From ba0cee56484977d7d95b43cd8925fb15e99cf295 Mon Sep 17 00:00:00 2001
From: Phillip Cloud <417981+cpcloud@users.noreply.github.com>
Date: Mon, 21 Oct 2024 09:48:57 -0400
Subject: [PATCH] ci(google-auth): use workload identity federation instead of json
---
 .github/workflows/ci-data.yml | 2 +-
 .github/workflows/ibis-backends-cloud.yml | 14 ++++++++------
 .github/workflows/ibis-benchmarks.yml | 2 +-
 3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/ci-data.yml b/.github/workflows/ci-data.yml
index 1af8e145b7f3..053f1fa0b9cd 100644
--- a/.github/workflows/ci-data.yml
+++ b/.github/workflows/ci-data.yml
@@ -42,7 +42,7 @@ jobs:
 - uses: google-github-actions/auth@v2
 with:
- credentials_json: ${{ secrets.GCP_CREDENTIALS }}
+ workload_identity_provider: "${{ secrets.WIF_PROVIDER_NAME }}"
 - uses: google-github-actions/setup-gcloud@v2
diff --git a/.github/workflows/ibis-backends-cloud.yml b/.github/workflows/ibis-backends-cloud.yml
index 40eab1c9bde8..1269b594ae34 100644
--- a/.github/workflows/ibis-backends-cloud.yml
+++ b/.github/workflows/ibis-backends-cloud.yml
@@ -15,11 +15,6 @@ on:
 types:
 - labeled
-permissions:
- # this allows extractions/setup-just to list releases for `just` at a higher
- # rate limit while restricting GITHUB_TOKEN permissions elsewhere
- contents: read
-
 env:
 FORCE_COLOR: "1"
 SQLALCHEMY_WARN_20: "1"
@@ -75,6 +70,13 @@ jobs:
 key: snowpark
 extras:
 - snowflake
+ # this allows extractions/setup-just to list releases for `just` at a higher
+ # rate limit while restricting GITHUB_TOKEN permissions elsewhere
+ permissions:
+ contents: "read"
+ # required for GCP workload identity federation
+ id-token: "write"
+
 steps:
 - name: checkout
 uses: actions/checkout@v4
@@ -125,7 +127,7 @@ jobs:
 - uses: google-github-actions/auth@v2
 with:
- credentials_json: ${{ secrets.GCP_CREDENTIALS }}
+ workload_identity_provider: "${{ secrets.WIF_PROVIDER_NAME }}"
 - name: setup snowflake credentials
 if: matrix.backend.name == 'snowflake'
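Review bot: The ci-data.yml hunk swaps the `with:` input to `workload_identity_provider` but adds no `id-token: write` permission, which the job needs before it can request the OIDC token that federation exchanges. The matching hunk in ibis-benchmarks.yml has the same gap, while ibis-backends-cloud.yml gets the permission in this commit. Neither file's `permissions:` section is inside its hunk, so they may already grant it; if not, the job needs `permissions:` with `contents: "read"` and `id-token: "write"`. Only `workload_identity_provider` is passed and no `service_account`, so access is presumably bounded by the IAM bindings on the federated principal itself, which deserves a comment above the step such as `# direct WIF: access is limited by IAM bindings on the provider principal`.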
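Review bot: Adding `permissions:` at job level here while the first hunk of ibis-backends-cloud.yml deletes the workflow-level block means any other job in this workflow no longer inherits `contents: read` and falls back to the repository's default GITHUB_TOKEN permissions. The rest of the `jobs:` section lies outside the hunks, so whether other jobs exist cannot be confirmed from here. Keeping the top-level `permissions:` with `contents: read` and granting only `id-token: "write"` plus `contents: "read"` on this job would preserve the previous restriction. The carried-over comment about extractions/setup-just now sits above the `permissions:` key, although it describes only `contents`, so it would read better directly above `contents: "read"`. Because the trigger context in the first hunk includes `labeled`, it is also worth confirming that the provider's attribute condition restricts the `repository` claim, so that a token minted by this job is the only kind it accepts.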
diff --git a/.github/workflows/ibis-benchmarks.yml b/.github/workflows/ibis-benchmarks.yml
index 2430b294fd9d..8066870f158e 100644
--- a/.github/workflows/ibis-benchmarks.yml
+++ b/.github/workflows/ibis-benchmarks.yml
@@ -46,7 +46,7 @@ jobs:
 - uses: google-github-actions/auth@v2
 with:
- credentials_json: ${{ secrets.GCP_CREDENTIALS }}
+ workload_identity_provider: "${{ secrets.WIF_PROVIDER_NAME }}"
 - uses: google-github-actions/setup-gcloud@v2