks-and-tests.yml
+++ b/.github/workflows/checks-and-tests.yml
@@ -10,25 +10,39 @@ jobs:
 python-tests:
 runs-on: ubuntu-latest
+ # Add "id-token" with the required permissions.
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+
 steps:
 - name: Checkout
 uses: actions/checkout@v3
+ # Authenticate with Google Cloud to acquire an access token
+ - id: auth
+ name: Authenticate to Google Cloud
+ uses: google-github-actions/auth@v1
+ with:
+ token_format: 'access_token'
+ workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
+ service_account: ${{ secrets.SERVICE_ACCOUNT }}
+
 # Authenticating with Dockerhub ensures image pulls are authenticated, so not as severely rate limited
 - name: Log in to Dockerhub
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 # Also log docker in to GCP artifact registry, to allow image pulls from our private registries
 - name: Log in to Google Docker Artifact Registry
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 with:
 registry: europe-west2-docker.pkg.dev
- username: _json_key
- password: ${{ secrets.GOOGLE_SERVICE_ACCOUNT_KEY }}
+ username: oauth2accesstoken
+ password: ${{ steps.auth.outputs.access_token }}
 - name: Set up Python "3.11"
 uses: actions/setup-python@v4
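Review bot: The removed `password: ${{ secrets.GOOGLE_SERVICE_ACCOUNT_KEY }}` line stops using the long-lived JSON key, but nothing in the commit retires it; the key should be disabled or deleted on the GCP service account and the `GOOGLE_SERVICE_ACCOUNT_KEY` repository secret removed, otherwise the credential this migration was meant to replace stays valid and reachable from the repo. The new `auth` step is the sole consumer of the job's `id-token: 'write'` grant, so it should be pinned to an immutable ref rather than the floating `@v1` tag, e.g. `uses: google-github-actions/auth@<full-commit-sha>  # v1` (placeholder), because a mutable tag on the action that exchanges the OIDC token is the weakest link in the chain; `docker/login-action@v3` would benefit from the same treatment. Whether the provider referenced by `secrets.WIF_PROVIDER` carries an attribute condition limiting it to this repository is not visible here and is worth confirming, since without one any workflow able to reach that provider could mint a token for the service account. The `python-tests` job continues past the end of the hunk.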