From 851f6d09b69cc85fd2baf38dd5d45194e4df7302 Mon Sep 17 00:00:00 2001 From: paoloredis Date: Thu, 10 Apr 2025 12:14:17 +0200 Subject: [PATCH 1/4] Change github actions authentication to use workload identity federation --- .github/workflows/main-staging.yml | 21 ++++++++++++--------- .github/workflows/main.yml | 21 ++++++++++++--------- .github/workflows/test_gcs_access.yml | 22 +++++++++++++--------- 3 files changed, 37 insertions(+), 27 deletions(-) diff --git a/.github/workflows/main-staging.yml b/.github/workflows/main-staging.yml index be929f0e59..665bbe36e9 100644 --- a/.github/workflows/main-staging.yml +++ b/.github/workflows/main-staging.yml @@ -10,9 +10,10 @@ jobs: HUGO_VERSION: 0.143.1 GCLOUD_VERSION: 458.0.1-linux-x86_64 BUCKET: docs-staging-learn-redis-com - BUCKET_SERVICE_ACCOUNT: ${{ secrets.BUCKET_DOCUMENTATION_SA_STAGING }} - BUCKET_SECRET: ${{ secrets.BUCKET_DOCUMENTATION_STAGING }} - GCP_PROJECT: ${{ secrets.GCP_PROJECT_STAGING }} + STAGING_PROJECT_ID: ${{ secrets.GCP_PROJECT_STAGING }} + STAGING_SERVICE_ACCOUNT: ${{ secrets.STAGING_SERVICE_ACCOUNT }} + STAGING_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.STAGING_WORKLOAD_IDENTITY_PROVIDER }} + steps: - name: Start run: echo "The name of the branch is ${{ github.ref }} on ${{ github.repository }}" 
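Review bot: The removed `BUCKET_SERVICE_ACCOUNT` and `BUCKET_SECRET` lines, together with the later hunk that drops the base64-decode step, take away every visible use of the long-lived service-account key, so this change should be paired with deleting the `BUCKET_DOCUMENTATION_STAGING` and `BUCKET_DOCUMENTATION_SA_STAGING` repository secrets and revoking that key in GCP; a key nobody references any more is also a key nobody rotates. The same applies to the `BUCKET_DOCUMENTATION_PROD` / `BUCKET_DOCUMENTATION_SA_PROD` pair removed in main.yml and test_gcs_access.yml. The new `STAGING_SERVICE_ACCOUNT` and `STAGING_WORKLOAD_IDENTITY_PROVIDER` values are resource names rather than credentials, so they could be configuration variables, e.g. `STAGING_SERVICE_ACCOUNT: ${{ vars.STAGING_SERVICE_ACCOUNT }}`, which leaves them readable in the log when the auth step fails instead of masked as `***`.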
@@ -167,12 +168,14 @@ jobs: wget -O ${{ github.workspace }}/google-cloud-cli.tar.gz "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-$GCLOUD_VERSION.tar.gz" \ && tar -xvf google-cloud-cli.tar.gz -C ${{ github.workspace }}\ && ${{ github.workspace }}/google-cloud-sdk/install.sh --quiet - - name: Prepare bucket authentication - run: echo $BUCKET_SECRET | base64 --decode > service_account.json && ls -a service_account.json - - name: Authenticate to the bucket - run: | - ./google-cloud-sdk/bin/gcloud auth activate-service-account $BUCKET_SERVICE_ACCOUNT --key-file=./service_account.json --project=$GCP_PROJECT \ - && ./google-cloud-sdk/bin/gcloud auth list + + - name: 'Google auth' + uses: 'google-github-actions/auth@v2' + with: + project_id: '${{ env.STAGING_PROJECT_ID }}' + service_account: '${{ env.STAGING_SERVICE_ACCOUNT }}' + workload_identity_provider: '${{ env.STAGING_WORKLOAD_IDENTITY_PROVIDER }}' + - name: Sync the branch to the bucket run: | if [[ "${{ github.ref_name }}" == "main" ]] diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 504f14ccb1..3adccac721 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -10,9 +10,10 @@ jobs: HUGO_VERSION: 0.143.1 GCLOUD_VERSION: 458.0.1-linux-x86_64 BUCKET: docs-prod-learn-redis-com - BUCKET_SERVICE_ACCOUNT: ${{ secrets.BUCKET_DOCUMENTATION_SA_PROD }} - BUCKET_SECRET: ${{ secrets.BUCKET_DOCUMENTATION_PROD }} - GCP_PROJECT: ${{ secrets.GCP_PROJECT_PROD }} + PROD_PROJECT_ID: ${{ secrets.GCP_PROJECT_PROD }} + PROD_SERVICE_ACCOUNT: ${{ secrets.PROD_SERVICE_ACCOUNT }} + PROD_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.PROD_WORKLOAD_IDENTITY_PROVIDER }} + steps: - name: Start run: echo "The name of the branch is ${{ github.ref }} on ${{ github.repository }}" 
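Review bot: The new `uses: 'google-github-actions/auth@v2'` step is pinned to a mutable major tag, yet it is the step that receives the job's OIDC token and exchanges it for Google Cloud credentials, so a compromised or force-moved `v2` tag would run with exactly the access this job grants; the usual hardening is a full commit-SHA pin with the version kept in a trailing comment, `uses: google-github-actions/auth@<commit-sha>  # v2.x.y`, which Dependabot can keep current. The identical steps added to main.yml and test_gcs_access.yml have the same issue. It is also worth confirming on the GCP side (not visible here) that the provider named by `STAGING_WORKLOAD_IDENTITY_PROVIDER` carries an attribute condition restricting `assertion.repository` to this repository, since without one any GitHub workflow presenting a token to that provider could impersonate the service account. The Sync step's `run:` body continues outside the hunk.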
@@ -167,12 +168,14 @@ jobs: wget -O ${{ github.workspace }}/google-cloud-cli.tar.gz "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-$GCLOUD_VERSION.tar.gz" \ && tar -xvf google-cloud-cli.tar.gz -C ${{ github.workspace }}\ && ${{ github.workspace }}/google-cloud-sdk/install.sh --quiet - - name: Prepare bucket authentication - run: echo $BUCKET_SECRET | base64 --decode > service_account.json && ls -a service_account.json - - name: Authenticate to the bucket - run: | - ./google-cloud-sdk/bin/gcloud auth activate-service-account $BUCKET_SERVICE_ACCOUNT --key-file=./service_account.json --project=$GCP_PROJECT \ - && ./google-cloud-sdk/bin/gcloud auth list + + - name: 'Google auth' + uses: 'google-github-actions/auth@v2' + with: + project_id: '${{ env.PROD_PROJECT_ID }}' + service_account: '${{ env.PROD_SERVICE_ACCOUNT }}' + workload_identity_provider: '${{ env.PROD_WORKLOAD_IDENTITY_PROVIDER }}' + - name: Sync the branch to the bucket run: | if [[ "${{ github.ref_name }}" == "main" ]] diff --git a/.github/workflows/test_gcs_access.yml b/.github/workflows/test_gcs_access.yml index feb80c3fb8..6632f66224 100644 --- a/.github/workflows/test_gcs_access.yml +++ b/.github/workflows/test_gcs_access.yml 
@@ -10,24 +10,28 @@ jobs: env: GCLOUD_VERSION: 458.0.1-linux-x86_64 BUCKET: docs-prod-learn-redis-com - BUCKET_SERVICE_ACCOUNT: ${{ secrets.BUCKET_DOCUMENTATION_SA_PROD }} - BUCKET_SECRET: ${{ secrets.BUCKET_DOCUMENTATION_PROD }} - GCP_PROJECT: ${{ secrets.GCP_PROJECT_PROD }} + PROD_PROJECT_ID: ${{ secrets.GCP_PROJECT_PROD }} + PROD_SERVICE_ACCOUNT: ${{ secrets.PROD_SERVICE_ACCOUNT }} + PROD_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.PROD_WORKLOAD_IDENTITY_PROVIDER }} + steps: - uses: actions/checkout@v4 - name: Start run: echo "The name of the branch is ${{ github.ref }} on ${{ github.repository }}" - - name: Fetch the credentails - run: echo $BUCKET_SECRET | base64 --decode > service_account.json && ls -a service_account.json + - name: Install the Google Cloud CLI run: | wget -O ${{ github.workspace }}/google-cloud-cli.tar.gz "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-$GCLOUD_VERSION.tar.gz" \ && tar -xvf google-cloud-cli.tar.gz -C ${{ github.workspace }}\ && ${{ github.workspace }}/google-cloud-sdk/install.sh --quiet - - name: Authenticate to Google Cloud - run: | - ./google-cloud-sdk/bin/gcloud auth activate-service-account $BUCKET_SERVICE_ACCOUNT --key-file=./service_account.json --project=$GCP_PROJECT \ - && ./google-cloud-sdk/bin/gcloud auth list + + - name: 'Google auth' + uses: 'google-github-actions/auth@v2' + with: + project_id: '${{ env.PROD_PROJECT_ID }}' + service_account: '${{ env.PROD_SERVICE_ACCOUNT }}' + workload_identity_provider: '${{ env.PROD_WORKLOAD_IDENTITY_PROVIDER }}' + - name: List files run: ./google-cloud-sdk/bin/gsutil ls gs://$BUCKET - name: End From bce259811a19c08ffe3b4c84ff3309bf2d85915a Mon Sep 17 00:00:00 2001 From: paoloredis Date: Thu, 10 Apr 2025 12:19:56 +0200 Subject: [PATCH 2/4] Add missing permissions --- .github/workflows/main-staging.yml | 3 +++ .github/workflows/main.yml | 3 +++ .github/workflows/test_gcs_access.yml | 3 +++ 3 files changed, 9 insertions(+) 
diff --git a/.github/workflows/main-staging.yml b/.github/workflows/main-staging.yml index 665bbe36e9..d3d82297cc 100644 --- a/.github/workflows/main-staging.yml +++ b/.github/workflows/main-staging.yml @@ -6,6 +6,9 @@ jobs: build_docs: name: Build the staging documentation site runs-on: ubuntu-latest + permissions: + contents: 'read' + id-token: 'write' env: HUGO_VERSION: 0.143.1 GCLOUD_VERSION: 458.0.1-linux-x86_64 diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 3adccac721..9d2412cfc9 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -6,6 +6,9 @@ jobs: build_docs: name: Build the production documentation site runs-on: ubuntu-latest + permissions: + contents: 'read' + id-token: 'write' env: HUGO_VERSION: 0.143.1 GCLOUD_VERSION: 458.0.1-linux-x86_64 diff --git a/.github/workflows/test_gcs_access.yml b/.github/workflows/test_gcs_access.yml index 6632f66224..62a4a48fb0 100644 --- a/.github/workflows/test_gcs_access.yml +++ b/.github/workflows/test_gcs_access.yml @@ -7,6 +7,9 @@ jobs: test_gcs: name: Test Google Cloud Storage access runs-on: ubuntu-latest + permissions: + contents: 'read' + id-token: 'write' env: GCLOUD_VERSION: 458.0.1-linux-x86_64 BUCKET: docs-prod-learn-redis-com From f36d330b14a19ca31a9c1b07b31a888425305ad8 Mon Sep 17 00:00:00 2001 From: paoloredis Date: Thu, 10 Apr 2025 12:31:38 +0200 Subject: [PATCH 3/4] Use proper action for install gcloud --- .github/workflows/main-staging.yml | 11 ++++++----- .github/workflows/main.yml | 11 ++++++----- .github/workflows/test_gcs_access.yml | 12 ++++++------ 3 files changed, 18 insertions(+), 16 deletions(-) diff --git a/.github/workflows/main-staging.yml b/.github/workflows/main-staging.yml index d3d82297cc..95b60d6258 100644 --- a/.github/workflows/main-staging.yml +++ b/.github/workflows/main-staging.yml 
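Review bot: The job-level `permissions` block granting `contents: 'read'` and `id-token: 'write'` is the minimal scope the auth step needs, but `id-token: write` lets every step in the job, including any third-party action, request an identity token for this repository, which is one more reason the actions in these jobs should be SHA-pinned rather than tag-pinned. If the workflows define other jobs (not visible in these hunks), those keep the repository's default token permissions; a top-level `permissions:` block with just `contents: read` would make this job-level grant the only elevated one. As a matter of style, the rest of these files writes plain scalars (`runs-on: ubuntu-latest`), so `contents: read` and `id-token: write` unquoted would match; the same block is added to main.yml and test_gcs_access.yml.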
@@ -166,11 +166,6 @@ jobs: run: ls "${{ github.workspace }}/examples" - name: List files to be published run: ls "${{ github.workspace }}/public" - - name: Install the Google Cloud CLI - run: | - wget -O ${{ github.workspace }}/google-cloud-cli.tar.gz "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-$GCLOUD_VERSION.tar.gz" \ - && tar -xvf google-cloud-cli.tar.gz -C ${{ github.workspace }}\ - && ${{ github.workspace }}/google-cloud-sdk/install.sh --quiet - name: 'Google auth' uses: 'google-github-actions/auth@v2' @@ -179,6 +174,12 @@ jobs: service_account: '${{ env.STAGING_SERVICE_ACCOUNT }}' workload_identity_provider: '${{ env.STAGING_WORKLOAD_IDENTITY_PROVIDER }}' + - name: 'Set up Cloud SDK' + uses: 'google-github-actions/setup-gcloud@v2' + with: + project_id: '${{ env.STAGING_PROJECT_ID }}' + version: '>= 363.0.0' + - name: Sync the branch to the bucket run: | if [[ "${{ github.ref_name }}" == "main" ]] diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 9d2412cfc9..fae3674b2c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -166,11 +166,6 @@ jobs: run: ls "${{ github.workspace }}/examples" - name: List files to be published run: ls "${{ github.workspace }}/public" - - name: Install the Google Cloud CLI - run: | - wget -O ${{ github.workspace }}/google-cloud-cli.tar.gz "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-$GCLOUD_VERSION.tar.gz" \ - && tar -xvf google-cloud-cli.tar.gz -C ${{ github.workspace }}\ - && ${{ github.workspace }}/google-cloud-sdk/install.sh --quiet - name: 'Google auth' uses: 'google-github-actions/auth@v2' 
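Review bot: The new `version: '>= 363.0.0'` constraint makes `setup-gcloud` install whatever the newest matching release is on each run, so the deploy toolchain changes underneath the workflow without any commit to review; the step being removed pinned `458.0.1`, and `version: '458.0.1'` (or `version: '${{ env.GCLOUD_VERSION }}'` once the `-linux-x86_64` suffix is trimmed from that variable) keeps the build reproducible. With the wget/tar install gone, `GCLOUD_VERSION: 458.0.1-linux-x86_64` in the job `env` is not read by anything in these hunks and should be either reused that way or dropped. The same applies to the corresponding hunks in main.yml and test_gcs_access.yml, and `google-github-actions/setup-gcloud@v2` is a mutable tag that would benefit from the same commit-SHA pin as the auth step.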
@@ -179,6 +174,12 @@ jobs: service_account: '${{ env.PROD_SERVICE_ACCOUNT }}' workload_identity_provider: '${{ env.PROD_WORKLOAD_IDENTITY_PROVIDER }}' + - name: 'Set up Cloud SDK' + uses: 'google-github-actions/setup-gcloud@v2' + with: + project_id: '${{ env.PROD_PROJECT_ID }}' + version: '>= 363.0.0' + - name: Sync the branch to the bucket run: | if [[ "${{ github.ref_name }}" == "main" ]] diff --git a/.github/workflows/test_gcs_access.yml b/.github/workflows/test_gcs_access.yml index 62a4a48fb0..7f55053d10 100644 --- a/.github/workflows/test_gcs_access.yml +++ b/.github/workflows/test_gcs_access.yml @@ -22,12 +22,6 @@ jobs: - name: Start run: echo "The name of the branch is ${{ github.ref }} on ${{ github.repository }}" - - name: Install the Google Cloud CLI - run: | - wget -O ${{ github.workspace }}/google-cloud-cli.tar.gz "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-$GCLOUD_VERSION.tar.gz" \ - && tar -xvf google-cloud-cli.tar.gz -C ${{ github.workspace }}\ - && ${{ github.workspace }}/google-cloud-sdk/install.sh --quiet - - name: 'Google auth' uses: 'google-github-actions/auth@v2' with: @@ -35,6 +29,12 @@ jobs: service_account: '${{ env.PROD_SERVICE_ACCOUNT }}' workload_identity_provider: '${{ env.PROD_WORKLOAD_IDENTITY_PROVIDER }}' + - name: 'Set up Cloud SDK' + uses: 'google-github-actions/setup-gcloud@v2' + with: + project_id: '${{ env.PROD_PROJECT_ID }}' + version: '>= 363.0.0' + - name: List files run: ./google-cloud-sdk/bin/gsutil ls gs://$BUCKET - name: End From 4884b8cca5f853a3a962c1315414bf4607f8537b Mon Sep 17 00:00:00 2001 From: paoloredis Date: Thu, 10 Apr 2025 12:35:36 +0200 Subject: [PATCH 4/4] Fix gsutil usage --- .github/workflows/main-staging.yml | 2 +- .github/workflows/main.yml | 2 +- .github/workflows/test_gcs_access.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main-staging.yml b/.github/workflows/main-staging.yml index 95b60d6258..cfa4215477 100644 
--- a/.github/workflows/main-staging.yml +++ b/.github/workflows/main-staging.yml @@ -194,7 +194,7 @@ jobs: else bucket_path=staging/${{ github.ref_name }} fi \ - && ./google-cloud-sdk/bin/gsutil -m rsync -r -c -j html -d ${{ github.workspace }}/public gs://$BUCKET/$bucket_path + && gsutil -m rsync -r -c -j html -d ${{ github.workspace }}/public gs://$BUCKET/$bucket_path versioned_builds=($(find . -type d -regex ".*[0-9-]" -maxdepth 1 | sed -E 's/^.\///')) for versioned_build in "${versioned_builds[@]}"; do diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index fae3674b2c..1da1581a04 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -194,7 +194,7 @@ jobs: else bucket_path=staging/${{ github.ref_name }} fi \ - && ./google-cloud-sdk/bin/gsutil -m rsync -r -c -j html -d ${{ github.workspace }}/public gs://$BUCKET/$bucket_path + && gsutil -m rsync -r -c -j html -d ${{ github.workspace }}/public gs://$BUCKET/$bucket_path if [[ "${{ github.ref_name }}" == "latest" ]] then diff --git a/.github/workflows/test_gcs_access.yml b/.github/workflows/test_gcs_access.yml index 7f55053d10..3a90dedb12 100644 --- a/.github/workflows/test_gcs_access.yml +++ b/.github/workflows/test_gcs_access.yml @@ -36,7 +36,7 @@ jobs: version: '>= 363.0.0' - name: List files - run: ./google-cloud-sdk/bin/gsutil ls gs://$BUCKET + run: gsutil ls gs://$BUCKET - name: End run: echo "This job's status is ${{ job.status }}."