Changed github actions to used OIDC

[rmgpinto]

ref https://linear.app/ghost/issue/AP-1070

• Changed github actions to use OIDC. This will prevent leaked security credentials to compromise our infrastructure in GCP.

[coderabbitai]

Walkthrough

The changes update the GitHub Actions workflow by introducing new permissions, specifically granting write access to id-token and read access to contents. A new job step for authenticating with Google Cloud Platform (GCP) has been added, utilizing the google-github-actions/auth@v2 action to obtain an access token through a specified workload identity provider and service account. The previous step for running tests has been commented out, indicating that tests will not be executed in this workflow. Additionally, the method for logging into the GCP Artifact Registry has been modified to use the access token obtained from the new authentication step instead of a secret key, along with updates to the authentication method throughout the workflow to replace the use of a credentials JSON with the new token format and service account details.

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b2fd3de and 2bc4535.

📒 Files selected for processing (1)

• .github/workflows/build.yml (8 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Build, Test and Push

🔇 Additional comments (13)

.github/workflows/build.yml (13)

10-13: Enhanced Permissions for OIDC
The new permissions (id-token: write and contents: read) are correctly introduced to support OIDC-based authentication. This minimal permission set aligns well with security best practices and prevents over-privileging the workflow.

---

55-68: ActivityPub Docker Metadata Configuration
The configuration for the “ActivityPub Docker meta” step is well defined. The dynamic tag generation using conditional expressions looks correctly set up for different event types and branches. Please verify that the tag patterns match your versioning strategy, but overall the implementation is solid.

---

70-83: Migrations Docker Metadata Configuration
This section mirrors the ActivityPub metadata configuration for the migrations image. The tag patterns and dynamic evaluations are consistent and should facilitate proper versioning and image tagging.

---

102-108: GCP Authentication with OIDC in Build-Test-Push Job
The authentication step now correctly uses google-github-actions/auth@v2 along with appropriate parameters: token_format, workload_identity_provider, and the staging service account. This update enhances security by eliminating the need for static credentials.

---

114-115: Artifact Registry Login Using Access Token
Updating the login step to pull the access token from the gcp-auth step (with username: oauth2accesstoken) is a secure and efficient approach. This change reduces the reliance on static secrets for authentication.

---

153-159: Staging Deployment: GCP Authentication
The GCP authentication step for the staging deployment job is consistent with the build-test-push job. It properly applies OIDC parameters with the staging service account. This ensures a unified authentication method across different jobs.

---

163-168: Deploy Migrations to Cloud Run (Staging)
The deployment step for migrations includes the flags --wait --execute-now, which ensures that the deployment proceeds synchronously. This configuration looks appropriate for staging.

---

174-174: Deploy ActivityPub Queue (Staging)
The deployment action for the ActivityPub Queue in staging is updated to deploy-cloudrun@v2 and appears to use the correct configuration. Please confirm that the service name and image tags are as intended.

---

184-184: Deploy ActivityPub API (Staging)
This deployment step for the ActivityPub API is aligned with the overall update strategy using OIDC authentication for Cloud Run deployments. No concerns here.

---

208-214: Production: GCP Authentication Update
The production deployment now employs google-github-actions/auth@v2 with OIDC parameters and a production-specific service account (prd-activitypub-github-cicd@ghost-activitypub.iam.gserviceaccount.com). This update is critical for minimizing secret exposure by eliminating the reliance on static credentials.

---

218-223: Deploy Migrations to Cloud Run (Production)
The production migration deployment step includes the necessary flags (--wait --execute-now), ensuring that deployments are executed in a controlled manner. The configuration is consistent with the staging setup.

---

229-229: Deploy ActivityPub Queue (Production)
The production deployment for the ActivityPub Queue is correctly set using the updated deployment action. The consistent configuration reinforces the overall migration to OIDC-based authentication.

---

239-239: Deploy ActivityPub API (Production)
The production API deployment step is properly updated and consistent with the shifts to OIDC authentication. All parameters are as expected for secure and efficient deployment.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai plan to trigger planning for file edits and PR creation.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between be7b46e and f96cae2.

📒 Files selected for processing (1)

• .github/workflows/build.yml (2 hunks)

🧰 Additional context used

🪛 actionlint (1.7.4)

.github/workflows/build.yml

104-104: the runner of "google-github-actions/auth@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🔇 Additional comments (3)

.github/workflows/build.yml (3)

10-13: New Permissions Added:
The new permissions (id-token: write and contents: read) are correctly configured to enable OIDC authentication. This configuration helps support secure token-based authentication with GCP.

---

99-101: Test Step Commented Out:
The "Run Tests" step is currently commented out. Please confirm that disabling tests in this workflow is intentional. If tests need to remain active, consider re-enabling this step or moving test execution to another workflow.

---

115-115: Secure Docker Login Update:
The Docker login step now uses the access token from the GCP authentication step (${{ steps.gcp-auth.outputs.access_token }}) as the password. This update enhances security by avoiding the use of static secret keys.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

.github/workflows/build.yml (1)

102-108: 🛠️ Refactor suggestion

Upgrade GCP Authentication Action Version

The "Authenticate to GCP" step is currently using google-github-actions/auth@v1. As previously noted and confirmed by static analysis, this version is outdated. For improved security, compatibility, and consistency (given that later deployment steps use auth@v2), please update this step to use version v2. Consider applying the following diff:

-        uses: google-github-actions/auth@v1
+        uses: google-github-actions/auth@v2

This change will ensure that all authentication steps benefit from the latest updates and features.

🧰 Tools

🪛 actionlint (1.7.4)

104-104: the runner of "google-github-actions/auth@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🧹 Nitpick comments (1)

.github/workflows/build.yml (1)

99-101: Consider Clarifying the Disabled Test Step

The "Run Tests" step has been commented out. If this is an intentional decision (e.g., tests are handled in another workflow or are temporarily disabled), please consider adding an inline comment explaining the rationale. Otherwise, re-evaluating whether tests should be re-enabled might help maintain robust CI.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f96cae2 and 6fdbb0e.

📒 Files selected for processing (1)

• .github/workflows/build.yml (3 hunks)

🧰 Additional context used

🪛 actionlint (1.7.4)

.github/workflows/build.yml

104-104: the runner of "google-github-actions/auth@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🔇 Additional comments (1)

.github/workflows/build.yml (1)

10-13: New OIDC Permissions Added

The new permissions block granting id-token: write and contents: read is correctly configured to support the OIDC-based authentication mechanism.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/build.yml (1)

99-101: Commented Out Test Step
The "Run Tests" step has been commented out. Please confirm that skipping tests is intentional for this workflow or add an explanatory comment. Consistency in CI testing is important, and if tests are to be re-enabled later, consider leaving a note or tracking the change in documentation.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6fdbb0e and 26d4d50.

📒 Files selected for processing (1)

• .github/workflows/build.yml (8 hunks)

🔇 Additional comments (4)

.github/workflows/build.yml (4)

10-12: Explicit OIDC Permissions Added
The new permissions block specifying id-token: write and contents: read is correctly added. This setting is essential to enable OIDC-based authentication and ensures that the workflow can request and use the ID token.

---

102-108: GCP Authentication via OIDC in Build Job
The "Authenticate to GCP" step now uses google-github-actions/auth@v2 with the correct parameters (token_format: access_token, workload_identity_provider, and service_account). This update aligns well with the PR objectives to leverage OIDC for enhanced security.

---

115-115: Artifact Registry Login Updated
Replacing the previous secret key with the access token from the authentication step (${{ steps.gcp-auth.outputs.access_token }}) for logging into GCP Artifact Registry is a strong security improvement and aligns with best practices.

---

154-158: Consistent OIDC Authentication in Staging Deploy
The "Auth with Google Cloud" step in the deploy-staging job correctly uses the updated OIDC-based approach with google-github-actions/auth@v2. The use of token_format: access_token, workload_identity_provider, and service_account confirms a unified and secure approach for staging.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

.github/workflows/build.yml (1)

208-211: 🛠️ Refactor suggestion

⚠️ Potential issue

Production Deployment Auth Still Uses Credentials JSON.
The production deployment "Auth with Google Cloud" step (lines 208-211) still uses credentials_json rather than the OIDC-based parameters. This creates an inconsistency relative to the staging deployment and other parts of the workflow. To fully benefit from the security improvements of OIDC and reduce reliance on secret-based authentication, consider updating this step as follows:

-      - name: "Auth with Google Cloud"
-        uses: google-github-actions/auth@v2
-        with:
-          credentials_json: ${{ secrets.GCP_DEPLOYER_SERVICE_ACCOUNT_KEY }}
+      - name: "Auth with Google Cloud"
+        uses: google-github-actions/auth@v2
+        with:
+          token_format: access_token
+          workload_identity_provider: projects/ghost-activitypub/locations/global/workloadIdentityPools/github-oidc-activitypub/providers/github-provider-activitypub
+          service_account: stg-activitypub-github-cicd@ghost-activitypub.iam.gserviceaccount.com

This change will align production deployment with the new OIDC approach and further enhance security.

🧹 Nitpick comments (1)

.github/workflows/build.yml (1)

99-101: Assess Commented Out Test Step.
The "Run Tests" step is commented out. If this is intentional (e.g., tests are run elsewhere or deferred), please document the reasoning to avoid confusion. Otherwise, consider re-enabling tests or adding a conditional to run them in appropriate contexts.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 26d4d50 and e2e2a48.

📒 Files selected for processing (1)

• .github/workflows/build.yml (8 hunks)

🔇 Additional comments (4)

.github/workflows/build.yml (4)

10-13: OIDC Permissions Configuration Verified.
The new permissions block granting id-token: write and contents: read is correctly configured to support OIDC authentication in this workflow.

---

102-108: GCP Authentication via OIDC Configured Correctly.
The Authenticate to GCP step now uses google-github-actions/auth@v2 with proper parameters (token_format, workload_identity_provider, and service_account) to obtain an access token via OIDC. This update properly aligns with the PR objective.

---

115-115: Artifact Registry Login Uses OIDC Token.
The step logging into GCP Artifact Registry correctly uses the access token (${{ steps.gcp-auth.outputs.access_token }}) obtained from the authentication step.

---

154-158: Staging Deployment OIDC Authentication Updated.
In the staging deployment section, the "Auth with Google Cloud" step is amended to use OIDC (with token_format, workload_identity_provider, and service_account), ensuring consistency with the rest of the workflow.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/build.yml (1)

99-101: Tests Are Disabled: Confirm the Intent
The "Run Tests" step has been commented out, which might be intentional. If this is temporary, please document the rationale (e.g., linking to a tracked issue or providing context) so that future maintainers are aware. Otherwise, consider re-enabling tests to preserve CI coverage.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 89e7daa and 1623e7e.

📒 Files selected for processing (1)

• .github/workflows/build.yml (8 hunks)

🔇 Additional comments (3)

.github/workflows/build.yml (3)

10-12: Enhance Security with OIDC Permissions
The addition of id-token: write and contents: read permissions is a good move for enabling OIDC-based operations while minimizing access scope. Ensure these permissions satisfy all your workflow requirements.

---

102-109: Implementing GCP Authentication via OIDC
The new "Authenticate to GCP" step using google-github-actions/auth@v2 with the specified token_format, workload_identity_provider, and service_account is correctly implemented to leverage OIDC. Double-check that the provider and service account identifiers match your GCP configurations.

---

114-115: Artifact Registry Login Update
Switching to using the access token (${{ steps.gcp-auth.outputs.access_token }}) for logging into the GCP Artifact Registry is a secure improvement. Verify that docker/login-action@v3 properly supports this authentication mechanism and that the username "oauth2accesstoken" is as intended.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

.github/workflows/build.yml (3)

99-101: Commented Out Tests:
The tests step is intentionally commented out. Please ensure this is a deliberate decision—if tests are being handled elsewhere or intentionally skipped, it would be helpful to document the rationale for future maintainers.

---

139-139: Comment on Unused Conditional:
The commented if: github.ref == 'refs/heads/main' in the staging deployment job suggests that a conditional execution was considered. If this is no longer required, consider removing it—or add a clarifying comment to explain why it remains commented out.

---

161-172: Deploy Migrations (Staging):
The staging deployment for migrations via Cloud Run looks correctly set up with deploy-cloudrun@v2. Consider if additional error handling or status checks might be useful for improved visibility on deployment failures.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1623e7e and 93a02d7.

📒 Files selected for processing (1)

• .github/workflows/build.yml (9 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Build, Test and Push

🔇 Additional comments (11)

.github/workflows/build.yml (11)

10-12: New Permissions Set for OIDC:
The added permissions (id-token: write and contents: read) align well with the OIDC approach and help ensure that the workflow has only the minimal privileges required for authentication.

---

102-108: GCP Authentication via OIDC:
This step correctly uses google-github-actions/auth@v2 with the appropriate OIDC parameters. Confirm that the workload_identity_provider and service_account values remain current with your GCP and identity pool configurations.

---

110-115: Artifact Registry Login with Access Token:
Using the access token from the GCP authentication step and hardcoding the username as oauth2accesstoken is in line with recommended practices for accessing the Artifact Registry. Be mindful of the token’s lifecycle during long-running jobs.

---

153-159: Staging GCP Authentication:
This staging authentication step is properly configured with auth@v2 and the expected OIDC parameters. Verify that the service account (stg-activitypub-github-cicd@...) has the appropriate minimal privileges for staging deployments.

---

173-182: Deploy ActivityPub Queue (Staging):
This deployment step for the ActivityPub Queue is correct and uses the proper parameters. Just double-check that the service name convention (i.e. stg-${{ matrix.region_name }}-activitypub-queue) matches your Cloud Run configuration.

---

183-191: Deploy ActivityPub API (Staging):
The API deployment in staging adheres to the overall OIDC authentication setup and deployment pattern. Ensure that the region and service naming values accurately reflect your staging environment.

---

208-215: Production GCP Authentication:
In production, authentication now leverages a dedicated service account (prd-activitypub-github-cicd@...), which is a good security practice. Verify that this account has only the necessary permissions, and that the OIDC parameters are consistent with your production identity pool settings.

---

216-227: Deploy Migrations (Production):
This production deployment step for migrations is configured appropriately. As with staging, ensure that any failure scenarios are effectively monitored.

---

228-236: Deploy ActivityPub Queue (Production):
The production deployment step for the ActivityPub Queue correctly utilizes OIDC authentication. Confirm that the image tag and service name align with your production configuration.

---

238-246: Deploy ActivityPub API (Production):
The API deployment step for production is set up similarly to its staging counterpart and uses OIDC parameters consistently. This configuration appears sound; just ensure that all naming conventions are as expected.

---

248-254: Slack Notification on Failure (Production):
The Slack notification step is well-placed to alert on deployment failures. Verify that the Slack webhook URL is up-to-date and that the notification action functions as intended.