diff --git a/.github/workflows/main-staging.yml b/.github/workflows/main-staging.yml index be929f0e59..cfa4215477 100644 --- a/.github/workflows/main-staging.yml +++ b/.github/workflows/main-staging.yml @@ -6,13 +6,17 @@ jobs: build_docs: name: Build the staging documentation site runs-on: ubuntu-latest + permissions: + contents: 'read' + id-token: 'write' env: HUGO_VERSION: 0.143.1 GCLOUD_VERSION: 458.0.1-linux-x86_64 BUCKET: docs-staging-learn-redis-com - BUCKET_SERVICE_ACCOUNT: ${{ secrets.BUCKET_DOCUMENTATION_SA_STAGING }} - BUCKET_SECRET: ${{ secrets.BUCKET_DOCUMENTATION_STAGING }} - GCP_PROJECT: ${{ secrets.GCP_PROJECT_STAGING }} + STAGING_PROJECT_ID: ${{ secrets.GCP_PROJECT_STAGING }} + STAGING_SERVICE_ACCOUNT: ${{ secrets.STAGING_SERVICE_ACCOUNT }} + STAGING_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.STAGING_WORKLOAD_IDENTITY_PROVIDER }} + steps: - name: Start run: echo "The name of the branch is ${{ github.ref }} on ${{ github.repository }}" 
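Review bot: `id-token: 'write'` is granted at job level in `build_docs`, so every step of the job, including the build steps that lie between this hunk and the `Google auth` step, can request an OIDC token, although only the auth step needs one. Moving the auth, SDK setup and sync steps into their own job that receives the built `public/` directory as an artifact would keep that permission away from the site build; at minimum, document it with `# id-token: write is required only by google-github-actions/auth (Workload Identity Federation)`. `GCLOUD_VERSION` stays in `env:` although the install step that read it is removed later in this commit, so it looks unused now and can be dropped. The first hunk of main.yml and the hunk of test_gcs_access.yml have the same lines. The job body continues outside the hunk.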
@@ -162,17 +166,20 @@ jobs: run: ls "${{ github.workspace }}/examples" - name: List files to be published run: ls "${{ github.workspace }}/public" - - name: Install the Google Cloud CLI - run: | - wget -O ${{ github.workspace }}/google-cloud-cli.tar.gz "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-$GCLOUD_VERSION.tar.gz" \ - && tar -xvf google-cloud-cli.tar.gz -C ${{ github.workspace }}\ - && ${{ github.workspace }}/google-cloud-sdk/install.sh --quiet - - name: Prepare bucket authentication - run: echo $BUCKET_SECRET | base64 --decode > service_account.json && ls -a service_account.json - - name: Authenticate to the bucket - run: | - ./google-cloud-sdk/bin/gcloud auth activate-service-account $BUCKET_SERVICE_ACCOUNT --key-file=./service_account.json --project=$GCP_PROJECT \ - && ./google-cloud-sdk/bin/gcloud auth list + + - name: 'Google auth' + uses: 'google-github-actions/auth@v2' + with: + project_id: '${{ env.STAGING_PROJECT_ID }}' + service_account: '${{ env.STAGING_SERVICE_ACCOUNT }}' + workload_identity_provider: '${{ env.STAGING_WORKLOAD_IDENTITY_PROVIDER }}' + + - name: 'Set up Cloud SDK' + uses: 'google-github-actions/setup-gcloud@v2' + with: + project_id: '${{ env.STAGING_PROJECT_ID }}' + version: '>= 363.0.0' + - name: Sync the branch to the bucket run: | if [[ "${{ github.ref_name }}" == "main" ]] @@ -187,7 +194,7 @@ jobs: else bucket_path=staging/${{ github.ref_name }} fi \ - && ./google-cloud-sdk/bin/gsutil -m rsync -r -c -j html -d ${{ github.workspace }}/public gs://$BUCKET/$bucket_path + && gsutil -m rsync -r -c -j html -d ${{ github.workspace }}/public gs://$BUCKET/$bucket_path versioned_builds=($(find . -type d -regex ".*[0-9-]" -maxdepth 1 | sed -E 's/^.\///')) for versioned_build in "${versioned_builds[@]}"; do diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 504f14ccb1..1da1581a04 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
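Review bot: Both new `uses:` lines reference the mutable tag `@v2`, so the code that runs with this job's OIDC token and Google credentials can change without any change in this repository; pin each action to a full commit SHA, e.g. `uses: 'google-github-actions/auth@<full-commit-sha>'` with a trailing `# v2` comment. `version: '>= 363.0.0'` likewise lets the installed SDK float, where the removed step installed exactly `$GCLOUD_VERSION`; an exact `version: '458.0.1'` would keep the tooling reproducible. The second hunk of main.yml and the hunk of test_gcs_access.yml add the same two steps.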
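Review bot: The sync script still expands `${{ github.ref_name }}` directly into the shell text, and the changed `gsutil` line uses `$bucket_path` unquoted, so a branch name containing spaces or shell metacharacters is interpreted by the shell in a job that now holds Google credentials. Pass the value through the step's environment instead, `env:` with `REF_NAME: ${{ github.ref_name }}`, and use `bucket_path="staging/$REF_NAME"` and `"gs://$BUCKET/$bucket_path"` in the script. The `run:` block starts before this hunk and continues after it, and the last hunk of main.yml has the same lines.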
@@ -6,13 +6,17 @@ jobs: build_docs: name: Build the production documentation site runs-on: ubuntu-latest + permissions: + contents: 'read' + id-token: 'write' env: HUGO_VERSION: 0.143.1 GCLOUD_VERSION: 458.0.1-linux-x86_64 BUCKET: docs-prod-learn-redis-com - BUCKET_SERVICE_ACCOUNT: ${{ secrets.BUCKET_DOCUMENTATION_SA_PROD }} - BUCKET_SECRET: ${{ secrets.BUCKET_DOCUMENTATION_PROD }} - GCP_PROJECT: ${{ secrets.GCP_PROJECT_PROD }} + PROD_PROJECT_ID: ${{ secrets.GCP_PROJECT_PROD }} + PROD_SERVICE_ACCOUNT: ${{ secrets.PROD_SERVICE_ACCOUNT }} + PROD_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.PROD_WORKLOAD_IDENTITY_PROVIDER }} + steps: - name: Start run: echo "The name of the branch is ${{ github.ref }} on ${{ github.repository }}" 
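Review bot: Nothing in the workflow records what `PROD_WORKLOAD_IDENTITY_PROVIDER` is expected to accept, and with the key file gone the provider's attribute condition is what decides which workflow runs may act as `PROD_SERVICE_ACCOUNT`. A comment above the three variables would make that assumption reviewable, e.g. `# The provider must only accept tokens from this repository and the branches allowed to publish (attribute condition on assertion.repository / assertion.ref)`. If the job is given a GitHub `environment:`, the production provider could be conditioned on that as well; whether one is set elsewhere in the job is not visible in this hunk. The staging hunk of main-staging.yml and the hunk of test_gcs_access.yml leave the same thing undocumented.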
@@ -162,17 +166,20 @@ jobs: run: ls "${{ github.workspace }}/examples" - name: List files to be published run: ls "${{ github.workspace }}/public" - - name: Install the Google Cloud CLI - run: | - wget -O ${{ github.workspace }}/google-cloud-cli.tar.gz "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-$GCLOUD_VERSION.tar.gz" \ - && tar -xvf google-cloud-cli.tar.gz -C ${{ github.workspace }}\ - && ${{ github.workspace }}/google-cloud-sdk/install.sh --quiet - - name: Prepare bucket authentication - run: echo $BUCKET_SECRET | base64 --decode > service_account.json && ls -a service_account.json - - name: Authenticate to the bucket - run: | - ./google-cloud-sdk/bin/gcloud auth activate-service-account $BUCKET_SERVICE_ACCOUNT --key-file=./service_account.json --project=$GCP_PROJECT \ - && ./google-cloud-sdk/bin/gcloud auth list + + - name: 'Google auth' + uses: 'google-github-actions/auth@v2' + with: + project_id: '${{ env.PROD_PROJECT_ID }}' + service_account: '${{ env.PROD_SERVICE_ACCOUNT }}' + workload_identity_provider: '${{ env.PROD_WORKLOAD_IDENTITY_PROVIDER }}' + + - name: 'Set up Cloud SDK' + uses: 'google-github-actions/setup-gcloud@v2' + with: + project_id: '${{ env.PROD_PROJECT_ID }}' + version: '>= 363.0.0' + - name: Sync the branch to the bucket run: | if [[ "${{ github.ref_name }}" == "main" ]] @@ -187,7 +194,7 @@ jobs: else bucket_path=staging/${{ github.ref_name }} fi \ - && ./google-cloud-sdk/bin/gsutil -m rsync -r -c -j html -d ${{ github.workspace }}/public gs://$BUCKET/$bucket_path + && gsutil -m rsync -r -c -j html -d ${{ github.workspace }}/public gs://$BUCKET/$bucket_path if [[ "${{ github.ref_name }}" == "latest" ]] then diff --git a/.github/workflows/test_gcs_access.yml b/.github/workflows/test_gcs_access.yml index feb80c3fb8..3a90dedb12 100644 --- a/.github/workflows/test_gcs_access.yml +++ b/.github/workflows/test_gcs_access.yml 
@@ -7,29 +7,36 @@ jobs: test_gcs: name: Test Google Cloud Storage access runs-on: ubuntu-latest + permissions: + contents: 'read' + id-token: 'write' env: GCLOUD_VERSION: 458.0.1-linux-x86_64 BUCKET: docs-prod-learn-redis-com - BUCKET_SERVICE_ACCOUNT: ${{ secrets.BUCKET_DOCUMENTATION_SA_PROD }} - BUCKET_SECRET: ${{ secrets.BUCKET_DOCUMENTATION_PROD }} - GCP_PROJECT: ${{ secrets.GCP_PROJECT_PROD }} + PROD_PROJECT_ID: ${{ secrets.GCP_PROJECT_PROD }} + PROD_SERVICE_ACCOUNT: ${{ secrets.PROD_SERVICE_ACCOUNT }} + PROD_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.PROD_WORKLOAD_IDENTITY_PROVIDER }} + steps: - uses: actions/checkout@v4 - name: Start run: echo "The name of the branch is ${{ github.ref }} on ${{ github.repository }}" - - name: Fetch the credentails - run: echo $BUCKET_SECRET | base64 --decode > service_account.json && ls -a service_account.json - - name: Install the Google Cloud CLI - run: | - wget -O ${{ github.workspace }}/google-cloud-cli.tar.gz "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-$GCLOUD_VERSION.tar.gz" \ - && tar -xvf google-cloud-cli.tar.gz -C ${{ github.workspace }}\ - && ${{ github.workspace }}/google-cloud-sdk/install.sh --quiet - - name: Authenticate to Google Cloud - run: | - ./google-cloud-sdk/bin/gcloud auth activate-service-account $BUCKET_SERVICE_ACCOUNT --key-file=./service_account.json --project=$GCP_PROJECT \ - && ./google-cloud-sdk/bin/gcloud auth list + + - name: 'Google auth' + uses: 'google-github-actions/auth@v2' + with: + project_id: '${{ env.PROD_PROJECT_ID }}' + service_account: '${{ env.PROD_SERVICE_ACCOUNT }}' + workload_identity_provider: '${{ env.PROD_WORKLOAD_IDENTITY_PROVIDER }}' + + - name: 'Set up Cloud SDK' + uses: 'google-github-actions/setup-gcloud@v2' + with: + project_id: '${{ env.PROD_PROJECT_ID }}' + version: '>= 363.0.0' + - name: List files - run: ./google-cloud-sdk/bin/gsutil ls gs://$BUCKET + run: gsutil ls gs://$BUCKET - name: End run: echo "This job's status is ${{ job.status 
}}."
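Review bot: This access test authenticates as `PROD_SERVICE_ACCOUNT`, the same identity main.yml uses for `gsutil -m rsync ... -d` against the production bucket, while the only bucket operation here is `gsutil ls gs://$BUCKET`. A separate service account with read-only access to the bucket would be enough for the test and would keep delete-capable credentials out of a workflow that does not publish, e.g. `PROD_SERVICE_ACCOUNT: ${{ secrets.<READ_ONLY_SERVICE_ACCOUNT_SECRET> }}` (placeholder name). Which roles the account actually holds is not visible in this diff.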