Change github actions authentication to use workload identity federation

Author: paoloredis

.github/workflows/main-staging.yml

@@ -10,9 +10,10 @@ jobs:
       HUGO_VERSION: 0.143.1
       GCLOUD_VERSION: 458.0.1-linux-x86_64
       BUCKET: docs-staging-learn-redis-com
-      BUCKET_SERVICE_ACCOUNT: ${{ secrets.BUCKET_DOCUMENTATION_SA_STAGING }}
-      BUCKET_SECRET: ${{ secrets.BUCKET_DOCUMENTATION_STAGING }}
-      GCP_PROJECT: ${{ secrets.GCP_PROJECT_STAGING }}
+      STAGING_PROJECT_ID: ${{ secrets.GCP_PROJECT_STAGING }}
+      STAGING_SERVICE_ACCOUNT: ${{ secrets.STAGING_SERVICE_ACCOUNT }}
+      STAGING_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.STAGING_WORKLOAD_IDENTITY_PROVIDER }}
+
     steps:
     - name: Start
       run: echo "The name of the branch is ${{ github.ref }} on ${{ github.repository }}"
@@ -167,12 +168,14 @@ jobs:
           wget -O ${{ github.workspace }}/google-cloud-cli.tar.gz "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-$GCLOUD_VERSION.tar.gz" \
           && tar -xvf google-cloud-cli.tar.gz -C ${{ github.workspace }}\
           && ${{ github.workspace }}/google-cloud-sdk/install.sh --quiet
-    - name: Prepare bucket authentication
-      run: echo $BUCKET_SECRET | base64 --decode > service_account.json && ls -a service_account.json
-    - name: Authenticate to the bucket
-      run: |
-          ./google-cloud-sdk/bin/gcloud auth activate-service-account $BUCKET_SERVICE_ACCOUNT --key-file=./service_account.json --project=$GCP_PROJECT \
-          && ./google-cloud-sdk/bin/gcloud auth list
+
+    - name: 'Google auth'
+      uses: 'google-github-actions/auth@v2'
+      with:
+        project_id: '${{ env.STAGING_PROJECT_ID }}'
+        service_account: '${{ env.STAGING_SERVICE_ACCOUNT }}'
+        workload_identity_provider: '${{ env.STAGING_WORKLOAD_IDENTITY_PROVIDER }}'
+
     - name: Sync the branch to the bucket
       run: |
           if [[ "${{ github.ref_name }}" == "main" ]]

.github/workflows/main.yml

@@ -10,9 +10,10 @@ jobs:
       HUGO_VERSION: 0.143.1
       GCLOUD_VERSION: 458.0.1-linux-x86_64
       BUCKET: docs-prod-learn-redis-com
-      BUCKET_SERVICE_ACCOUNT: ${{ secrets.BUCKET_DOCUMENTATION_SA_PROD }}
-      BUCKET_SECRET: ${{ secrets.BUCKET_DOCUMENTATION_PROD }}
-      GCP_PROJECT: ${{ secrets.GCP_PROJECT_PROD }}
+      PROD_PROJECT_ID: ${{ secrets.GCP_PROJECT_PROD }}
+      PROD_SERVICE_ACCOUNT: ${{ secrets.PROD_SERVICE_ACCOUNT }}
+      PROD_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.PROD_WORKLOAD_IDENTITY_PROVIDER }}
+
     steps:
     - name: Start
       run: echo "The name of the branch is ${{ github.ref }} on ${{ github.repository }}"
@@ -167,12 +168,14 @@ jobs:
           wget -O ${{ github.workspace }}/google-cloud-cli.tar.gz "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-$GCLOUD_VERSION.tar.gz" \
           && tar -xvf google-cloud-cli.tar.gz -C ${{ github.workspace }}\
           && ${{ github.workspace }}/google-cloud-sdk/install.sh --quiet
-    - name: Prepare bucket authentication
-      run: echo $BUCKET_SECRET | base64 --decode > service_account.json && ls -a service_account.json
-    - name: Authenticate to the bucket
-      run: |
-          ./google-cloud-sdk/bin/gcloud auth activate-service-account $BUCKET_SERVICE_ACCOUNT --key-file=./service_account.json --project=$GCP_PROJECT \
-          && ./google-cloud-sdk/bin/gcloud auth list
+
+    - name: 'Google auth'
+      uses: 'google-github-actions/auth@v2'
+      with:
+        project_id: '${{ env.PROD_PROJECT_ID }}'
+        service_account: '${{ env.PROD_SERVICE_ACCOUNT }}'
+        workload_identity_provider: '${{ env.PROD_WORKLOAD_IDENTITY_PROVIDER }}'
+
     - name: Sync the branch to the bucket
       run: |
           if [[ "${{ github.ref_name }}" == "main" ]]

.github/workflows/test_gcs_access.yml

@@ -10,24 +10,28 @@ jobs:
     env:
       GCLOUD_VERSION: 458.0.1-linux-x86_64
       BUCKET: docs-prod-learn-redis-com
-      BUCKET_SERVICE_ACCOUNT: ${{ secrets.BUCKET_DOCUMENTATION_SA_PROD }}
-      BUCKET_SECRET: ${{ secrets.BUCKET_DOCUMENTATION_PROD }}
-      GCP_PROJECT: ${{ secrets.GCP_PROJECT_PROD }}
+      PROD_PROJECT_ID: ${{ secrets.GCP_PROJECT_PROD }}
+      PROD_SERVICE_ACCOUNT: ${{ secrets.PROD_SERVICE_ACCOUNT }}
+      PROD_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.PROD_WORKLOAD_IDENTITY_PROVIDER }}
+
     steps:
     - uses: actions/checkout@v4
     - name: Start
       run: echo "The name of the branch is ${{ github.ref }} on ${{ github.repository }}"
-    - name: Fetch the credentails
-      run: echo $BUCKET_SECRET | base64 --decode > service_account.json && ls -a service_account.json
+
     - name: Install the Google Cloud CLI
       run: |
           wget -O ${{ github.workspace }}/google-cloud-cli.tar.gz "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-$GCLOUD_VERSION.tar.gz" \
           && tar -xvf google-cloud-cli.tar.gz -C ${{ github.workspace }}\
           && ${{ github.workspace }}/google-cloud-sdk/install.sh --quiet
-    - name: Authenticate to Google Cloud
-      run: |
-          ./google-cloud-sdk/bin/gcloud auth activate-service-account $BUCKET_SERVICE_ACCOUNT --key-file=./service_account.json --project=$GCP_PROJECT \
-          && ./google-cloud-sdk/bin/gcloud auth list
+
+    - name: 'Google auth'
+      uses: 'google-github-actions/auth@v2'
+      with:
+        project_id: '${{ env.PROD_PROJECT_ID }}'
+        service_account: '${{ env.PROD_SERVICE_ACCOUNT }}'
+        workload_identity_provider: '${{ env.PROD_WORKLOAD_IDENTITY_PROVIDER }}'
+
     - name: List files
       run: ./google-cloud-sdk/bin/gsutil ls gs://$BUCKET
     - name: End