use workload identity provider instead of service account

talmolab · Nov 19, 2024 · a990f77 · a990f77
1 parent 311c63a
commit a990f77
Showing 1 changed file with 12 additions and 10 deletions.
diff --git a/.github/workflows/build-and-test-pip.yml b/.github/workflows/build-and-test-pip.yml
@@ -2,22 +2,27 @@ name: Build and Test
 
 on:
   pull_request:
-      types: [opened, synchronize, reopened]
-
+    types: [opened, synchronize, reopened]
 
 jobs:
   build:
     runs-on: ubuntu-latest
 
+    permissions:
+      id-token: write
+      contents: read
+
     steps:
     - name: Checkout code
       uses: actions/checkout@v4
 
-    - name: Set up Google Cloud credentials
-      env:
-        GOOGLE_APPLICATION_CREDENTIALS: ${{ runner.temp }}/gcloud-key.json
+    - name: Authenticate to Google Cloud
+      id: auth
       run: |
-        echo "${{ secrets.GOOGLE_APPLICATION_CREDENTIALS_JSON }}" > $GOOGLE_APPLICATION_CREDENTIALS
+        gcloud auth login --brief
+      env:
+        GCP_WORKLOAD_IDENTITY_PROVIDER: projects/${{ secrets.GCP_PROJECT_ID }}/locations/global/workloadIdentityPools/${{ secrets.GCP_POOL_ID }}/providers/${{ secrets.GCP_PROVIDER_ID }}
+        GCP_SERVICE_ACCOUNT: ${{ secrets.GCP_SERVICE_ACCOUNT_EMAIL }}
 
     - name: Set up Python
       uses: actions/setup-python@v5
@@ -40,7 +45,4 @@ jobs:
 
     - name: Run tests
       run: |
-        pytest tests/
-
-    - name: Clean up credentials
-      run: rm -f $GOOGLE_APPLICATION_CREDENTIALS
+        pytest tests/