From 8a2b61356d214e41654b90f6519f870af9fbe7fb Mon Sep 17 00:00:00 2001
From: Nashwan Azhari
Date: Fri, 24 Dec 2021 10:25:45 +0200
Subject: [PATCH] Integration: Switch to using `auth` Gcloud action in Windows workflow.

Following the forking of `github-google-actions/setup-gcloud` into individual actions, the functionality for authenticating on Google Cloud within GitHub workflows has been moved to the `github-google-actions/auth` action.

This patch updates the Windows Periodic Integration test workflow to use the new `auth` action, as well as switching to using Workload Identity Federation-based authorization which is superseding the Service Account Key-based authorization the Windows Periodic workflow was using thus far.

Signed-off-by: Nashwan Azhari
---
 .../workflows/windows-periodic-trigger.yml | 4 +--
 .github/workflows/windows-periodic.yml | 26 ++++++++++++-------
 2 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/windows-periodic-trigger.yml b/.github/workflows/windows-periodic-trigger.yml
index faed254bf..302d4050a 100644
--- a/.github/workflows/windows-periodic-trigger.yml
+++ b/.github/workflows/windows-periodic-trigger.yml
@@ -21,5 +21,5 @@ jobs:
 secrets:
 AZURE_SUB_ID: "${{ secrets.AZURE_SUB_ID }}"
 AZURE_CREDS: "${{ secrets.AZURE_CREDS }}"
- GCP_PROJECT_ID: "${{ secrets.GCP_PROJECT_ID }}"
- GCP_SA_KEY: "${{ secrets.GCP_SA_KEY }}"
+ GCP_SERVICE_ACCOUNT: "${{ secrets.GCP_SERVICE_ACCOUNT }}"
+ GCP_WORKLOAD_IDENTITY_PROVIDER: "${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}"
diff --git a/.github/workflows/windows-periodic.yml b/.github/workflows/windows-periodic.yml
index 4299de7db..176735a25 100644
--- a/.github/workflows/windows-periodic.yml
+++ b/.github/workflows/windows-periodic.yml
@@ -10,9 +10,9 @@ on:
 required: true
 AZURE_CREDS:
 required: true
- GCP_PROJECT_ID:
+ GCP_SERVICE_ACCOUNT:
 required: true
- GCP_SA_KEY:
+ GCP_WORKLOAD_IDENTITY_PROVIDER:
 required: true
 
 env:
@@ -30,6 +30,10 @@ env:
 
 jobs:
 winIntegration:
+ # NOTE: the following permissions are required by `google-github-actions/auth`:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 strategy:
 matrix:
 win_ver: [ltsc2019, ltsc2022]
@@ -197,16 +201,18 @@ jobs:
 - name: AssignGcpCreds
 id: AssignGcpCreds
 run: |
- echo '::set-output name=GCP_PROJECT_ID::${{ secrets.GCP_PROJECT_ID }}'
- echo '::set-output name=GCP_SA_KEY::${{ secrets.GCP_SA_KEY }}'
+ echo '::set-output name=GCP_SERVICE_ACCOUNT::${{ secrets.GCP_SERVICE_ACCOUNT }}'
+ echo '::set-output name=GCP_WORKLOAD_IDENTITY_PROVIDER::${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}'
 
- - name: SetUpCloudSDK
- if: steps.AssignGcpCreds.outputs.GCP_PROJECT_ID && steps.AssignGcpCreds.outputs.GCP_SA_KEY
- uses: google-github-actions/setup-gcloud@master
+ - name: AuthGcp
+ uses: google-github-actions/auth@v0
+ if: steps.AssignGcpCreds.outputs.GCP_SERVICE_ACCOUNT && steps.AssignGcpCreds.outputs.GCP_WORKLOAD_IDENTITY_PROVIDER
 with:
- project_id: ${{ secrets.GCP_PROJECT_ID }}
- service_account_key: ${{ secrets.GCP_SA_KEY }}
- export_default_credentials: true
+ service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+
+ - name: SetUpGcpSdk
+ uses: google-github-actions/setup-gcloud@master
 
 - name: UploadArtifacts
 if: steps.AssignGcpCreds.outputs.GCP_PROJECT_ID && steps.AssignGcpCreds.outputs.GCP_SA_KEY
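Review bot: The comment above the new `permissions:` block says the scopes are required by `google-github-actions/auth` but not why, and it omits that a job-level `permissions:` block also narrows every scope it does not list to none for the whole `winIntegration` job. A more self-contained comment would be `# NOTE: google-github-actions/auth needs id-token: write to request the runner's OIDC token, which it exchanges for GCP credentials; declaring permissions here resets all unlisted scopes to none for this job.` If later steps of the job (not visible in this hunk) relied on the broader default token, their scopes now have to be added here. The job definition continues past the end of the hunk.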
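Review bot: The `UploadArtifacts` condition on the hunk's last line still reads `steps.AssignGcpCreds.outputs.GCP_PROJECT_ID && steps.AssignGcpCreds.outputs.GCP_SA_KEY`, but the rewritten `AssignGcpCreds` step no longer emits those outputs, so the expression is always false and the upload is silently skipped. It should become `if: steps.AssignGcpCreds.outputs.GCP_SERVICE_ACCOUNT && steps.AssignGcpCreds.outputs.GCP_WORKLOAD_IDENTITY_PROVIDER`, and the new `SetUpGcpSdk` step would benefit from the same guard that the replaced `SetUpCloudSDK` step carried, so it does not run when the auth step was skipped. Separately, `google-github-actions/setup-gcloud@master` is a mutable branch reference on an action that runs after credentials have been placed on the runner; pinning it to a release tag or commit SHA, as `auth` is pinned to `v0`, keeps an upstream change from silently altering what executes with those credentials. The step list continues outside the hunk.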