auth/.github/workflows/test.yaml
Seth Vargo 2f0b4dbd9b
Add support for specifying authentication via JSON service account keys (#37)
* Add support for specifying authentication via JSON service account keys

* Update README.md

Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>

* Update README.md

Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>

* Update README.md

Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>

* Review feedback

* Undo interface

* Use TokenCreator instead

Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>
2021-11-08 17:13:59 -05:00


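# CI for the auth action: unit tests plus two integration jobs that run the
# action from this checkout ('./') against Google Cloud, once with a service
# account key JSON and once with Workload Identity Federation.
name: 'test'

on:
  push:
    branches:
      - 'main'
  pull_request:
    branches:
      - 'main'

# Least privilege for the GITHUB_TOKEN: no job below visibly needs more than
# read access to the repository contents. A job that declares its own
# `permissions` replaces this default entirely.
permissions:
  contents: 'read'

jobs:
  unit:
    name: 'unit'
    runs-on: 'ubuntu-latest'
    steps:
      - uses: 'actions/checkout@v2'

      - uses: 'actions/setup-node@v2'
        with:
          node-version: '12.x'

      - name: 'npm install'
        run: 'npm install'

      - name: 'npm lint'
        run: 'npm run lint'

      - name: 'npm test'
        run: 'npm run test'

  # Authenticates with a long-lived service account key held in the
  # GOOGLE_CREDENTIALS repository secret. GitHub does not pass repository
  # secrets to pull_request runs from forks, so this job can only succeed for
  # branches pushed to this repository.
  credentials_json:
    name: 'credentials_json'
    runs-on: '${{ matrix.os }}'
    strategy:
      fail-fast: false
      matrix:
        os:
          - 'ubuntu-latest'
          - 'windows-latest'
          - 'macos-latest'
    steps:
      - uses: 'actions/checkout@v2'

      - uses: 'actions/setup-node@v2'
        with:
          node-version: '12.x'

      - id: 'auth-default'
        name: 'auth-default'
        uses: './'
        with:
          credentials_json: '${{ secrets.GOOGLE_CREDENTIALS }}'

      # NOTE(review): `@master` is a mutable branch ref, and this step runs
      # after credentials have been made available to the job. Pin to a
      # release tag or, better, a full commit SHA.
      - id: 'setup-gcloud'
        name: 'setup-gcloud'
        uses: 'google-github-actions/setup-gcloud@master'

      # Writes the secret payload to the job log; presumably "my-secret" is a
      # non-sensitive test fixture - confirm before reusing this pattern.
      - id: 'gcloud'
        name: 'gcloud'
        shell: 'bash'
        run: |-
          gcloud secrets versions access "latest" --secret "my-secret"

      - id: 'auth-access-token'
        name: 'auth-access-token'
        uses: './'
        with:
          credentials_json: '${{ secrets.GOOGLE_CREDENTIALS }}'
          token_format: 'access_token'

      # Step outputs are handed to the script through `env` instead of being
      # expanded into the script text, so their contents cannot alter the
      # shell command and the bearer token is not part of the rendered script.
      - id: 'access-token'
        name: 'access-token'
        shell: 'bash'
        env:
          PROJECT_ID: '${{ steps.auth-access-token.outputs.project_id }}'
          ACCESS_TOKEN: '${{ steps.auth-access-token.outputs.access_token }}'
        run: |-
          curl "https://secretmanager.googleapis.com/v1/projects/${PROJECT_ID}/secrets/my-secret/versions/latest:access" \
            --silent \
            --show-error \
            --fail \
            --header "Authorization: Bearer ${ACCESS_TOKEN}"

      # No later step consumes the ID token; this only checks that the action
      # can mint one for the given audience.
      - id: 'auth-id-token'
        name: 'auth-id-token'
        uses: './'
        with:
          credentials_json: '${{ secrets.GOOGLE_CREDENTIALS }}'
          token_format: 'id_token'
          id_token_audience: 'https://secretmanager.googleapis.com/'
          id_token_include_email: true

  # Authenticates without a stored key: the job requests a GitHub OIDC token
  # and passes the workload identity provider and service account to the
  # action.
  workload_identity_federation:
    name: 'workload_identity_federation'
    runs-on: '${{ matrix.os }}'
    strategy:
      fail-fast: false
      matrix:
        os:
          - 'ubuntu-latest'
          - 'windows-latest'
          - 'macos-latest'
    # Job-level permissions drop every scope that is not listed, so the read
    # scope used by checkout is stated next to the OIDC scope.
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - uses: 'actions/checkout@v2'

      - uses: 'actions/setup-node@v2'
        with:
          node-version: '12.x'

      - id: 'auth-default'
        name: 'auth-default'
        uses: './'
        with:
          workload_identity_provider: 'projects/469401941463/locations/global/workloadIdentityPools/github-actions/providers/google-github-actions'
          service_account: 'github-secret-accessor@actions-oidc-test.iam.gserviceaccount.com'

      # NOTE(review): `@master` is a mutable branch ref and this job holds
      # `id-token: write`. Pin to a release tag or, better, a full commit SHA.
      - id: 'setup-gcloud'
        name: 'setup-gcloud'
        uses: 'google-github-actions/setup-gcloud@master'

      # Writes the secret payload to the job log; presumably "my-secret" is a
      # non-sensitive test fixture - confirm before reusing this pattern.
      - id: 'gcloud'
        name: 'gcloud'
        shell: 'bash'
        run: |-
          gcloud secrets versions access "latest" --secret "my-secret"

      - id: 'auth-access-token'
        name: 'auth-access-token'
        uses: './'
        with:
          workload_identity_provider: 'projects/469401941463/locations/global/workloadIdentityPools/github-actions/providers/google-github-actions'
          service_account: 'github-secret-accessor@actions-oidc-test.iam.gserviceaccount.com'
          token_format: 'access_token'

      # Step outputs are handed to the script through `env` instead of being
      # expanded into the script text, so their contents cannot alter the
      # shell command and the bearer token is not part of the rendered script.
      - id: 'access-token'
        name: 'access-token'
        shell: 'bash'
        env:
          PROJECT_ID: '${{ steps.auth-access-token.outputs.project_id }}'
          ACCESS_TOKEN: '${{ steps.auth-access-token.outputs.access_token }}'
        run: |-
          curl "https://secretmanager.googleapis.com/v1/projects/${PROJECT_ID}/secrets/my-secret/versions/latest:access" \
            --silent \
            --show-error \
            --fail \
            --header "Authorization: Bearer ${ACCESS_TOKEN}"

      # No later step consumes the ID token; this only checks that the action
      # can mint one for the given audience.
      - id: 'auth-id-token'
        name: 'auth-id-token'
        uses: './'
        with:
          workload_identity_provider: 'projects/469401941463/locations/global/workloadIdentityPools/github-actions/providers/google-github-actions'
          service_account: 'github-secret-accessor@actions-oidc-test.iam.gserviceaccount.com'
          token_format: 'id_token'
          id_token_audience: 'https://secretmanager.googleapis.com/'
          id_token_include_email: true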