
Commit 2bc4535

committed
Changed github actions to used OIDC
ref https://linear.app/ghost/issue/AP-1070 - Changed github actions to use OIDC. This will prevent leaked security credentials from compromising our infrastructure in GCP.
1 parent be7b46e commit 2bc4535


1 file changed

+36
-18
lines changed


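--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -7,6 +7,10 @@ on:
 branches:
 - main
 
+permissions:
+id-token: write
+contents: read
+
 jobs:
 lint:
 name: Lint
@@ -48,7 +52,7 @@ jobs:
 - name: "Checkout"
 uses: actions/checkout@v4
 
-- name: ActivityPub Docker meta
+- name: "ActivityPub Docker meta"
 id: activitypub-docker-metadata
 uses: docker/metadata-action@v5
 with:
@@ -63,7 +67,7 @@ jobs:
 type=semver,pattern={{major}}
 type=sha,priority=1100
 
-- name: Migrations Docker meta
+- name: "Migrations Docker meta"
 id: migrations-docker-metadata
 uses: docker/metadata-action@v5
 with:
@@ -95,12 +99,20 @@ jobs:
 - name: "Run Tests"
 run: yarn test
 
+- name: "Authenticate with GCP"
+id: gcp-auth
+uses: google-github-actions/auth@v2
+with:
+token_format: access_token
+workload_identity_provider: projects/687476608778/locations/global/workloadIdentityPools/github-oidc-activitypub/providers/github-provider-activitypub
+service_account: stg-activitypub-github-cicd@ghost-activitypub.iam.gserviceaccount.com
+
 - name: "Login to GCP Artifact Registry"
 uses: docker/login-action@v3
 with:
 registry: europe-docker.pkg.dev
-username: _json_key
-password: ${{ secrets.GCP_DEPLOYER_SERVICE_ACCOUNT_KEY }}
+username: oauth2accesstoken
+password: ${{ steps.gcp-auth.outputs.access_token }}
 
 - name: "Push ActivityPub Docker Image"
 uses: docker/build-push-action@v6
@@ -138,25 +150,28 @@ jobs:
 - region: europe-west3
 region_name: frankfurt
 steps:
-- name: "Auth with Google Cloud"
-uses: "google-github-actions/auth@v2"
+- name: "Authenticate with GCP"
+id: gcp-auth
+uses: google-github-actions/auth@v2
 with:
-credentials_json: ${{ secrets.GCP_DEPLOYER_SERVICE_ACCOUNT_KEY }}
+token_format: access_token
+workload_identity_provider: projects/687476608778/locations/global/workloadIdentityPools/github-oidc-activitypub/providers/github-provider-activitypub
+service_account: stg-activitypub-github-cicd@ghost-activitypub.iam.gserviceaccount.com
 
 - name: "Deploy Migrations to Cloud Run"
 if: ${{ matrix.region == 'europe-west4' }}
-uses: "google-github-actions/deploy-cloudrun@v2"
+uses: google-github-actions/deploy-cloudrun@v2
 with:
 image: europe-docker.pkg.dev/ghost-activitypub/activitypub/migrations:${{ needs.build-test-push.outputs.migrations_docker_version }}
 region: ${{ matrix.region }}
 job: stg-${{ matrix.region_name }}-activitypub-migrations
-flags: "--wait --execute-now"
+flags: --wait --execute-now
 skip_default_labels: true
 labels: |-
 commit-sha=${{ github.sha }}
 
 - name: "Deploy ActivityPub Queue to Cloud Run"
-uses: "google-github-actions/deploy-cloudrun@v2"
+uses: google-github-actions/deploy-cloudrun@v2
 with:
 image: europe-docker.pkg.dev/ghost-activitypub/activitypub/activitypub:${{ needs.build-test-push.outputs.activitypub_docker_version }}
 region: ${{ matrix.region }}
@@ -166,7 +181,7 @@ jobs:
 commit-sha=${{ github.sha }}
 
 - name: "Deploy ActivityPub API to Cloud Run"
-uses: "google-github-actions/deploy-cloudrun@v2"
+uses: google-github-actions/deploy-cloudrun@v2
 with:
 image: europe-docker.pkg.dev/ghost-activitypub/activitypub/activitypub:${{ needs.build-test-push.outputs.activitypub_docker_version }}
 region: ${{ matrix.region }}
@@ -190,25 +205,28 @@ jobs:
 - region: europe-west3
 region_name: frankfurt
 steps:
-- name: "Auth with Google Cloud"
-uses: "google-github-actions/auth@v2"
+- name: "Authenticate with GCP"
+id: gcp-auth
+uses: google-github-actions/auth@v2
 with:
-credentials_json: ${{ secrets.GCP_DEPLOYER_SERVICE_ACCOUNT_KEY }}
+token_format: access_token
+workload_identity_provider: projects/687476608778/locations/global/workloadIdentityPools/github-oidc-activitypub/providers/github-provider-activitypub
+service_account: prd-activitypub-github-cicd@ghost-activitypub.iam.gserviceaccount.com
 
 - name: "Deploy Migrations to Cloud Run"
 if: ${{ matrix.region == 'europe-west4' }}
-uses: "google-github-actions/deploy-cloudrun@v2"
+uses: google-github-actions/deploy-cloudrun@v2
 with:
 image: europe-docker.pkg.dev/ghost-activitypub/activitypub/migrations:${{ needs.build-test-push.outputs.migrations_docker_version }}
 region: ${{ matrix.region }}
 job: prd-${{ matrix.region_name }}-activitypub-migrations
-flags: "--wait --execute-now"
+flags: --wait --execute-now
 skip_default_labels: true
 labels: |-
 commit-sha=${{ github.sha }}
 
 - name: "Deploy ActivityPub Queue to Cloud Run"
-uses: "google-github-actions/deploy-cloudrun@v2"
+uses: google-github-actions/deploy-cloudrun@v2
 with:
 image: europe-docker.pkg.dev/ghost-activitypub/activitypub/activitypub:${{ needs.build-test-push.outputs.activitypub_docker_version }}
 region: ${{ matrix.region }}
@@ -218,7 +236,7 @@ jobs:
 commit-sha=${{ github.sha }}
 
 - name: "Deploy ActivityPub API to Cloud Run"
-uses: "google-github-actions/deploy-cloudrun@v2"
+uses: google-github-actions/deploy-cloudrun@v2
 with:
 image: europe-docker.pkg.dev/ghost-activitypub/activitypub/activitypub:${{ needs.build-test-push.outputs.activitypub_docker_version }}
 region: ${{ matrix.region }}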
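Review bot: The workflow-level `permissions:` block added in the first hunk (`id-token: write`) lets every job in the file, including `lint`, request an OIDC token, while only `build-test-push` and the two deploy jobs actually call `google-github-actions/auth`; placing `permissions:` / `id-token: write` / `contents: read` under those three jobs instead, and reducing the workflow-level block to `contents: read`, keeps token minting out of the jobs that do not need it. The job headers those blocks would sit under are outside the visible hunks. The provider's attribute condition, which is what ties an exchanged token to this repository and branch, lives on the GCP side and is not visible here; since the workflow is triggered on push to `main`, it is worth confirming that it restricts the subject to this repository's `refs/heads/main` rather than accepting any ref. Now that `google-github-actions/auth@v2` mints cloud credentials directly, pinning it to a commit SHA rather than a moving major tag would also reduce the blast radius of a compromised action release.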
