Changed github actions to used OIDC

rmgpinto · rmgpinto · commit b2fd3de64783 · 2025-04-14T12:48:32.000+01:00
ref https://linear.app/ghost/issue/AP-1070 - Changed github actions to use OIDC. This will prevent leaked security credentials to compromise our infrastructure in GCP.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -7,6 +7,10 @@ on:
     branches:
       - main
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   lint:
     name: Lint
@@ -95,12 +99,20 @@ jobs:
       - name: "Run Tests"
         run: yarn test
 
+      - name: "Authenticate with GCP"
+        id: gcp-auth
+        uses: google-github-actions/auth@v2
+        with:
+          token_format: access_token
+          workload_identity_provider: projects/687476608778/locations/global/workloadIdentityPools/github-oidc-activitypub/providers/github-provider-activitypub
+          service_account: stg-activitypub-github-cicd@ghost-activitypub.iam.gserviceaccount.com
+
       - name: "Login to GCP Artifact Registry"
         uses: docker/login-action@v3
         with:
           registry: europe-docker.pkg.dev
-          username: _json_key
-          password: ${{ secrets.GCP_DEPLOYER_SERVICE_ACCOUNT_KEY }}
+          username: oauth2accesstoken
+          password: ${{ steps.gcp-auth.outputs.access_token }}
 
       - name: "Push ActivityPub Docker Image"
         uses: docker/build-push-action@v6
@@ -138,14 +150,17 @@ jobs:
           - region: europe-west3
             region_name: frankfurt
     steps:
-      - name: "Auth with Google Cloud"
-        uses: "google-github-actions/auth@v2"
+      - name: "Authenticate with GCP"
+        id: gcp-auth
+        uses: google-github-actions/auth@v2
         with:
-          credentials_json: ${{ secrets.GCP_DEPLOYER_SERVICE_ACCOUNT_KEY }}
+          token_format: access_token
+          workload_identity_provider: projects/687476608778/locations/global/workloadIdentityPools/github-oidc-activitypub/providers/github-provider-activitypub
+          service_account: stg-activitypub-github-cicd@ghost-activitypub.iam.gserviceaccount.com
 
       - name: "Deploy Migrations to Cloud Run"
         if: ${{ matrix.region == 'europe-west4' }}
-        uses: "google-github-actions/deploy-cloudrun@v2"
+        uses: google-github-actions/deploy-cloudrun@v2
         with:
           image: europe-docker.pkg.dev/ghost-activitypub/activitypub/migrations:${{ needs.build-test-push.outputs.migrations_docker_version }}
           region: ${{ matrix.region }}
@@ -156,7 +171,7 @@ jobs:
             commit-sha=${{ github.sha }}
 
       - name: "Deploy ActivityPub Queue to Cloud Run"
-        uses: "google-github-actions/deploy-cloudrun@v2"
+        uses: google-github-actions/deploy-cloudrun@v2
         with:
           image: europe-docker.pkg.dev/ghost-activitypub/activitypub/activitypub:${{ needs.build-test-push.outputs.activitypub_docker_version }}
           region: ${{ matrix.region }}
@@ -166,7 +181,7 @@ jobs:
             commit-sha=${{ github.sha }}
 
       - name: "Deploy ActivityPub API to Cloud Run"
-        uses: "google-github-actions/deploy-cloudrun@v2"
+        uses: google-github-actions/deploy-cloudrun@v2
         with:
           image: europe-docker.pkg.dev/ghost-activitypub/activitypub/activitypub:${{ needs.build-test-push.outputs.activitypub_docker_version }}
           region: ${{ matrix.region }}
@@ -190,14 +205,17 @@ jobs:
           - region: europe-west3
             region_name: frankfurt
     steps:
-      - name: "Auth with Google Cloud"
-        uses: "google-github-actions/auth@v2"
+      - name: "Authenticate with GCP"
+        id: gcp-auth
+        uses: google-github-actions/auth@v2
         with:
-          credentials_json: ${{ secrets.GCP_DEPLOYER_SERVICE_ACCOUNT_KEY }}
+          token_format: access_token
+          workload_identity_provider: projects/687476608778/locations/global/workloadIdentityPools/github-oidc-activitypub/providers/github-provider-activitypub
+          service_account: prd-activitypub-github-cicd@ghost-activitypub.iam.gserviceaccount.com
 
       - name: "Deploy Migrations to Cloud Run"
         if: ${{ matrix.region == 'europe-west4' }}
-        uses: "google-github-actions/deploy-cloudrun@v2"
+        uses: google-github-actions/deploy-cloudrun@v2
         with:
           image: europe-docker.pkg.dev/ghost-activitypub/activitypub/migrations:${{ needs.build-test-push.outputs.migrations_docker_version }}
           region: ${{ matrix.region }}
@@ -208,7 +226,7 @@ jobs:
             commit-sha=${{ github.sha }}
 
       - name: "Deploy ActivityPub Queue to Cloud Run"
-        uses: "google-github-actions/deploy-cloudrun@v2"
+        uses: google-github-actions/deploy-cloudrun@v2
         with:
           image: europe-docker.pkg.dev/ghost-activitypub/activitypub/activitypub:${{ needs.build-test-push.outputs.activitypub_docker_version }}
           region: ${{ matrix.region }}
@@ -218,7 +236,7 @@ jobs:
             commit-sha=${{ github.sha }}
 
       - name: "Deploy ActivityPub API to Cloud Run"
-        uses: "google-github-actions/deploy-cloudrun@v2"
+        uses: google-github-actions/deploy-cloudrun@v2
         with:
           image: europe-docker.pkg.dev/ghost-activitypub/activitypub/activitypub:${{ needs.build-test-push.outputs.activitypub_docker_version }}
           region: ${{ matrix.region }}
