Update docs to list full job and pin auth to @v0 (#259)

Author: sethvargo

.github/workflows/deploy-cloudrun-credentials-it.yml

@@ -23,7 +23,7 @@ jobs:
         npm run build
 
     - name: Set up authentication
-      uses: google-github-actions/setup-gcloud@master
+      uses: google-github-actions/setup-gcloud@v0
       with:
         service_account_key: ${{ secrets.DEPLOY_CLOUDRUN_SA_KEY_B64 }}
         export_default_credentials: true
@@ -61,7 +61,7 @@ jobs:
         image: gcr.io/cloudrun/hello
         service: ${{ steps.service.outputs.service }}
 
-    - uses: google-github-actions/setup-gcloud@master # Set up ADC to make authenticated request to service
+    - uses: google-github-actions/setup-gcloud@v0 # Set up ADC to make authenticated request to service
       with:
         service_account_key: ${{ secrets.DEPLOY_CLOUDRUN_SA_KEY_B64 }}
         export_default_credentials: true
@@ -93,7 +93,7 @@ jobs:
         image: gcr.io/cloudrun/hello
         service: ${{ steps.service.outputs.service }}
 
-    - uses: google-github-actions/setup-gcloud@master # Set up ADC to make authenticated request to service
+    - uses: google-github-actions/setup-gcloud@v0 # Set up ADC to make authenticated request to service
       with:
         service_account_key: ${{ secrets.DEPLOY_CLOUDRUN_SA_KEY_B64 }}
         export_default_credentials: true
@@ -137,7 +137,7 @@ jobs:
         image: gcr.io/cloudrun/hello
         service: ${{ steps.service.outputs.service }}
 
-    - uses: google-github-actions/setup-gcloud@master # Set up ADC to make authenticated request to service
+    - uses: google-github-actions/setup-gcloud@v0 # Set up ADC to make authenticated request to service
       with:
         service_account_key: ${{ secrets.DEPLOY_CLOUDRUN_SA_KEY_B64 }}
         export_default_credentials: true
@@ -153,7 +153,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [json, gcloud, b64_json, wif]
     steps:
-    - uses: google-github-actions/setup-gcloud@master
+    - uses: google-github-actions/setup-gcloud@v0
       with:
         service_account_key: ${{ secrets.DEPLOY_CLOUDRUN_SA_KEY_B64 }}
         project_id: ${{ secrets.DEPLOY_CLOUDRUN_PROJECT_ID }}

.github/workflows/deploy-cloudrun-traffic-it.yml

@@ -2,7 +2,7 @@ name: deploy-cloudrun Traffic Integration
 
 on:
   push:
-    branches: 
+    branches:
     - 'main'
   pull_request:
 
@@ -32,7 +32,7 @@ jobs:
         source: example-app
 
     - name: Setup Authentication with gcloud
-      uses: google-github-actions/setup-gcloud@master
+      uses: google-github-actions/setup-gcloud@v0
       with:
         service_account_key: ${{ secrets.DEPLOY_CLOUDRUN_SA_KEY_B64 }}
         export_default_credentials: true
@@ -87,7 +87,7 @@ jobs:
         suffix: "002"
 
     - name: Setup Authentication with gcloud
-      uses: google-github-actions/setup-gcloud@master
+      uses: google-github-actions/setup-gcloud@v0
       with:
         service_account_key: ${{ secrets.DEPLOY_CLOUDRUN_SA_KEY_B64 }}
         export_default_credentials: true
@@ -98,7 +98,7 @@ jobs:
         URL: ${{ steps.deploy_1.outputs.url }}
         SERVICE: ${{ steps.service.outputs.service }}
         REVISION: ${{ steps.service.outputs.service }}-002
-  
+
   tag:
     name: with Tag
     if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]' }}
@@ -126,7 +126,7 @@ jobs:
         tag: test-tag
 
     - name: Setup Authentication with gcloud
-      uses: google-github-actions/setup-gcloud@master
+      uses: google-github-actions/setup-gcloud@v0
       with:
         service_account_key: ${{ secrets.DEPLOY_CLOUDRUN_SA_KEY_B64 }}
         export_default_credentials: true
@@ -154,7 +154,7 @@ jobs:
         credentials: ${{ secrets.DEPLOY_CLOUDRUN_SA_KEY_JSON }}
         service: ${{ steps.service.outputs.service }}
         tag_traffic: "test-tag=100"
-    
+
     - name: Integration Tests
       run: npm run e2e-tests
       env:
@@ -170,7 +170,7 @@ jobs:
         credentials: ${{ secrets.DEPLOY_CLOUDRUN_SA_KEY_JSON }}
         service: ${{ steps.service.outputs.service }}
         revision_traffic: "${{ steps.service.outputs.service }}-v2=20"
-    
+
     - name: Integration Tests
       run: npm run e2e-tests
       env:
@@ -203,7 +203,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [source, suffix, tag]
     steps:
-    - uses: google-github-actions/setup-gcloud@master
+    - uses: google-github-actions/setup-gcloud@v0
       with:
         service_account_key: ${{ secrets.DEPLOY_CLOUDRUN_SA_KEY_B64 }}
         project_id: ${{ secrets.DEPLOY_CLOUDRUN_PROJECT_ID }}

.github/workflows/example-workflow.yaml

@@ -31,7 +31,7 @@ jobs:
       uses: actions/checkout@v2
 
     - name: Setup Cloud SDK
-      uses: google-github-actions/setup-gcloud@v0.2.0
+      uses: google-github-actions/setup-gcloud@v0
       with:
         project_id: ${{ env.PROJECT_ID }}
         service_account_key: ${{ secrets.GCP_SA_KEY }}
@@ -44,7 +44,7 @@ jobs:
       run: |-
         docker build -t gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{  github.sha }} example-app/
         docker push gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{  github.sha }}
-        
+
     - name: Deploy to Cloud Run
       id: deploy
       uses: google-github-actions/[email protected]

README.md

@@ -46,21 +46,27 @@ Cloud Run service. See the [Credentials](#credentials) below for more informatio
 ## Usage
 
 ```yaml
-- id: auth
-  uses: google-github-actions/[email protected]
-  with:
-    workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
-    service_account: '[email protected]'
-
-- name: Deploy to Cloud Run
-  id: deploy
-  uses: google-github-actions/[email protected]
-  with:
-    service: hello-cloud-run 
-    image: gcr.io/cloudrun/hello
-
-- name: Use Output
-  run: curl "${{ steps.deploy.outputs.url }}"
+jobs:
+  job_id:
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+
+    steps:
+    - id: 'auth'
+      uses: 'google-github-actions/auth@v0'
+      with:
+        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
+        service_account: '[email protected]'
+
+    - id: 'deploy'
+      uses: 'google-github-actions/[email protected]'
+      with:
+        service: 'hello-cloud-run'
+        image: 'gcr.io/cloudrun/hello'
+
+    - name: 'Use output'
+      run: 'curl "${{ steps.deploy.outputs.url }}"'
 ```
 
 ## Inputs
@@ -149,32 +155,42 @@ one of the methods found in [Configuring Ownership and access to a service accou
 #### Authenticating via Workload Identity Federation
 
 ```yaml
-- id: 'auth'
-  uses: 'google-github-actions/[email protected]'
-  with:
-    workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
-    service_account: '[email protected]'
-
-- name: Deploy to Cloud Run
-  uses: google-github-actions/[email protected]
-  with:
-    image: gcr.io/cloudrun/hello
-    service: hello-cloud-run
+jobs:
+  job_id:
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+
+    steps:
+    - id: 'auth'
+      uses: 'google-github-actions/auth@v0'
+      with:
+        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
+        service_account: '[email protected]'
+
+    - name: 'Deploy to Cloud Run'
+      uses: 'google-github-actions/[email protected]'
+      with:
+        image: 'gcr.io/cloudrun/hello'
+        service: 'hello-cloud-run'
 ```
 
 #### Authenticating via Service Account Key JSON
 
 ```yaml
-- id: 'auth'
-  uses: 'google-github-actions/[email protected]'
-  with:
-    credentials_json: '${{ secrets.GCP_SA_KEY }}'
-
-- name: Deploy to Cloud Run
-  uses: google-github-actions/[email protected]
-  with:
-    image: gcr.io/cloudrun/hello
-    service: hello-cloud-run
+jobs:
+  job_id:
+    steps:
+    - id: 'auth'
+      uses: 'google-github-actions/auth@v0'
+      with:
+        credentials_json: '${{ secrets.GCP_SA_KEY }}'
+
+    - name: 'Deploy to Cloud Run'
+      uses: 'google-github-actions/[email protected]'
+      with:
+        image: 'gcr.io/cloudrun/hello'
+        service: 'hello-cloud-run'
 ```
 
 ### Via Application Default Credentials
@@ -185,11 +201,14 @@ authenticate requests as the service account attached to the instance. **This
 only works using a custom runner hosted on GCP.**
 
 ```yaml
-- name: Deploy to Cloud Run
-  uses: google-github-actions/[email protected]
-  with:
-    image: gcr.io/cloudrun/hello
-    service: hello-cloud-run
+jobs:
+  job_id:
+    steps:
+    - name: 'Deploy to Cloud Run'
+      uses: 'google-github-actions/[email protected]'
+      with:
+        image: 'gcr.io/cloudrun/hello'
+        service: 'hello-cloud-run'
 ```
 
 ## Example Workflows
@@ -245,36 +264,42 @@ git push YOUR-FORK main:example-build-deploy
 Example using `setup-gcloud`:
 
 ```YAML
-- name: Setup Cloud SDK
-  uses: google-github-actions/[email protected]
-  with:
-    project_id: ${{ env.PROJECT_ID }}
-    service_account_key: ${{ secrets.GCP_SA_KEY }}
-
-- name: Deploy to Cloud Run
-  run: |-
-    gcloud run deploy $SERVICE \
-      --region $REGION \
-      --image gcr.io/$PROJECT_ID/$SERVICE \
-      --platform managed \
-      --set-env-vars NAME="Hello World"
+jobs:
+  job_id:
+    steps:
+    - name: 'Setup Cloud SDK'
+      uses: 'google-github-actions/setup-gcloud@v0'
+      with:
+        project_id: '${{ env.PROJECT_ID }}'
+        service_account_key: '${{ secrets.GCP_SA_KEY }}'
+
+    - name: 'Deploy to Cloud Run'
+      run: |-
+        gcloud run deploy $SERVICE \
+          --region $REGION \
+          --image gcr.io/$PROJECT_ID/$SERVICE \
+          --platform managed \
+          --set-env-vars NAME="Hello World"
 ```
 
 Migrated to `deploy-cloudrun`:
 
 ```YAML
-- id: 'auth'
-  uses: 'google-github-actions/[email protected]'
-  with:
-    credentials_json: '${{ secrets.GCP_SA_KEY }}'
-
-- name: Deploy to Cloud Run
-  uses: google-github-actions/[email protected]
-  with:
-    service: ${{ env.SERVICE }}
-    image: gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}
-    region: ${{ env.REGION }}
-    env_vars: NAME="Hello World"
+jobs:
+  job_id:
+    steps:
+    - id: 'auth'
+      uses: 'google-github-actions/auth@v0'
+      with:
+        credentials_json: '${{ secrets.GCP_SA_KEY }}'
+
+    - name: 'Deploy to Cloud Run'
+      uses: 'google-github-actions/[email protected]'
+      with:
+        service: '${{ env.SERVICE }}'
+        image: 'gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}'
+        region: '${{ env.REGION }}'
+        env_vars: 'NAME="Hello World"'
 ```
 Note: The action is for the "managed" platform and will not set access privileges such as [allowing unauthenticated requests](#Allow-unauthenticated-requests).