Add google/auth action (#3)
* Add google/auth action

* Add request_reason to add info in Google Cloud audit logs

* pin version

* Add tests

* Fix path

* Use Python to make it cross-platform compatible

* test

* Revert "test"

This reverts commit a5af32e.

* Prevent script injection

* Fix

* Refactor

* Update docs

* Fix heading levels
reakaleek authored May 22, 2024
1 parent c1465c1 commit c38f68f
Showing 3 changed files with 114 additions and 0 deletions.
34 changes: 34 additions & 0 deletions .github/workflows/test-google-auth.yml
@@ -0,0 +1,34 @@
name: test-google-auth

on:
pull_request:
branches:
- main
paths:
- '.github/workflows/test-google-auth.yml'
- 'google/auth/**'
push:
branches:
- main
paths:
- '.github/workflows/test-google-auth.yml'
- 'google/auth/**'

permissions:
contents: read

jobs:
test-google-auth:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: ./google/auth
id: google-auth
continue-on-error: true
with:
repository: elastic/dummy
- run: >
test
"projects/8560181848/locations/global/workloadIdentityPools/github/providers/repo-37af2ab116595bd21e72f6b8478"
=
"${{ steps.google-auth.outputs.workload-identity-provider }}"
31 changes: 31 additions & 0 deletions google/auth/README.md
@@ -0,0 +1,31 @@
# google/auth

This is an opinionated GitHub Action to authenticate with GCP.
It generates a Workload Identity Pool Provider ID based on the repository name, which is compatible with the
GCP Workload Identity Pool Provider ID we use for Elastic Observability repositories.

## Inputs

| name | description | required | default |
|------------------|--------------------------------|----------|----------------------------|
| `project-number` | <p>The GCP project number</p> | `false` | `8560181848` |
| `repository` | <p>The repository name</p> | `false` | `${{ github.repository }}` |

## Outputs

| name | description |
|------------------------------|---------------------------------------------------------|
| `workload-identity-provider` | <p>The generated Workload Identity Pool Provider ID</p> |

## Usage

```yaml
jobs:
job_id:
permissions:
contents: 'read'
id-token: 'write'
steps:
- uses: 'actions/checkout@v4' # Checkout needs to happen before using this action
- uses: 'elastic/oblt-actions/google/auth@v1'
```
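Review bot: the README does not mention that the action passes a fixed `project_id` of `elastic-observability` to `google-github-actions/auth` and offers no input to change it, so overriding `project-number` alone does not point the action at a different project; document that coupling next to the `project-number` row. The Usage block also never shows the output being consumed; giving the step an `id` and adding a consumer such as `- run: echo "${{ steps.auth.outputs.workload-identity-provider }}"` would make the Outputs table concrete, and a sentence noting that `request_reason` is set to `github.workflow_ref` so the calling workflow shows up in Google Cloud audit logs would document the behaviour the commit message advertises.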
49 changes: 49 additions & 0 deletions google/auth/action.yml
@@ -0,0 +1,49 @@
name: google/auth

description: |
This is an opinionated GitHub Action to authenticate with GCP.
It generates a Workload Identity Pool Provider ID based on the repository name, which is compatible with the
GCP Workload Identity Pool Provider ID we use for Elastic Observability repositories.
inputs:
project-number:
description: 'The GCP project number'
default: '8560181848'
repository:
description: 'The repository name'
default: ${{ github.repository }}

outputs:
workload-identity-provider:
value: ${{ steps.generate-workload-identity-pool-provider-id.outputs.workload_identity_provider_id }}
description: 'The generated Workload Identity Pool Provider ID'

runs:
using: composite
steps:
- name: Generate workloadIdentityPool provider ID
id: generate-workload-identity-pool-provider-id
run: |
import hashlib
import os
repository = os.environ['GH_REPOSITORY']
project_number = os.environ['PROJECT_NUMBER']
m = hashlib.sha256()
m.update(repository.encode('utf-8'))
hash = m.hexdigest()[:27]
id = f"projects/{project_number}/locations/global/workloadIdentityPools/github/providers/repo-{hash}"
with open(os.environ['GITHUB_OUTPUT'], 'a') as f:
f.write(f"workload_identity_provider_id={id}")
shell: python
env:
GH_REPOSITORY: ${{ inputs.repository }}
PROJECT_NUMBER: ${{ inputs.project-number }}
- uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
with:
project_id: 'elastic-observability'
workload_identity_provider: ${{ steps.generate-workload-identity-pool-provider-id.outputs.workload_identity_provider_id }}
request_reason: ${{ github.workflow_ref }}
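Review bot: `project_id: 'elastic-observability'` is hardcoded while `project-number` is an input, so a caller who overrides `project-number` ends up with a provider path in one project and a `project_id` in another; either expose a `project-id` input alongside `project-number` or document that only the default pairing is supported. In the Python step, `hash` and `id` shadow builtins (`digest` and `provider_id` read better), the write to `GITHUB_OUTPUT` has no trailing newline (harmless for a single write, but anything else appended to the same file would land on the same line), and the magic `[:27]` deserves a comment: `repo-` plus 27 hex characters is exactly 32 characters, the maximum length of a workload identity pool provider ID. Worth noting in a comment as well that the hash is computed over the exact `inputs.repository` string, so the provider must have been created from the same casing of `owner/repo`. Passing the inputs through `env` instead of interpolating `${{ }}` into the script body is the right way to close the script-injection issue the commit message mentions.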

0 comments on commit c38f68f
