feat: allow opt-out of exporting environment variables (#157)

This allows users to opt-out of exporting environment variables. This might be helpful if they **don't** want future steps to be authenticated, or if the exported environment variables conflict with other values.
Seth Vargo 2022-03-24 17:02:18 -04:00 committed by GitHub
parent 38d3c2f54d
commit d16fd896f7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 84 additions and 15 deletions


@ -44,7 +44,7 @@ and permissions on Google Cloud.
# Ignore generated credentials from google-github-actions/auth # Ignore generated credentials from google-github-actions/auth
gha-creds-*.json gha-creds-*.json
``` ```
- This action runs using Node 16. If you are using self-hosted GitHub Actions - This action runs using Node 16. If you are using self-hosted GitHub Actions
runners, you must use runner version [2.285.0](https://github.com/actions/virtual-environments) runners, you must use runner version [2.285.0](https://github.com/actions/virtual-environments)
or newer. or newer.
@ -209,6 +209,27 @@ regardless of the authentication mechanism.
- uses: 'google-github-actions/auth@v0' - uses: 'google-github-actions/auth@v0'
``` ```
- `export_environment_variables`: (Optional) If true, the action will export
common environment variables which are known to be consumed by popular
downstream libraries and tools, including:
- `CLOUDSDK_PROJECT`
- `CLOUDSDK_CORE_PROJECT`
- `GCP_PROJECT`
- `GCLOUD_PROJECT`
- `GOOGLE_CLOUD_PROJECT`
If "create_credentials_file" is true, additional environment variables are
exported:
- `CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE`
- `GOOGLE_APPLICATION_CREDENTIALS`
- `GOOGLE_GHA_CREDS_PATH`
If false, the action will not export any environment variables, meaning
future steps are unlikely to be automatically authenticated to Google Cloud.
The default value is true.
- `delegates`: (Optional) List of additional service account emails or unique - `delegates`: (Optional) List of additional service account emails or unique
identities to use for impersonation in the chain. By default there are no identities to use for impersonation in the chain. By default there are no
delegates. delegates.


@ -58,6 +58,29 @@ inputs:
used for authentication via gcloud and Google Cloud SDKs. used for authentication via gcloud and Google Cloud SDKs.
default: true default: true
required: false required: false
export_environment_variables:
description: |-
If true, the action will export common environment variables which are
known to be consumed by popular downstream libraries and tools, including:
- CLOUDSDK_PROJECT
- CLOUDSDK_CORE_PROJECT
- GCP_PROJECT
- GCLOUD_PROJECT
- GOOGLE_CLOUD_PROJECT
If "create_credentials_file" is true, additional environment variables are
exported:
- CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE
- GOOGLE_APPLICATION_CREDENTIALS
- GOOGLE_GHA_CREDS_PATH
If false, the action will not export any environment variables, meaning
future steps are unlikely to be automatically authenticated to Google
Cloud.
default: true
required: false
token_format: token_format:
description: |- description: |-
Output format for the generated authentication token. For OAuth 2.0 access Output format for the generated authentication token. For OAuth 2.0 access

dist/main/index.js vendored



@ -59,6 +59,7 @@ async function run(): Promise<void> {
getInput('audience') || `https://iam.googleapis.com/${workloadIdentityProvider}`; getInput('audience') || `https://iam.googleapis.com/${workloadIdentityProvider}`;
const credentialsJSON = getInput('credentials_json'); const credentialsJSON = getInput('credentials_json');
const createCredentialsFile = getBooleanInput('create_credentials_file'); const createCredentialsFile = getBooleanInput('create_credentials_file');
const exportEnvironmentVariables = getBooleanInput('export_environment_variables');
const tokenFormat = getInput('token_format'); const tokenFormat = getInput('token_format');
const delegates = parseCSV(getInput('delegates')); const delegates = parseCSV(getInput('delegates'));
@ -163,26 +164,32 @@ async function run(): Promise<void> {
// Output to be available to future steps. // Output to be available to future steps.
setOutput('credentials_file_path', credentialsPath); setOutput('credentials_file_path', credentialsPath);
// CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE is picked up by gcloud to use if (exportEnvironmentVariables) {
// a specific credential file (subject to change and equivalent to auth/credential_file_override) // CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE is picked up by gcloud to
exportVariable('CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE', credentialsPath); // use a specific credential file (subject to change and equivalent to
// auth/credential_file_override).
exportVariableAndWarn('CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE', credentialsPath);
// GOOGLE_APPLICATION_CREDENTIALS is used by Application Default Credentials // GOOGLE_APPLICATION_CREDENTIALS is used by Application Default
// in all GCP client libraries // Credentials in all GCP client libraries.
exportVariable('GOOGLE_APPLICATION_CREDENTIALS', credentialsPath); exportVariableAndWarn('GOOGLE_APPLICATION_CREDENTIALS', credentialsPath);
// GOOGLE_GHA_CREDS_PATH is used by other Google GitHub Actions // GOOGLE_GHA_CREDS_PATH is used by other Google GitHub Actions.
exportVariable('GOOGLE_GHA_CREDS_PATH', credentialsPath); exportVariableAndWarn('GOOGLE_GHA_CREDS_PATH', credentialsPath);
}
} }
// Set the project ID environment variables to the computed values. // Set the project ID environment variables to the computed values.
const computedProjectID = await client.getProjectID(); const computedProjectID = await client.getProjectID();
setOutput('project_id', computedProjectID); setOutput('project_id', computedProjectID);
exportVariable('CLOUDSDK_PROJECT', computedProjectID);
exportVariable('CLOUDSDK_CORE_PROJECT', computedProjectID); if (exportEnvironmentVariables) {
exportVariable('GCP_PROJECT', computedProjectID); exportVariableAndWarn('CLOUDSDK_CORE_PROJECT', computedProjectID);
exportVariable('GCLOUD_PROJECT', computedProjectID); exportVariableAndWarn('CLOUDSDK_PROJECT', computedProjectID);
exportVariable('GOOGLE_CLOUD_PROJECT', computedProjectID); exportVariableAndWarn('GCLOUD_PROJECT', computedProjectID);
exportVariableAndWarn('GCP_PROJECT', computedProjectID);
exportVariableAndWarn('GOOGLE_CLOUD_PROJECT', computedProjectID);
}
switch (tokenFormat) { switch (tokenFormat) {
case '': { case '': {
@ -261,4 +268,22 @@ async function run(): Promise<void> {
} }
} }
/**
* exportVariableAndWarn exports the given key as an environment variable set to
* the provided value. If a value already exists, it is overwritten and an
* warning is emitted.
*
* @param key Environment variable key.
* @param value Environment variable value.
*/
function exportVariableAndWarn(key: string, value: string) {
const existing = process.env[key];
if (existing) {
const old = JSON.stringify(existing);
logWarning(`Overwriting existing environment variable ${key} (was: ${old})`);
}
exportVariable(key, value);
}
run(); run();
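Review bot: The new `exportVariableAndWarn` helper at the end of this section writes the previous value of the variable into the workflow log through the `(was: ${old})` suffix; for the keys this commit passes (credential file paths and project IDs) that is low-sensitivity, but the helper is generic, and any future caller that routes a token or other secret through it would disclose the prior value in the run log, which GitHub masks only for registered secrets. Logging the key alone is enough for a user to act on, so I would drop the `(was: ${old})` suffix and the `const old = JSON.stringify(existing);` line. Separately, the `if (existing)` truthiness check means a pre-existing but empty value (`KEY=`) is overwritten without any warning; `if (existing !== undefined)` would report that case as well. The function's TSDoc could also state that the overwrite is unconditional and that only the variable name is logged, so the contract is explicit for later callers.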