203 lines
5.4 KiB
YAML
203 lines
5.4 KiB
YAML
name: 'test'
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- 'main'
|
|
pull_request:
|
|
branches:
|
|
- 'main'
|
|
workflow_dispatch:
|
|
|
|
concurrency:
|
|
group: '${{ github.workflow }}-${{ github.head_ref || github.ref }}'
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
unit:
|
|
name: 'unit'
|
|
runs-on: 'ubuntu-latest'
|
|
|
|
steps:
|
|
- uses: 'actions/checkout@v3'
|
|
|
|
- uses: 'actions/setup-node@v2'
|
|
with:
|
|
node-version: '16.x'
|
|
|
|
- name: 'npm build'
|
|
run: 'npm ci && npm run build'
|
|
|
|
- name: 'npm lint'
|
|
run: 'npm run lint'
|
|
|
|
- name: 'npm test'
|
|
run: 'npm run test'
|
|
|
|
|
|
credentials_json:
|
|
if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
|
|
name: 'credentials_json'
|
|
runs-on: '${{ matrix.os }}'
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
os:
|
|
- 'ubuntu-latest'
|
|
- 'windows-latest'
|
|
- 'macos-latest'
|
|
|
|
steps:
|
|
- uses: 'actions/checkout@v3'
|
|
|
|
- uses: 'actions/setup-node@v2'
|
|
with:
|
|
node-version: '16.x'
|
|
|
|
- name: 'npm build'
|
|
run: 'npm ci && npm run build'
|
|
|
|
- id: 'auth-default'
|
|
name: 'auth-default'
|
|
uses: './'
|
|
with:
|
|
credentials_json: '${{ secrets.AUTH_SA_KEY_JSON }}'
|
|
|
|
- id: 'setup-gcloud'
|
|
name: 'setup-gcloud'
|
|
uses: 'google-github-actions/setup-gcloud@main'
|
|
|
|
- id: 'gcloud'
|
|
name: 'gcloud'
|
|
shell: 'bash'
|
|
run: |-
|
|
gcloud secrets versions access "latest" --secret "${{ secrets.OIDC_AUTH_TEST_SECRET_NAME }}"
|
|
|
|
- id: 'auth-access-token'
|
|
name: 'auth-access-token'
|
|
uses: './'
|
|
with:
|
|
credentials_json: '${{ secrets.AUTH_SA_KEY_B64 }}'
|
|
token_format: 'access_token'
|
|
|
|
- id: 'access-token'
|
|
name: 'access-token'
|
|
shell: 'bash'
|
|
run: |-
|
|
curl https://secretmanager.googleapis.com/v1/projects/${{ steps.auth-access-token.outputs.project_id }}/secrets/${{ secrets.OIDC_AUTH_TEST_SECRET_NAME }}/versions/latest:access \
|
|
--silent \
|
|
--show-error \
|
|
--fail \
|
|
--header "Authorization: Bearer ${{ steps.auth-access-token.outputs.access_token }}"
|
|
|
|
- id: 'auth-id-token'
|
|
name: 'auth-id-token'
|
|
uses: './'
|
|
with:
|
|
credentials_json: '${{ secrets.AUTH_SA_KEY_JSON }}'
|
|
token_format: 'id_token'
|
|
id_token_audience: 'https://secretmanager.googleapis.com/'
|
|
id_token_include_email: true
|
|
|
|
|
|
workload_identity_federation:
|
|
if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
|
|
name: 'workload_identity_federation'
|
|
runs-on: '${{ matrix.os }}'
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
os:
|
|
- 'ubuntu-latest'
|
|
- 'windows-latest'
|
|
- 'macos-latest'
|
|
|
|
permissions:
|
|
id-token: 'write'
|
|
|
|
steps:
|
|
- uses: 'actions/checkout@v3'
|
|
|
|
- uses: 'actions/setup-node@v2'
|
|
with:
|
|
node-version: '16.x'
|
|
|
|
- name: 'npm build'
|
|
run: 'npm ci && npm run build'
|
|
|
|
- id: 'auth-default'
|
|
name: 'auth-default'
|
|
uses: './'
|
|
with:
|
|
workload_identity_provider: '${{ secrets.WIF_PROVIDER_NAME }}'
|
|
service_account: '${{ secrets.OIDC_AUTH_SA_EMAIL }}'
|
|
|
|
- id: 'setup-gcloud'
|
|
name: 'setup-gcloud'
|
|
uses: 'google-github-actions/setup-gcloud@main'
|
|
|
|
- id: 'gcloud'
|
|
name: 'gcloud'
|
|
shell: 'bash'
|
|
run: |-
|
|
gcloud secrets versions access "latest" --secret "${{ secrets.OIDC_AUTH_TEST_SECRET_NAME }}"
|
|
|
|
- id: 'auth-access-token'
|
|
name: 'auth-access-token'
|
|
uses: './'
|
|
with:
|
|
workload_identity_provider: '${{ secrets.WIF_PROVIDER_NAME }}'
|
|
service_account: '${{ secrets.OIDC_AUTH_SA_EMAIL }}'
|
|
token_format: 'access_token'
|
|
|
|
- id: 'access-token'
|
|
name: 'access-token'
|
|
shell: 'bash'
|
|
run: |-
|
|
curl https://secretmanager.googleapis.com/v1/projects/${{ steps.auth-access-token.outputs.project_id }}/secrets/${{ secrets.OIDC_AUTH_TEST_SECRET_NAME }}/versions/latest:access \
|
|
--silent \
|
|
--show-error \
|
|
--fail \
|
|
--header "Authorization: Bearer ${{ steps.auth-access-token.outputs.access_token }}"
|
|
|
|
- id: 'auth-id-token'
|
|
name: 'auth-id-token'
|
|
uses: './'
|
|
with:
|
|
workload_identity_provider: '${{ secrets.WIF_PROVIDER_NAME }}'
|
|
service_account: '${{ secrets.OIDC_AUTH_SA_EMAIL }}'
|
|
token_format: 'id_token'
|
|
id_token_audience: 'https://secretmanager.googleapis.com/'
|
|
id_token_include_email: true
|
|
|
|
# This test ensures that the GOOGLE_APPLICATION_CREDENTIALS environment
|
|
# variable is shared with the container and that the path of the file is on
|
|
# the shared filesystem with the container and that the USER for the container
|
|
# has permissions to read the file.
|
|
docker:
|
|
if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
|
|
name: 'docker'
|
|
runs-on: 'ubuntu-latest'
|
|
strategy:
|
|
fail-fast: false
|
|
steps:
|
|
- uses: 'actions/checkout@v3'
|
|
|
|
- uses: 'actions/setup-node@v2'
|
|
with:
|
|
node-version: '16.x'
|
|
|
|
- name: 'npm build'
|
|
run: 'npm ci && npm run build'
|
|
|
|
- name: 'auth-default'
|
|
uses: './'
|
|
with:
|
|
credentials_json: '${{ secrets.AUTH_SA_KEY_JSON }}'
|
|
|
|
- name: 'docker'
|
|
uses: 'docker://alpine:3'
|
|
with:
|
|
entrypoint: '/bin/sh'
|
|
args: '-euc "test -n "${GOOGLE_APPLICATION_CREDENTIALS}" && test -r "${GOOGLE_APPLICATION_CREDENTIALS}"'
|