From 95388d710d723276af438399a382ab46bb2b1f3e Mon Sep 17 00:00:00 2001
From: Tsavo Knott
Date: Mon, 15 Jun 2026 16:10:37 -0400
Subject: [PATCH] ci: migrate GCP auth to keyless Workload Identity Federation
The static GCP_CREDENTIALS service-account key (github-actions@integration-server-326115) was deleted during incident remediation, breaking the GCS release/staging uploads. Switch CI to keyless WIF (OIDC) via google-github-actions/auth@v3, mirroring the builds_server #19/#20 pattern. No static key required.
- build.yaml (push-build): auth@v2 + credentials_json -> auth@v3 WIF provider + service_account; pin project on setup-gcloud@v2; add id-token/contents permissions.
- release.yaml / staging.yaml: grant id-token: write (+ contents: write) on the calling job; stop passing the now-deleted credentials_json secret.
- build.yaml: declare previously-undeclared `beta` input; drop unused `inputs.project_id` reference.
Co-authored-by: Cursor
---
 .github/workflows/build.yaml | 20 +++++++++++++-------
 .github/workflows/release.yaml | 5 +++--
 .github/workflows/staging.yaml | 5 +++--
 3 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 0e5caf30..7ede35bf 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -7,9 +7,10 @@ on:
 type: boolean
 required: true
 default: false
- secrets:
- credentials_json:
+ beta:
+ type: boolean
 required: false
+ default: false
 jobs:
 build:
@@ -97,6 +98,9 @@ jobs:
 runs-on: ubuntu-latest
 needs:
 - build
+ permissions:
+ id-token: write # required for keyless WIF (OIDC) auth to GCP
+ contents: write # required for softprops/action-gh-release
 steps:
 ### Pulling down the previously built plugins 
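Review bot: Adding a job-level `permissions:` block in the `@@ -97,6 +98,9 @@` hunk sets every scope not listed to `none` for this job, so the artifact pull that starts at `### Pulling down the previously built plugins` and every later step now run with only `id-token` and `contents`; if any of them needs another scope (for example `actions: read` when pulling artifacts from a different run), it has to be listed here rather than inherited. It is also worth a comment that `id-token: write` lets every step in the job, third-party actions included, request an OIDC token, which is why it belongs on this deploy job only and not at workflow level, e.g. `# scoped to this job: any step here can mint an OIDC token with it`. The job definition starts before the hunk and the step list continues after it.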
@@ -114,17 +118,19 @@ jobs:
 - name: List
 run: ls -la
- ### Authenticating with gcloud
- - name: Authenticate with Google cloud
- uses: google-github-actions/auth@v2
+ ### Authenticating with gcloud via keyless Workload Identity Federation (OIDC)
+ - name: Authenticate with Google Cloud
+ uses: google-github-actions/auth@v3
 with:
- credentials_json: ${{ secrets.credentials_json }}
- project_id: ${{ inputs.project_id }}
+ workload_identity_provider: projects/497784144587/locations/global/workloadIdentityPools/github-pool/providers/github-provider
+ service_account: github-actions@integration-server-326115.iam.gserviceaccount.com
 create_credentials_file: true
 ### Setting up gcloud cli
 - name: 'Set up Cloud SDK'
 uses: 'google-github-actions/setup-gcloud@v2'
+ with:
+ project_id: integration-server-326115
 ### Verifying that we are good to go with gcloud
 - name: 'Use gcloud CLI'
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index fb77384d..6f57f0b7 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -7,8 +7,9 @@ on:
 jobs:
 build:
+ permissions:
+ id-token: write # required so the reusable workflow can mint a GCP OIDC token
+ contents: write # required for GitHub release creation in the reusable workflow
 uses: ./.github/workflows/build.yaml
 with:
 deploy: true
- secrets:
- credentials_json: ${{ secrets.GCP_CREDENTIALS }}
diff --git a/.github/workflows/staging.yaml b/.github/workflows/staging.yaml
index f903493d..5b70cc87 100644
--- a/.github/workflows/staging.yaml
+++ b/.github/workflows/staging.yaml
@@ -7,8 +7,9 @@ on:
 jobs:
 build:
+ permissions:
+ id-token: write # required so the reusable workflow can mint a GCP OIDC token
+ contents: write # required for GitHub release creation in the reusable workflow
 uses: ./.github/workflows/build.yaml
 with:
 deploy: false
- secrets:
- credentials_json: ${{ secrets.GCP_CREDENTIALS }}
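Review bot: The trust boundary for this job now lives outside the file, in the attribute condition of the `github-pool/github-provider` provider named on the new `workload_identity_provider:` line, and nothing in the hunk records that; a comment above that line such as `# Which repos/refs may impersonate this SA is enforced by the provider's attribute condition in GCP, not by this file; review it together with any change to this block` would stop the next maintainer from assuming the workflow alone bounds access. Two smaller points on the same block: `create_credentials_file: true` writes the GCP credential into the runner's workspace for the remainder of the job, so the steps after this hunk should not glob the workspace into an uploaded artifact (the auth action's post step removes the file by default, as far as I recall, but only at job end); and the project number `497784144587` and project id `integration-server-326115` are now hard-coded in two places in this block, which could be a single workflow-level `env:` value if the file already has one. The enclosing job starts before this hunk and its steps continue after it.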
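Review bot: The comment on `contents: write` in the release.yaml hunk says it is needed for release creation, but the identical block in the staging.yaml hunk sits on a job that calls build.yaml with `deploy: false`, where a release presumably is not created; if so, the scope is needed there only because GitHub rejects a called workflow whose job-level `permissions:` exceed the caller's, and the comment should say that, e.g. `# must cover the job-level permissions declared in build.yaml (id-token + contents) or the reusable workflow is rejected`. Each file's `on:` trigger is outside these hunks, so I cannot tell from here which events can reach these jobs with the OIDC-capable token; that is worth confirming before merge.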