feat(warden): Upload findings to GCS via Workload Identity Federation (#176)

gricha · claude · web-flow · commit 128ef284ea24 · 2026-03-05T20:10:50.000-08:00
* feat(warden): Upload findings to GCS via Workload Identity Federation Authenticate to GCP using OIDC workload identity and upload warden findings JSON to the warden-logs bucket after each PR scan. Files are stored as timestamped JSON under org/repo paths for downstream analysis. Co-Authored-By: Claude <noreply@anthropic.com> Agent transcript: https://claudescope.sentry.dev/share/1bzpd9bFJDpsTMflTcligEabMBUvuiHXGg3hoDQHdvI * fix(warden): Address review feedback on GCS upload steps Move GCP auth after warden scan with continue-on-error so auth failures don't block scanning. Guard rename/upload on findings-file being non-empty. Use env var instead of direct expression interpolation. Co-Authored-By: Claude <noreply@anthropic.com> Agent transcript: https://claudescope.sentry.dev/share/BKBjQj046vaZRSSn53ACddWCi8IA4OfcDBXrt63hk7U * fix(warden): Add continue-on-error to GCS upload step Prevent upload failures (e.g. from failed GCP auth) from failing the entire workflow job. Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/.github/workflows/warden.yml b/.github/workflows/warden.yml
@@ -9,6 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
         contents: read
+        id-token: write
     env:
       WARDEN_ANTHROPIC_API_KEY: ${{ secrets.WARDEN_ANTHROPIC_API_KEY }}
       WARDEN_MODEL: ${{ secrets.WARDEN_MODEL }}
@@ -25,6 +26,32 @@ jobs:
           owner: ${{ github.repository_owner }} # access to all repos, cause this is triggered on org level
 
       - uses: getsentry/warden@v0
+        id: warden
         continue-on-error: true # throw no error for now
         with:
-          github-token: ${{ steps.app-token.outputs.token }}
+          github-token: ${{ steps.app-token.outputs.token }}
+
+      - name: Authenticate to Google Cloud
+        continue-on-error: true
+        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093
+        with:
+          workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool
+          service_account: gha-warden@sac-prod-sa.iam.gserviceaccount.com
+
+      - name: Rename findings file with timestamp
+        id: rename-findings
+        if: always() && steps.warden.outputs.findings-file != ''
+        env:
+          FINDINGS_FILE: ${{ steps.warden.outputs.findings-file }}
+        run: |
+          DEST="$RUNNER_TEMP/$(date -u +%Y-%m-%dT%H%M%SZ).json"
+          cp "$FINDINGS_FILE" "$DEST"
+          echo "path=$DEST" >> "$GITHUB_OUTPUT"
+
+      - name: Upload findings to GCS
+        continue-on-error: true
+        uses: google-github-actions/upload-cloud-storage@c0f6160ff80057923ff50e5e567695cea181ec23 # v2
+        if: always() && steps.rename-findings.outputs.path != ''
+        with:
+          path: ${{ steps.rename-findings.outputs.path }}
+          destination: warden-logs/${{ github.repository }}
