4848 - name : ' npm test'
4949 run : ' npm run test'
5050
51- credentials_json :
51+ defaults :
52+ run :
53+ shell : ' bash'
54+
55+
56+ #
57+ # Direct Workload Identity Federation
58+ #
59+ direct_workload_identity_federation :
5260 if : ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
53- name : ' credentials_json '
61+ name : ' direct_workload_identity_federation '
5462 runs-on : ' ${{ matrix.os }}'
5563 strategy :
5664 fail-fast : false
6068 - ' windows-latest'
6169 - ' macos-latest'
6270
71+ permissions :
72+ id-token : ' write'
73+
6374 steps :
6475 - uses : ' actions/checkout@v4'
6576
@@ -70,60 +81,109 @@ jobs:
7081 - name : ' npm build'
7182 run : ' npm ci && npm run build'
7283
84+ - uses : ' google-github-actions/setup-gcloud@main'
85+ with :
86+ version : ' >= 363.0.0'
87+
7388 - id : ' auth-default'
7489 name : ' auth-default'
7590 uses : ' ./'
7691 with :
77- credentials_json : ' ${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
78-
79- - id : ' setup-gcloud'
80- name : ' setup-gcloud'
81- uses : ' google-github-actions/setup-gcloud@main'
92+ project_id : ' ${{ vars.PROJECT_ID }}'
93+ workload_identity_provider : ' ${{ vars.WIF_PROVIDER_NAME }}'
8294
8395 - id : ' gcloud'
8496 name : ' gcloud'
85- shell : ' bash'
97+ run : |-
98+ gcloud secrets versions access "latest" --secret "${{ vars.SECRET_NAME }}"
99+
100+ id : ' oauth-federated-token'
101+ name : ' oauth-federated-token'
102+ run : |-
103+ curl https://secretmanager.googleapis.com/v1/projects/${{ steps.auth-default.outputs.project_id }}/secrets/${{ vars.SECRET_NAME }}/versions/latest:access \
104+ --silent \
105+ --show-error \
106+ --fail \
107+ --header "Authorization: Bearer ${{ steps.auth-default.outputs.auth_token }}"
108+
109+
110+ #
111+ # Workload Identity Federation through a Service Account
112+ #
113+ workload_identity_federation_through_service_account :
114+ if : ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
115+ name : ' workload_identity_federation_through_service_account'
116+ runs-on : ' ${{ matrix.os }}'
117+ strategy :
118+ fail-fast : false
119+ matrix :
120+ os :
121+ - ' ubuntu-latest'
122+ - ' windows-latest'
123+ - ' macos-latest'
124+
125+ permissions :
126+ id-token : ' write'
127+
128+ steps :
129+ - uses : ' actions/checkout@v4'
130+
131+ - uses : ' actions/setup-node@v4'
132+ with :
133+ node-version : ' 20.x'
134+
135+ - name : ' npm build'
136+ run : ' npm ci && npm run build'
137+
138+ - uses : ' google-github-actions/setup-gcloud@main'
139+ with :
140+ version : ' >= 363.0.0'
141+
142+ - id : ' auth-default'
143+ name : ' auth-default'
144+ uses : ' ./'
145+ with :
146+ workload_identity_provider : ' ${{ vars.WIF_PROVIDER_NAME }}'
147+ service_account : ' ${{ vars.SERVICE_ACCOUNT_EMAIL }}'
148+
149+ - name : ' gcloud'
86150 run : |-
87151 gcloud secrets versions access "latest" --secret "${{ vars.SECRET_NAME }}"
88152
89153id : ' auth-access-token'
90154 name : ' auth-access-token'
91155 uses : ' ./'
92156 with :
93- credentials_json : ' ${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
157+ workload_identity_provider : ' ${{ vars.WIF_PROVIDER_NAME }}'
158+ service_account : ' ${{ vars.SERVICE_ACCOUNT_EMAIL }}'
94159 token_format : ' access_token'
95160
96- - id : ' access-token'
97- name : ' access-token'
98- shell : ' bash'
161+ - id : ' oauth-token'
162+ name : ' oauth-token'
99163 run : |-
100164 curl https://secretmanager.googleapis.com/v1/projects/${{ steps.auth-access-token.outputs.project_id }}/secrets/${{ vars.SECRET_NAME }}/versions/latest:access \
101165 --silent \
102166 --show-error \
103167 --fail \
104168 --header "Authorization: Bearer ${{ steps.auth-access-token.outputs.access_token }}"
105169
106- id : ' auth- id-token'
107- name : ' auth- id-token'
170+ id : ' id-token'
171+ name : ' id-token'
108172 uses : ' ./'
109173 with :
110- credentials_json : ' ${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
174+ workload_identity_provider : ' ${{ vars.WIF_PROVIDER_NAME }}'
175+ service_account : ' ${{ vars.SERVICE_ACCOUNT_EMAIL }}'
111176 token_format : ' id_token'
112177 id_token_audience : ' https://secretmanager.googleapis.com/'
113178 id_token_include_email : true
114179
115- - id : ' auth-sa-retries'
116- name : ' auth-sa-retries'
117- uses : ' ./'
118- with :
119- retries : ' 2'
120- backoff : ' 200'
121- backoff_limit : ' 1000'
122- credentials_json : ' ${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
123180
124- workload_identity_federation :
181+ #
182+ # Service Account Key JSON
183+ #
184+ credentials_json :
125185 if : ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
126- name : ' workload_identity_federation '
186+ name : ' credentials_json '
127187 runs-on : ' ${{ matrix.os }}'
128188 strategy :
129189 fail-fast : false
@@ -133,9 +193,6 @@ jobs:
133193 - ' windows-latest'
134194 - ' macos-latest'
135195
136- permissions :
137- id-token : ' write'
138-
139196 steps :
140197 - uses : ' actions/checkout@v4'
141198
@@ -146,34 +203,29 @@ jobs:
146203 - name : ' npm build'
147204 run : ' npm ci && npm run build'
148205
206+ - uses : ' google-github-actions/setup-gcloud@main'
207+ with :
208+ version : ' >= 363.0.0'
209+
149210 - id : ' auth-default'
150211 name : ' auth-default'
151212 uses : ' ./'
152213 with :
153- workload_identity_provider : ' ${{ vars.WIF_PROVIDER_NAME }}'
154- service_account : ' ${{ vars.SERVICE_ACCOUNT_EMAIL }}'
155-
156- - id : ' setup-gcloud'
157- name : ' setup-gcloud'
158- uses : ' google-github-actions/setup-gcloud@main'
214+ credentials_json : ' ${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
159215
160- - id : ' gcloud'
161- name : ' gcloud'
162- shell : ' bash'
216+ - name : ' gcloud'
163217 run : |-
164218 gcloud secrets versions access "latest" --secret "${{ vars.SECRET_NAME }}"
165219
166220id : ' auth-access-token'
167221 name : ' auth-access-token'
168222 uses : ' ./'
169223 with :
170- workload_identity_provider : ' ${{ vars.WIF_PROVIDER_NAME }}'
171- service_account : ' ${{ vars.SERVICE_ACCOUNT_EMAIL }}'
224+ credentials_json : ' ${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
172225 token_format : ' access_token'
173226
174227 - id : ' access-token'
175228 name : ' access-token'
176- shell : ' bash'
177229 run : |-
178230 curl https://secretmanager.googleapis.com/v1/projects/${{ steps.auth-access-token.outputs.project_id }}/secrets/${{ vars.SECRET_NAME }}/versions/latest:access \
179231 --silent \
@@ -185,26 +237,26 @@ jobs:
185237 name : ' auth-id-token'
186238 uses : ' ./'
187239 with :
188- workload_identity_provider : ' ${{ vars.WIF_PROVIDER_NAME }}'
189- service_account : ' ${{ vars.SERVICE_ACCOUNT_EMAIL }}'
240+ credentials_json : ' ${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
190241 token_format : ' id_token'
191242 id_token_audience : ' https://secretmanager.googleapis.com/'
192243 id_token_include_email : true
193244
194- - id : ' auth-wif -retries'
195- name : ' auth-wif -retries'
245+ - id : ' auth-sa -retries'
246+ name : ' auth-sa -retries'
196247 uses : ' ./'
197248 with :
198249 retries : ' 2'
199250 backoff : ' 200'
200251 backoff_limit : ' 1000'
201- workload_identity_provider : ' ${{ vars.WIF_PROVIDER_NAME }}'
202- service_account : ' ${{ vars.SERVICE_ACCOUNT_EMAIL }}'
252+ credentials_json : ' ${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
203253
254+ #
204255 # This test ensures that the GOOGLE_APPLICATION_CREDENTIALS environment
205256 # variable is shared with the container and that the path of the file is on
206257 # the shared filesystem with the container and that the USER for the container
207258 # has permissions to read the file.
259+ #
208260 docker :
209261 if : ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
210262 name : ' docker'
0 commit comments