Merge pull request #112 from codecov/trent/oidc

trent-codecov · web-flow · commit d53881b7263c · 2023-03-20T09:11:14.000-05:00
Update release_flow.yml
diff --git a/.github/workflows/release_flow.yml b/.github/workflows/release_flow.yml
@@ -112,14 +112,20 @@ jobs:
   publish_release:
     name: Publish release
     needs: buildassets
-      # Authenticate with gcloud using OIDC
-    - name: Authenticate with GCP using OIDC
-      run: |
-        echo "${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}" > gcp-service-account.json
-        gcloud auth activate-service-account --key-file=gcp-service-account.json
-        gcloud auth login --update-adc
+    runs-on: ubuntu-latest
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+    steps:
+      - id: 'auth'
+        name: 'Authenticate to Google Cloud'
+        uses: 'google-github-actions/auth@v1.0.0'
+        with:
+          create_credentials_file: 'true'
+          workload_identity_provider: ${{ secrets.CODECOV_GCP_WIDP }}
+          service_account: ${{ secrets.CODECOV_GCP_WIDSA }}
 
-    # Publish the release tag to a Pub/Sub topic
-    - name: Publish a message to a Pub/Sub topic
-      run: |
-        gcloud pubsub topics publish ${{ secrets.GCLOUD_UPLOADER_PUBSUB_TOPIC }} --message '{"release":"'"${{ github.ref_name }}"'", "latest":true}'
+      # Publish the release tag to a Pub/Sub topic
+      - name: Publish a message to a Pub/Sub topic
+        run: |
+          gcloud pubsub topics publish ${{ secrets.GCLOUD_UPLOADER_PUBSUB_TOPIC }} --message '{"release":"'"${{ github.ref_name }}"'", "latest":true}'
