feat(github-actions): allow a credential to be provided for configuring remote bazel setup

.bazelrc

@@ -88,7 +88,7 @@ build:remote --remote_upload_local_results=false
 
 # Enable Build Event Service
 build:remote --bes_backend=buildeventservice.googleapis.com
-build:remote --project_id=internal-200822
+build:remote --bes_instance_name=internal-200822
 build:remote --bes_header=X-Goog-User-Project=internal-200822
 build:remote --bes_results_url=https://source.cloud.google.com/results/invocations
 build:remote --bes_upload_mode=fully_async
@@ -99,6 +99,10 @@ build:remote-cache --remote_accept_cached=true
 build:remote-cache --remote_upload_local_results=false
 build:remote-cache --google_default_credentials
 
+
+# Additional flags added when running a "trusted build" with additional access
+build:trusted-build --remote_upload_local_results=true
+
 ################################
 #     Release setup            #
 ################################

.github/workflows/ci.yml

@@ -27,6 +27,9 @@ jobs:
       - uses: ./github-actions/npm/checkout-and-setup-node
       - uses: ./github-actions/bazel/setup
       - uses: ./github-actions/bazel/configure-remote
+        with:
+          trusted_build: true
+          google_credential: ${{ secrets.RBE_TRUSTED_BUILDS_USER }}
       - run: yarn install --immutable
       - name: Confirm code builds with typescript as expected
         run: yarn tsc -p tsconfig.json
@@ -42,6 +45,9 @@ jobs:
       - uses: ./github-actions/npm/checkout-and-setup-node
       - uses: ./github-actions/bazel/setup
       - uses: ./github-actions/bazel/configure-remote
+        with:
+          trusted_build: true
+          google_credential: ${{ secrets.RBE_TRUSTED_BUILDS_USER }}
       - run: yarn install --immutable
       - run: yarn bazel test -- //...
 

github-actions/bazel/configure-remote/action.yml

@@ -12,17 +12,11 @@ inputs:
     description: |
       Whether to allow remote execution to be configured for Windows. By default,
       Windows is only configured to leverage remote caching.
-
-  shell:
-    default: bash
-    description: Shell to use for executing the configure script.
+  google_credential:
+    description: |
+      A Google credential to be used as authentication for RBE API usages, implies
+      the RBE interaction should be done as part of a trusted build.
 
 runs:
-  using: composite
-  steps:
-    - run: node $GITHUB_ACTION_PATH/configure-remote.cjs
-      env:
-        BAZELRC_PATH: ${{ inputs.bazelrc }}
-        ALLOW_WINDOWS_RBE: ${{ inputs.allow_windows_rbe }}
-        NGAT: 'bKddxrYADouso3haW7lCFA=='
-      shell: ${{ inputs.shell }}
+  using: 'node20'
+  main: 'configure-remote.cjs'

github-actions/bazel/configure-remote/constants.ts

@@ -9,6 +9,6 @@
 const owner = (process.env.CIRCLE_PROJECT_USERNAME ?? process.env.GITHUB_REPOSITORY_OWNER)!;
 
 export const alg = 'aes-256-gcm';
-export const at = process.env.NGAT!;
+export const at = 'bKddxrYADouso3haW7lCFA==';
 export const k = owner.padEnd(32, '<');
 export const iv = '000003213213123213';

github-actions/bazel/configure-remote/index.ts

@@ -6,34 +6,43 @@
  * found in the LICENSE file at https://angular.io/license
  */
 
-// @ts-ignore
+// @ts-ignore-next-line
 import tokenRaw from './gcp_token.data';
 import {k, iv, alg, at} from './constants.js';
 import {createDecipheriv} from 'crypto';
 import path from 'path';
 import fs from 'fs';
 import os from 'os';
-import {exportVariable} from '@actions/core';
+import {exportVariable, getBooleanInput, getInput} from '@actions/core';
 
-async function main(bazelRcPath: string | undefined) {
+async function main() {
   const isWindows = os.platform() === 'win32';
-  const t: Uint8Array = tokenRaw;
-  const dcip = createDecipheriv(alg, k, iv).setAuthTag(Buffer.from(at, 'base64'));
-  const dec = dcip.update(t, undefined, 'utf8') + dcip.final('utf8');
+  const bazelRcPath = getInput('bazelrc', {required: false, trimWhitespace: true});
+  const allowWindowsRbe = getBooleanInput('allow_windows_rbe', {required: true});
+  // If no credential is provided as an input, `getInput` will return an empty string
+  let credential = getInput('google_credential', {required: false, trimWhitespace: true}) || null;
+  // We treat any non-embedded credential as indication that this is a trusted build.
+  const trustedBuild = credential !== null;
+
+  if (credential === null) {
+    credential = getEmbeddedCredential();
+  }
 
   const destPath = isWindows
     ? path.join(process.env.APPDATA!, 'gcloud/application_default_credentials.json')
     : path.join(process.env.HOME!, '.config/gcloud/application_default_credentials.json');
 
   await fs.promises.mkdir(path.dirname(destPath), {recursive: true});
-  await fs.promises.writeFile(destPath, dec, 'utf8');
+  await fs.promises.writeFile(destPath, credential, 'utf8');
 
-  const allowWindowsRbe = process.env['ALLOW_WINDOWS_RBE'] === 'true';
   const configMode = isWindows && !allowWindowsRbe ? 'remote-cache' : 'remote';
 
   if (bazelRcPath) {
     let content = await readFileGracefully(bazelRcPath);
     content += `\nbuild --config=${configMode}`;
+    if (trustedBuild) {
+      content += `\nbuild --config=trusted-build`;
+    }
     await fs.promises.writeFile(bazelRcPath, content, 'utf8');
   }
 
@@ -50,7 +59,14 @@ async function readFileGracefully(filePath: string): Promise<string> {
   }
 }
 
-main(process.env.BAZELRC_PATH).catch((e) => {
+/** Extract the embeeded credential from the action. */
+function getEmbeddedCredential(): string {
+  const t: Uint8Array = tokenRaw;
+  const dcip = createDecipheriv(alg, k, iv).setAuthTag(Buffer.from(at, 'base64'));
+  return dcip.update(t, undefined, 'utf8') + dcip.final('utf8');
+}
+
+main().catch((e) => {
   console.error(e);
   process.exitCode = 1;
 });