Update gcp auth to Workload Identity (#6223)

## Motivation Enhance application security by migrating from service account key-based authentication to workload identity. This aligns with best practices for cloud-based applications. [WIF](https://cloud.google.com/iam/docs/workload-identity-federation) Co-authored-by: Matthias <[email protected]>
spacemeshos · Aug 17, 2024 · dfcb513 · dfcb513
1 parent a03ea8f
commit dfcb513
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 4 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -22,6 +22,9 @@ jobs:
             outname_sufix: "mac-arm64"
           - os: windows-2022
             outname_sufix: "win-amd64"
+    permissions:
+      contents: 'read'
+      id-token: 'write'
     steps:
       - shell: bash
         run: echo "OUTNAME=go-spacemesh-${{ github.ref_name }}-${{ matrix.outname_sufix }}" >> $GITHUB_ENV
@@ -79,7 +82,10 @@ jobs:
       - name: Setup gcloud authentication
         uses: google-github-actions/auth@v2
         with:
-          credentials_json: '${{ secrets.GCP_SA_KEY }}'
+          project_id: ${{ secrets.GCP_WI_PROJECT_ID }}
+          workload_identity_provider: ${{ secrets.GCP_WI_PROVIDER_SA }}
+          service_account: ${{ secrets.GCP_WI_SA }} 
+          token_format: access_token
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v2
         with:
@@ -126,6 +132,9 @@ jobs:
   release:
     runs-on: ubuntu-22.04
     needs: build-and-upload
+    permissions:
+      contents: 'read'
+      id-token: 'write'
     steps:
       - name: Download the artifacts
         uses: actions/download-artifact@v4
@@ -153,7 +162,10 @@ jobs:
       - name: Setup gcloud authentication
         uses: google-github-actions/auth@v2
         with:
-          credentials_json: ${{ secrets.GCP_SA_KEY }}
+          project_id: ${{ secrets.GCP_WI_PROJECT_ID }}
+          workload_identity_provider: ${{ secrets.GCP_WI_PROVIDER_SA }}
+          service_account: ${{ secrets.GCP_WI_SA }} 
+          token_format: access_token
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v2
         with:

diff --git a/.github/workflows/systest.yml b/.github/workflows/systest.yml
@@ -58,6 +58,9 @@ jobs:
     needs:
       - filter-changes
     timeout-minutes: 70
+    permissions:
+      contents: 'read'
+      id-token: 'write'
     steps:
       - uses: actions/checkout@v4
         with:
@@ -72,8 +75,10 @@ jobs:
       - name: Setup gcloud authentication
         uses: google-github-actions/auth@v2
         with:
-          # GCP_CREDENTIALS is minified JSON of service account
-          credentials_json: "${{ secrets.CI_GCP_CREDENTIALS }}"
+          project_id: ${{ secrets.GCP_WI_PROJECT_ID }}
+          workload_identity_provider: ${{ secrets.GCP_WI_PROVIDER_SA }}
+          service_account: ${{ secrets.GCP_WI_SA }} 
+          token_format: access_token
 
       - name: Configure gcloud
         uses: google-github-actions/setup-gcloud@v2