Switch to pull non-secret values from env (#288)

Seth Vargo 2023-03-24 16:43:00 -04:00 committed by GitHub
parent f8751d9c29
commit 430ae13d31
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -70,7 +70,7 @@ jobs:
name: 'gcloud' name: 'gcloud'
shell: 'bash' shell: 'bash'
run: |- run: |-
gcloud secrets versions access "latest" --secret "${{ secrets.SECRET_NAME }}" gcloud secrets versions access "latest" --secret "${{ vars.SECRET_NAME }}"
- id: 'auth-access-token' - id: 'auth-access-token'
name: 'auth-access-token' name: 'auth-access-token'
@ -83,7 +83,7 @@ jobs:
name: 'access-token' name: 'access-token'
shell: 'bash' shell: 'bash'
run: |- run: |-
curl https://secretmanager.googleapis.com/v1/projects/${{ steps.auth-access-token.outputs.project_id }}/secrets/${{ secrets.SECRET_NAME }}/versions/latest:access \ curl https://secretmanager.googleapis.com/v1/projects/${{ steps.auth-access-token.outputs.project_id }}/secrets/${{ vars.SECRET_NAME }}/versions/latest:access \
--silent \ --silent \
--show-error \ --show-error \
--fail \ --fail \
@ -136,8 +136,8 @@ jobs:
name: 'auth-default' name: 'auth-default'
uses: './' uses: './'
with: with:
workload_identity_provider: '${{ secrets.WIF_PROVIDER_NAME }}' workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
service_account: '${{ secrets.SERVICE_ACCOUNT_EMAIL }}' service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
- id: 'setup-gcloud' - id: 'setup-gcloud'
name: 'setup-gcloud' name: 'setup-gcloud'
@ -147,21 +147,21 @@ jobs:
name: 'gcloud' name: 'gcloud'
shell: 'bash' shell: 'bash'
run: |- run: |-
gcloud secrets versions access "latest" --secret "${{ secrets.SECRET_NAME }}" gcloud secrets versions access "latest" --secret "${{ vars.SECRET_NAME }}"
- id: 'auth-access-token' - id: 'auth-access-token'
name: 'auth-access-token' name: 'auth-access-token'
uses: './' uses: './'
with: with:
workload_identity_provider: '${{ secrets.WIF_PROVIDER_NAME }}' workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
service_account: '${{ secrets.SERVICE_ACCOUNT_EMAIL }}' service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
token_format: 'access_token' token_format: 'access_token'
- id: 'access-token' - id: 'access-token'
name: 'access-token' name: 'access-token'
shell: 'bash' shell: 'bash'
run: |- run: |-
curl https://secretmanager.googleapis.com/v1/projects/${{ steps.auth-access-token.outputs.project_id }}/secrets/${{ secrets.SECRET_NAME }}/versions/latest:access \ curl https://secretmanager.googleapis.com/v1/projects/${{ steps.auth-access-token.outputs.project_id }}/secrets/${{ vars.SECRET_NAME }}/versions/latest:access \
--silent \ --silent \
--show-error \ --show-error \
--fail \ --fail \
@ -171,8 +171,8 @@ jobs:
name: 'auth-id-token' name: 'auth-id-token'
uses: './' uses: './'
with: with:
workload_identity_provider: '${{ secrets.WIF_PROVIDER_NAME }}' workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
service_account: '${{ secrets.SERVICE_ACCOUNT_EMAIL }}' service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
token_format: 'id_token' token_format: 'id_token'
id_token_audience: 'https://secretmanager.googleapis.com/' id_token_audience: 'https://secretmanager.googleapis.com/'
id_token_include_email: true id_token_include_email: true
@ -184,8 +184,8 @@ jobs:
retries: '2' retries: '2'
backoff: '200' backoff: '200'
backoff_limit: '1000' backoff_limit: '1000'
workload_identity_provider: '${{ secrets.WIF_PROVIDER_NAME }}' workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
service_account: '${{ secrets.SERVICE_ACCOUNT_EMAIL }}' service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
# This test ensures that the GOOGLE_APPLICATION_CREDENTIALS environment # This test ensures that the GOOGLE_APPLICATION_CREDENTIALS environment
# variable is shared with the container and that the path of the file is on # variable is shared with the container and that the path of the file is on
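Review bot: The `run:` scripts of the 'gcloud' and 'access-token' steps (both occurrences of each) still paste `${{ vars.SECRET_NAME }}` straight into the bash text, so the workflow engine expands the value before the shell parses it and any quote, space or substitution character in the variable becomes shell syntax. Configuration variables are not masked in logs and can be changed by anyone allowed to manage repository or organization variables, so it is safer to pass the value through the step's environment: add `env:` with `SECRET_NAME: '${{ vars.SECRET_NAME }}'` and use `--secret "${SECRET_NAME}"` in the script. The curl URL deserves the same treatment, plus double quotes around the whole URL, since it is currently unquoted and also embeds `steps.auth-access-token.outputs.project_id`. These steps begin outside the visible hunks, so check that no `env:` block already exists above the lines shown.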