diff --git a/.github/workflows/test-google-auth.yml b/.github/workflows/test-google-auth.yml new file mode 100644 index 00000000..a4a5771b --- /dev/null +++ b/.github/workflows/test-google-auth.yml @@ -0,0 +1,34 @@ +name: test-google-auth + +on: + pull_request: + branches: + - main + paths: + - '.github/workflows/test-google-auth.yml' + - 'google/auth/**' + push: + branches: + - main + paths: + - '.github/workflows/test-google-auth.yml' + - 'google/auth/**' + +permissions: + contents: read + +jobs: + test-google-auth: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: ./google/auth + id: google-auth + continue-on-error: true + with: + repository: elastic/dummy + - run: > + test + "projects/8560181848/locations/global/workloadIdentityPools/github/providers/repo-37af2ab116595bd21e72f6b8478" + = + "${{ steps.google-auth.outputs.workload-identity-provider }}" diff --git a/google/auth/README.md b/google/auth/README.md new file mode 100644 index 00000000..334d5c22 --- /dev/null +++ b/google/auth/README.md @@ -0,0 +1,31 @@ +# google/auth + +This is an opinionated GitHub Action to authenticate with GCP. +It generates a Workload Identity Pool Provider ID based on the repository name, which is compatible with the +GCP Workload Identity Pool Provider ID we use for Elastic Observability repositories. + +## Inputs + +| name | description | required | default | +|------------------|--------------------------------|----------|----------------------------| +| `project-number` |

The GCP project number

| `false` | `8560181848` | +| `repository` |

The repository name

| `false` | `${{ github.repository }}` | + +## Outputs + +| name | description | +|------------------------------|---------------------------------------------------------| +| `workload-identity-provider` |

The generated Workload Identity Pool Provider ID

| + +## Usage + +```yaml +jobs: + job_id: + permissions: + contents: 'read' + id-token: 'write' + steps: + - uses: 'actions/checkout@v4' # Checkout needs to happen before using this action + - uses: 'elastic/oblt-actions/google/auth@v1' +``` diff --git a/google/auth/action.yml b/google/auth/action.yml new file mode 100644 index 00000000..b0e0a4bf --- /dev/null +++ b/google/auth/action.yml @@ -0,0 +1,49 @@ +name: google/auth + +description: | + This is an opinionated GitHub Action to authenticate with GCP. + It generates a Workload Identity Pool Provider ID based on the repository name, which is compatible with the + GCP Workload Identity Pool Provider ID we use for Elastic Observability repositories. + +inputs: + project-number: + description: 'The GCP project number' + default: '8560181848' + repository: + description: 'The repository name' + default: ${{ github.repository }} + +outputs: + workload-identity-provider: + value: ${{ steps.generate-workload-identity-pool-provider-id.outputs.workload_identity_provider_id }} + description: 'The generated Workload Identity Pool Provider ID' + +runs: + using: composite + steps: + - name: Generate workloadIdentityPool provider ID + id: generate-workload-identity-pool-provider-id + run: | + import hashlib + import os + + repository = os.environ['GH_REPOSITORY'] + project_number = os.environ['PROJECT_NUMBER'] + + m = hashlib.sha256() + m.update(repository.encode('utf-8')) + hash = m.hexdigest()[:27] + id = f"projects/{project_number}/locations/global/workloadIdentityPools/github/providers/repo-{hash}" + + with open(os.environ['GITHUB_OUTPUT'], 'a') as f: + f.write(f"workload_identity_provider_id={id}") + + shell: python + env: + GH_REPOSITORY: ${{ inputs.repository }} + PROJECT_NUMBER: ${{ inputs.project-number }} + - uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 + with: + project_id: 'elastic-observability' + workload_identity_provider: ${{ steps.generate-workload-identity-pool-provider-id.outputs.workload_identity_provider_id }} + request_reason: ${{ github.workflow_ref }}