refactor: remove fake google credentials

bazel-contrib · Jan 10, 2025 · 1ee4cc9 · 1ee4cc9
1 parent d4eb8b0
commit 1ee4cc9
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 13 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -28,10 +28,6 @@ jobs:
 
   e2e:
     runs-on: ubuntu-latest
-    # Don't run e2es on PRs from forks as it requires access to secrets
-    # when using `pull_request`.
-    # See https://securitylab.github.com/research/github-actions-preventing-pwn-requests
-    if: ${{ github.event_name == 'push' || github.event.pull_request.head.repo.full_name == 'bazel-contrib/publish-to-bcr' }}
     steps:
       - uses: actions/checkout@v4
       - uses: pnpm/action-setup@v4
@@ -42,14 +38,5 @@ jobs:
         with:
           node-version: 20
           cache: pnpm
-      # Setup gcloud application default credentials. While the credentials are not actually
-      # used because Google api services are stubbed, instantiating any of the Google node
-      # clients requires the credentials file to exist and be valid.
-      - uses: "google-github-actions/auth@v2"
-        with:
-          credentials_json: "${{ secrets.GCP_CREDENTIALS }}"
-      - uses: google-github-actions/setup-gcloud@v2
-        with:
-          version: ">= 363.0.0"
       - run: pnpm install --frozen-lockfile
       - run: pnpm run e2e
diff --git a/package.json b/package.json
@@ -35,6 +35,7 @@
     "exponential-backoff": "3.1.1",
     "extract-zip": "^2.0.1",
     "gcp-metadata": "^6.0.0",
+    "google-auth-library": "^9.15.0",
     "nodemailer": "^6.7.8",
     "reflect-metadata": "^0.2.2",
     "rxjs": "7.8.1",

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/src/infrastructure/secrets.ts b/src/infrastructure/secrets.ts
@@ -1,6 +1,7 @@
 import { SecretManagerServiceClient } from "@google-cloud/secret-manager";
 import { Injectable } from "@nestjs/common";
 import gcpMetadata from "gcp-metadata";
+import type { JSONClient } from "google-auth-library/build/src/auth/googleauth";
 
 @Injectable()
 export class SecretsClient {
@@ -15,6 +16,14 @@ export class SecretsClient {
         fallback: "rest",
         protocol: "http",
         port: Number(process.env.SECRET_MANAGER_PORT),
+        // Create a fake auth client to bypass checking for default credentials
+        authClient: {
+          getRequestHeaders(
+            url?: string
+          ): Promise<{ [index: string]: string }> {
+            return Promise.resolve({});
+          },
+        } as JSONClient,
       });
     } else {
       this.googleSecretsClient = new SecretManagerServiceClient();