* Add google/auth action
* Add request_reason to add info in Google Cloud audit logs
* pin version
* Add tests
* Fix path
* Use python to make it cross-platform compatible
* test
* Revert "test"

  This reverts commit a5af32e.
* Prevent script injection
* Fix
* Refactor
* Update docs
* Fix heading levels
Showing 3 changed files with 114 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
name: test-google-auth | ||
|
||
on: | ||
pull_request: | ||
branches: | ||
- main | ||
paths: | ||
- '.github/workflows/test-google-auth.yml' | ||
- 'google/auth/**' | ||
push: | ||
branches: | ||
- main | ||
paths: | ||
- '.github/workflows/test-google-auth.yml' | ||
- 'google/auth/**' | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
test-google-auth: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v4 | ||
- uses: ./google/auth | ||
id: google-auth | ||
continue-on-error: true | ||
with: | ||
repository: elastic/dummy | ||
- run: > | ||
test | ||
"projects/8560181848/locations/global/workloadIdentityPools/github/providers/repo-37af2ab116595bd21e72f6b8478" | ||
= | ||
"${{ steps.google-auth.outputs.workload-identity-provider }}" |
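Review bot: `continue-on-error: true` on the `google-auth` step, combined with a workflow `permissions` block that grants only `contents: read`, means the `google-github-actions/auth` call inside the composite action cannot obtain an OIDC token here and its failure is silently ignored; the final `test ... = ...` assertion therefore only exercises the provider-ID derivation, not the token exchange. Either add `id-token: write` under `permissions` so the real authentication path is covered, or add a comment stating that this job intentionally tests only the derived `workload-identity-provider` string. It would also help to note in a comment how the expected literal `repo-37af2ab116595bd21e72f6b8478` was obtained (sha256 of `elastic/dummy`, first 27 hex characters), so the fixture can be regenerated if the scheme changes.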
@@ -0,0 +1,31 @@ | ||
# google/auth | ||
|
||
This is an opinionated GitHub Action to authenticate with GCP. | ||
It generates a Workload Identity Pool Provider ID based on the repository name, which is compatible with the | ||
GCP Workload Identity Pool Provider ID we use for Elastic Observability repositories. | ||
|
||
## Inputs | ||
|
||
| name | description | required | default | | ||
|------------------|--------------------------------|----------|----------------------------| | ||
| `project-number` | <p>The GCP project number</p> | `false` | `8560181848` | | ||
| `repository` | <p>The repository name</p> | `false` | `${{ github.repository }}` | | ||
|
||
## Outputs | ||
|
||
| name | description | | ||
|------------------------------|---------------------------------------------------------| | ||
| `workload-identity-provider` | <p>The generated Workload Identity Pool Provider ID</p> | | ||
|
||
## Usage | ||
|
||
```yaml | ||
jobs: | ||
job_id: | ||
permissions: | ||
contents: 'read' | ||
id-token: 'write' | ||
steps: | ||
- uses: 'actions/checkout@v4' # Checkout needs to happen before using this action | ||
- uses: 'elastic/oblt-actions/google/auth@v1' | ||
``` |
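Review bot: the README does not describe how the provider ID is derived (sha256 of the `repository` input, truncated to 27 hex characters, prefixed with `repo-`, under the fixed pool `github`), nor that the action passes a hard-coded `project_id` of `elastic-observability` to `google-github-actions/auth` regardless of `project-number`. Consumers have to read `action.yml` to know which provider must exist on the GCP side, so a short "How it works" paragraph covering the derivation, the fixed `project_id`, and the fact that `github.workflow_ref` is sent as `request_reason` for audit logging would make the Inputs table sufficient on its own. The usage example correctly shows `id-token: write`; stating explicitly that it is required would avoid the silent-failure mode seen in the test workflow.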
@@ -0,0 +1,49 @@ | ||
name: google/auth | ||
|
||
description: | | ||
This is an opinionated GitHub Action to authenticate with GCP. | ||
It generates a Workload Identity Pool Provider ID based on the repository name, which is compatible with the | ||
GCP Workload Identity Pool Provider ID we use for Elastic Observability repositories. | ||
inputs: | ||
project-number: | ||
description: 'The GCP project number' | ||
default: '8560181848' | ||
repository: | ||
description: 'The repository name' | ||
default: ${{ github.repository }} | ||
|
||
outputs: | ||
workload-identity-provider: | ||
value: ${{ steps.generate-workload-identity-pool-provider-id.outputs.workload_identity_provider_id }} | ||
description: 'The generated Workload Identity Pool Provider ID' | ||
|
||
runs: | ||
using: composite | ||
steps: | ||
- name: Generate workloadIdentityPool provider ID | ||
id: generate-workload-identity-pool-provider-id | ||
run: | | ||
import hashlib | ||
import os | ||
repository = os.environ['GH_REPOSITORY'] | ||
project_number = os.environ['PROJECT_NUMBER'] | ||
m = hashlib.sha256() | ||
m.update(repository.encode('utf-8')) | ||
hash = m.hexdigest()[:27] | ||
id = f"projects/{project_number}/locations/global/workloadIdentityPools/github/providers/repo-{hash}" | ||
with open(os.environ['GITHUB_OUTPUT'], 'a') as f: | ||
f.write(f"workload_identity_provider_id={id}") | ||
shell: python | ||
env: | ||
GH_REPOSITORY: ${{ inputs.repository }} | ||
PROJECT_NUMBER: ${{ inputs.project-number }} | ||
- uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 | ||
with: | ||
project_id: 'elastic-observability' | ||
workload_identity_provider: ${{ steps.generate-workload-identity-pool-provider-id.outputs.workload_identity_provider_id }} | ||
request_reason: ${{ github.workflow_ref }} |
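Review bot: the `f.write(f"workload_identity_provider_id={id}")` line appends to `GITHUB_OUTPUT` without a trailing newline; since later steps in the same job append to the same file, the next `key=value` written could land on the same line and corrupt both outputs. Use `f.write(f"workload_identity_provider_id={id}\n")`. Separately, `project_id: 'elastic-observability'` is hard-coded while `project-number` is an input, so a caller overriding `project-number` gets a provider path in one project and an auth call against another; either expose `project_id` as an input with the same default or document that `project-number` must belong to `elastic-observability`. Passing the repository name through `env` rather than interpolating `${{ inputs.repository }}` into the script body is the right call against expression injection. Minor: `hash` and `id` shadow Python builtins, and a comment explaining why the digest is truncated to 27 characters would help future maintainers.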