Integration: Switch to using auth Gcloud action in Windows workflow.

Following the forking of `github-google-actions/setup-gcloud` into individual actions, the functionality for authenticating on Google Cloud within GitHub workflows has been moved to the `github-google-actions/auth` action. This patch updates the Windows Periodic Integration test workflow to use the new `auth` action, as well as switching to using Workload Identity Federation-based authorization which is superseding the Service Account Key-based authorization the Windows Periodic workflow was using thus far. Signed-off-by: Nashwan Azhari <nazhari@cloudbasesolutions.com>
2021-12-24 10:25:45 +02:00 · 2021-12-24 10:25:45 +02:00 · 8a2b61356d
commit 8a2b61356d
parent bce18cb04f
2 changed files with 18 additions and 12 deletions
--- a/.github/workflows/windows-periodic-trigger.yml
+++ b/.github/workflows/windows-periodic-trigger.yml
@ -21,5 +21,5 @@ jobs:
    secrets:
      AZURE_SUB_ID: "${{ secrets.AZURE_SUB_ID }}"
      AZURE_CREDS: "${{ secrets.AZURE_CREDS }}"
-      GCP_PROJECT_ID: "${{ secrets.GCP_PROJECT_ID }}"
-      GCP_SA_KEY: "${{ secrets.GCP_SA_KEY }}"
+      GCP_SERVICE_ACCOUNT: "${{ secrets.GCP_SERVICE_ACCOUNT }}"
+      GCP_WORKLOAD_IDENTITY_PROVIDER: "${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}"
--- a/.github/workflows/windows-periodic.yml
+++ b/.github/workflows/windows-periodic.yml
@ -10,9 +10,9 @@ on:
        required: true
      AZURE_CREDS:
        required: true
-      GCP_PROJECT_ID:
+      GCP_SERVICE_ACCOUNT:
        required: true
-      GCP_SA_KEY:
+      GCP_WORKLOAD_IDENTITY_PROVIDER:
        required: true

 env:
@ -30,6 +30,10 @@ env:

 jobs:
  winIntegration:
+    # NOTE: the following permissions are required by `google-github-actions/auth`:
+    permissions:
+      contents: 'read'
+      id-token: 'write'
    strategy:
      matrix:
        win_ver: [ltsc2019, ltsc2022]
@ -197,16 +201,18 @@ jobs:
      - name: AssignGcpCreds
        id: AssignGcpCreds
        run: |
-          echo '::set-output name=GCP_PROJECT_ID::${{ secrets.GCP_PROJECT_ID }}'
-          echo '::set-output name=GCP_SA_KEY::${{ secrets.GCP_SA_KEY }}'
+          echo '::set-output name=GCP_SERVICE_ACCOUNT::${{ secrets.GCP_SERVICE_ACCOUNT }}'
+          echo '::set-output name=GCP_WORKLOAD_IDENTITY_PROVIDER::${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}'

-      - name: SetUpCloudSDK
-        if: steps.AssignGcpCreds.outputs.GCP_PROJECT_ID && steps.AssignGcpCreds.outputs.GCP_SA_KEY
-        uses: google-github-actions/setup-gcloud@master
+      - name: AuthGcp
+        uses: google-github-actions/auth@v0
+        if: steps.AssignGcpCreds.outputs.GCP_SERVICE_ACCOUNT && steps.AssignGcpCreds.outputs.GCP_WORKLOAD_IDENTITY_PROVIDER
        with:
-          project_id: ${{ secrets.GCP_PROJECT_ID }}
-          service_account_key: ${{ secrets.GCP_SA_KEY }}
-          export_default_credentials: true
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+
+      - name: SetUpGcpSdk
+        uses: google-github-actions/setup-gcloud@master

      - name: UploadArtifacts
        if: steps.AssignGcpCreds.outputs.GCP_PROJECT_ID && steps.AssignGcpCreds.outputs.GCP_SA_KEY