refactor(ci): use GitHub variables for non-sensitive info (#6357)

* refactor(ci): use GitHub secrets and variables

We've been using values that are variable across multiple workflows,
and those can only be changed if modifying the workflows, but we should
be able to change the values without committing new changes in the code
for this purpose we're now using GitHub Variables, and even moving
non-sensitive information into variables instead of secrets. Allowing
more flexibility and other scenarios that should be easier to manage,
like deploying to Mainnet or Testnet.

* refactor(ci): use new GitHub variables for GCP auth

* fix(ci): typo

* fix(ci): do not use multiple variables for the same value

* fix(ci): typo in variable

* fix(vars): use different variables for machine types

* fix(vars): missing substitution

* fix: typo

* fix: make the input CI network override the default network

* Use the correct network variable for creating disks

---------

Co-authored-by: teor <teor@riseup.net>

.github/workflows/build-crates-individually.yml

@@ -37,11 +37,11 @@ on:
       - '.github/workflows/build-crates-individually.yml'
 
 env:
-  CARGO_INCREMENTAL: 0
+  CARGO_INCREMENTAL: ${{ vars.CARGO_INCREMENTAL }}
-  RUST_LOG: info
+  RUST_LOG: ${{ vars.RUST_LOG }}
-  RUST_BACKTRACE: full
+  RUST_BACKTRACE: ${{ vars.RUST_BACKTRACE }}
-  RUST_LIB_BACKTRACE: full
+  RUST_LIB_BACKTRACE: ${{ vars.RUST_LIB_BACKTRACE }}
-  COLORBT_SHOW_HIDDEN: '1'
+  COLORBT_SHOW_HIDDEN: ${{ vars.COLORBT_SHOW_HIDDEN }}
 
 jobs:
   matrix:

.github/workflows/build-docker-image.yml

@@ -84,7 +84,7 @@ jobs:
         with:
           # list of Docker images to use as base name for tags
           images: |
-            us-docker.pkg.dev/zealous-zebra/zebra/${{ inputs.image_name }}
+            us-docker.pkg.dev/${{ vars.GCP_PROJECT }}/zebra/${{ inputs.image_name }}
             zfnd/zebra,enable=${{ github.event_name == 'release' && !github.event.release.prerelease }}
           # appends inputs.tag_suffix to image tags/names
           flavor: |
@@ -119,8 +119,8 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_ARTIFACTS_SA }}'
           token_format: 'access_token'
           # Some builds might take over an hour, and Google's default lifetime duration for
           # an access token is 1 hour (3600s). We increase this to 3 hours (10800s)
@@ -177,7 +177,7 @@ jobs:
           # The caches are tried in top-down order, the first available cache is used:
           # https://github.com/moby/moby/pull/26839#issuecomment-277383550
           cache-from: |
-            type=registry,ref=us-docker.pkg.dev/zealous-zebra/zebra-caching/${{ inputs.image_name }}${{ inputs.tag_suffix }}:${{ env.GITHUB_REF_SLUG_URL }}-cache
+            type=registry,ref=us-docker.pkg.dev/${{ vars.GCP_PROJECT }}/zebra-caching/${{ inputs.image_name }}${{ inputs.tag_suffix }}:${{ env.GITHUB_REF_SLUG_URL }}-cache
-            type=registry,ref=us-docker.pkg.dev/zealous-zebra/zebra-caching/${{ inputs.image_name }}${{ inputs.tag_suffix }}:main-cache
+            type=registry,ref=us-docker.pkg.dev/${{ vars.GCP_PROJECT }}/zebra-caching/${{ inputs.image_name }}${{ inputs.tag_suffix }}:main-cache
           cache-to: |
-            type=registry,ref=us-docker.pkg.dev/zealous-zebra/zebra-caching/${{ inputs.image_name }}${{ inputs.tag_suffix }}:${{ env.GITHUB_REF_SLUG_URL }}-cache,mode=max
+            type=registry,ref=us-docker.pkg.dev/${{ vars.GCP_PROJECT }}/zebra-caching/${{ inputs.image_name }}${{ inputs.tag_suffix }}:${{ env.GITHUB_REF_SLUG_URL }}-cache,mode=max

.github/workflows/continous-delivery.yml

@@ -25,12 +25,6 @@ on:
     types:
       - published
 
-env:
-  GAR_BASE: us-docker.pkg.dev/zealous-zebra/zebra
-  REGION: us-central1
-  ZONE: us-central1-a
-  MACHINE_TYPE: c2-standard-4
-
 jobs:
   # If a release was made we want to extract the first part of the semver from the
   # tag_name
@@ -92,8 +86,8 @@ jobs:
       - name: Run tests using the default config
         run: |
           set -ex
-          docker pull ${{ env.GAR_BASE }}/zebrad@${{ needs.build.outputs.image_digest }}
+          docker pull ${{ vars.GAR_BASE }}/zebrad@${{ needs.build.outputs.image_digest }}
-          docker run --detach --name default-conf-tests -t ${{ env.GAR_BASE }}/zebrad@${{ needs.build.outputs.image_digest }}
+          docker run --detach --name default-conf-tests -t ${{ vars.GAR_BASE }}/zebrad@${{ needs.build.outputs.image_digest }}
           EXIT_STATUS=$(docker logs --tail all --follow default-conf-tests 2>&1 | grep -q --extended-regexp --max-count=1 -e 'estimated progress to chain tip.*BeforeOverwinter'; echo $?; )
           docker stop default-conf-tests
           docker logs default-conf-tests
@@ -147,8 +141,8 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1.1.0
@@ -161,10 +155,10 @@ jobs:
           --boot-disk-type=pd-ssd \
           --image-project=cos-cloud \
           --image-family=cos-stable \
-          --container-image ${{ env.GAR_BASE }}/zebrad@${{ needs.build.outputs.image_digest }} \
+          --container-image ${{ vars.GAR_BASE }}/zebrad@${{ needs.build.outputs.image_digest }} \
           --create-disk=name=zebrad-cache-${{ env.GITHUB_SHA_SHORT }},auto-delete=yes,size=300GB,type=pd-ssd \
           --container-mount-disk=mount-path="/zebrad-cache",name=zebrad-cache-${{ env.GITHUB_SHA_SHORT }} \
-          --machine-type ${{ env.MACHINE_TYPE }} \
+          --machine-type ${{ vars.GCP_SMALL_MACHINE }} \
           --scopes cloud-platform \
           --labels=app=zebrad,environment=prod,network=${NETWORK},github_ref=${{ env.GITHUB_REF_SLUG_URL }} \
           --tags zebrad
@@ -174,7 +168,7 @@ jobs:
         id: does-group-exist
         continue-on-error: true
         run: |
-          gcloud compute instance-groups list | grep "zebrad-${{ needs.versioning.outputs.major_version || env.GITHUB_REF_SLUG_URL }}" | grep "${{ env.REGION }}"
+          gcloud compute instance-groups list | grep "zebrad-${{ needs.versioning.outputs.major_version || env.GITHUB_REF_SLUG_URL }}" | grep "${{ vars.GCP_REGION }}"
 
       # Deploy new managed instance group using the new instance template
       - name: Create managed instance group
@@ -185,7 +179,7 @@ jobs:
           --template "zebrad-${{ needs.versioning.outputs.major_version || env.GITHUB_REF_SLUG_URL }}-${{ env.GITHUB_SHA_SHORT }}" \
           --health-check zebrad-tracing-filter \
           --initial-delay 30 \
-          --region "${{ env.REGION }}" \
+          --region "${{ vars.GCP_REGION }}" \
           --size 1
 
       # Rolls out update to existing group using the new instance template
@@ -195,7 +189,7 @@ jobs:
           gcloud compute instance-groups managed rolling-action start-update \
           "zebrad-${{ needs.versioning.outputs.major_version || env.GITHUB_REF_SLUG_URL }}" \
           --version template="zebrad-${{ needs.versioning.outputs.major_version || env.GITHUB_REF_SLUG_URL }}-${{ env.GITHUB_SHA_SHORT }}" \
-          --region "${{ env.REGION }}"
+          --region "${{ vars.GCP_REGION }}"
 
   # This jobs handles the deployment of a single node (1) in the us-central1-a zone
   # when an instance is required to test a specific commit
@@ -230,8 +224,8 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1.1.0
@@ -246,11 +240,11 @@ jobs:
           --image-family=cos-stable \
           --container-stdin \
           --container-tty \
-          --container-image ${{ env.GAR_BASE }}/zebrad@${{ needs.build.outputs.image_digest }} \
+          --container-image ${{ vars.GAR_BASE }}/zebrad@${{ needs.build.outputs.image_digest }} \
           --create-disk=auto-delete=yes,size=300GB,type=pd-ssd \
           --create-disk=name=zebrad-cache-${{ env.GITHUB_SHA_SHORT }},auto-delete=yes,size=300GB,type=pd-ssd \
           --container-mount-disk=mount-path='/zebrad-cache',name=zebrad-cache-${{ env.GITHUB_SHA_SHORT }} \
-          --machine-type ${{ env.MACHINE_TYPE }} \
+          --machine-type ${{ vars.GCP_SMALL_MACHINE }} \
-          --zone ${{ env.ZONE }} \
+          --zone ${{ vars.GCP_ZONE }} \
           --labels=app=zebrad,environment=qa,network=${NETWORK},github_ref=${{ env.GITHUB_REF_SLUG_URL }} \
           --tags zebrad

.github/workflows/continous-integration-docker.yml

@@ -76,13 +76,6 @@ on:
       - '.github/workflows/deploy-gcp-tests.yml'
       - '.github/workflows/build-docker-image.yml'
 
-env:
-  # TODO: use the output from ./.github/workflows/build-docker-image.yml
-  IMAGE_NAME: zebrad-test
-  GAR_BASE: us-docker.pkg.dev/zealous-zebra/zebra
-  # TODO: use environmental secrets for dynamic values
-  NETWORK: Mainnet
-
 jobs:
   get-available-disks:
     runs-on: ubuntu-latest
@@ -106,19 +99,19 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1.1.0
 
       # Disk images in GCP are required to be in lowercase, but the blockchain network
-      # uses sentence case, so we need to downcase ${{ env.NETWORK or github.event.inputs.network }}
+      # uses sentence case, so we need to downcase ${{ vars.ZCASH_NETWORK or github.event.inputs.network }}
       #
       # Passes a lowercase Network name to subsequent steps using $NETWORK env variable
       - name: Downcase network name for disks
         run: |
-          NETWORK_CAPS=${{ env.NETWORK || github.event.inputs.network }}
+          NETWORK_CAPS=${{ github.event.inputs.network || vars.ZCASH_NETWORK }}
           echo "NETWORK=${NETWORK_CAPS,,}" >> $GITHUB_ENV
 
       # Find a cached state disk for subsequent jobs needing a cached state without
@@ -169,9 +162,9 @@ jobs:
     with:
       dockerfile_path: ./docker/Dockerfile
       dockerfile_target: tests
-      image_name: zebrad-test
+      image_name: ${{ vars.CI_IMAGE_NAME }}
-      # TODO: validate how to use variable/conditional values for Testnet
+      # The default network in the image is based on the default network variable in GitHub
-      network: Mainnet
+      network: ${{ vars.ZCASH_NETWORK }}
       checkpoint_sync: true
       rust_backtrace: full
       rust_lib_backtrace: full
@@ -204,8 +197,8 @@ jobs:
       # If some tests hang, add "-- --nocapture" for just that test, or for all the tests.
       - name: Run zebrad tests
         run: |
-          docker pull ${{ env.GAR_BASE }}/${{ env.IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }}
+          docker pull ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }}
-          docker run --name zebrad-tests --tty ${{ env.GAR_BASE }}/${{ env.IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }} cargo test --locked --release --features "lightwalletd-grpc-tests" --workspace -- --include-ignored
+          docker run --name zebrad-tests --tty ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }} cargo test --locked --release --features "lightwalletd-grpc-tests" --workspace -- --include-ignored
 
   # zebrad tests without cached state with `getblocktemplate-rpcs` feature
   #
@@ -223,8 +216,8 @@ jobs:
 
       - name: Run zebrad tests
         run: |
-          docker pull ${{ env.GAR_BASE }}/${{ env.IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }}
+          docker pull ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }}
-          docker run --name zebrad-tests --tty ${{ env.GAR_BASE }}/${{ env.IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }} cargo test --locked --release --features "lightwalletd-grpc-tests getblocktemplate-rpcs" --workspace -- --include-ignored
+          docker run --name zebrad-tests --tty ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }} cargo test --locked --release --features "lightwalletd-grpc-tests getblocktemplate-rpcs" --workspace -- --include-ignored
 
   # Run state tests with fake activation heights.
   #
@@ -248,8 +241,8 @@ jobs:
 
       - name: Run tests with fake activation heights
         run: |
-          docker pull ${{ env.GAR_BASE }}/${{ env.IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }}
+          docker pull ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }}
-          docker run -e TEST_FAKE_ACTIVATION_HEIGHTS --name zebrad-tests -t ${{ env.GAR_BASE }}/${{ env.IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }} cargo test --locked --release --package zebra-state --lib -- --nocapture --include-ignored with_fake_activation_heights
+          docker run -e TEST_FAKE_ACTIVATION_HEIGHTS --name zebrad-tests -t ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }} cargo test --locked --release --package zebra-state --lib -- --nocapture --include-ignored with_fake_activation_heights
         env:
           TEST_FAKE_ACTIVATION_HEIGHTS: '1'
 
@@ -269,8 +262,8 @@ jobs:
 
       - name: Run zebrad large sync tests
         run: |
-          docker pull ${{ env.GAR_BASE }}/${{ env.IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }}
+          docker pull ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }}
-          docker run --name zebrad-tests -t ${{ env.GAR_BASE }}/${{ env.IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }} cargo test --locked --release --features lightwalletd-grpc-tests --package zebrad --test acceptance -- --nocapture --include-ignored sync_large_checkpoints_
+          docker run --name zebrad-tests -t ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }} cargo test --locked --release --features lightwalletd-grpc-tests --package zebrad --test acceptance -- --nocapture --include-ignored sync_large_checkpoints_
 
   # Test launching lightwalletd with an empty lightwalletd and Zebra state.
   #
@@ -288,8 +281,8 @@ jobs:
 
       - name: Run tests with empty lightwalletd launch
         run: |
-          docker pull ${{ env.GAR_BASE }}/${{ env.IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }}
+          docker pull ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }}
-          docker run -e ZEBRA_TEST_LIGHTWALLETD --name lightwalletd-tests -t ${{ env.GAR_BASE }}/${{ env.IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }} cargo test --locked --release --features lightwalletd-grpc-tests --package zebrad --test acceptance -- --nocapture --include-ignored lightwalletd_integration
+          docker run -e ZEBRA_TEST_LIGHTWALLETD --name lightwalletd-tests -t ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }} cargo test --locked --release --features lightwalletd-grpc-tests --package zebrad --test acceptance -- --nocapture --include-ignored lightwalletd_integration
         env:
           ZEBRA_TEST_LIGHTWALLETD: '1'
 
@@ -309,8 +302,8 @@ jobs:
       - name: Run tests using the default config
         run: |
           set -ex
-          docker pull ${{ env.GAR_BASE }}/${{ env.IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }}
+          docker pull ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }}
-          docker run --detach --name default-conf-tests -t ${{ env.GAR_BASE }}/${{ env.IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }} zebrad start
+          docker run --detach --name default-conf-tests -t ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }} zebrad start
           EXIT_STATUS=$(docker logs --tail all --follow default-conf-tests 2>&1 | grep -q --extended-regexp --max-count=1 -e 'estimated progress to chain tip.*BeforeOverwinter'; echo $?; )
           docker stop default-conf-tests
           docker logs default-conf-tests
@@ -332,8 +325,8 @@ jobs:
       - name: Run tests using the $ZEBRA_CONF_PATH
         run: |
           set -ex
-          docker pull ${{ env.GAR_BASE }}/${{ env.IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }}
+          docker pull ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }}
-          docker run --detach -e ZEBRA_CONF_PATH --name variable-conf-tests -t ${{ env.GAR_BASE }}/${{ env.IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }} -c $ZEBRA_CONF_PATH start
+          docker run --detach -e ZEBRA_CONF_PATH --name variable-conf-tests -t ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }} -c $ZEBRA_CONF_PATH start
           EXIT_STATUS=$(docker logs --tail all --follow variable-conf-tests 2>&1 | grep -q --extended-regexp --max-count=1 -e 'v1.0.0-rc.2.toml'; echo $?; )
           docker stop variable-conf-tests
           docker logs variable-conf-tests

.github/workflows/continous-integration-os.yml

@@ -51,11 +51,11 @@ on:
       - '.github/workflows/continous-integration-os.yml'
 
 env:
-  CARGO_INCREMENTAL: 0
+  CARGO_INCREMENTAL: ${{ vars.CARGO_INCREMENTAL }}
-  RUST_LOG: info
+  RUST_LOG: ${{ vars.RUST_LOG }}
-  RUST_BACKTRACE: full
+  RUST_BACKTRACE: ${{ vars.RUST_BACKTRACE }}
-  RUST_LIB_BACKTRACE: full
+  RUST_LIB_BACKTRACE: ${{ vars.RUST_LIB_BACKTRACE }}
-  COLORBT_SHOW_HIDDEN: '1'
+  COLORBT_SHOW_HIDDEN: ${{ vars.COLORBT_SHOW_HIDDEN }}
 
 jobs:
   test:

.github/workflows/coverage.yml

@@ -41,11 +41,11 @@ on:
       - '.github/workflows/coverage.yml'
 
 env:
-  CARGO_INCREMENTAL: 0
+  CARGO_INCREMENTAL: ${{ vars.CARGO_INCREMENTAL }}
-  RUST_LOG: info
+  RUST_LOG: ${{ vars.RUST_LOG }}
-  RUST_BACKTRACE: full
+  RUST_BACKTRACE: ${{ vars.RUST_BACKTRACE }}
-  RUST_LIB_BACKTRACE: full
+  RUST_LIB_BACKTRACE: ${{ vars.RUST_LIB_BACKTRACE }}
-  COLORBT_SHOW_HIDDEN: '1'
+  COLORBT_SHOW_HIDDEN: ${{ vars.COLORBT_SHOW_HIDDEN }}
 
 jobs:
   coverage:

.github/workflows/delete-gcp-resources.yml

@@ -40,8 +40,8 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1.1.0
@@ -192,8 +192,8 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
           token_format: 'access_token'
 
       - name: Login to Google Artifact Registry
@@ -210,7 +210,7 @@ jobs:
         # https://github.com/GoogleCloudPlatform/gcr-cleaner
         with:
           args: >-
-            -repo=us-docker.pkg.dev/zealous-zebra/zebra/zebrad-test
+            -repo=us-docker.pkg.dev/${{ vars.GCP_PROJECT }}/zebra/zebrad-test
-            -repo=us-docker.pkg.dev/zealous-zebra/zebra/lightwalletd
+            -repo=us-docker.pkg.dev/${{ vars.GCP_PROJECT }}/zebra/lightwalletd
             -grace=${{ env.DELETE_IMAGE_HOURS }}
             -keep=${{ env.KEEP_LATEST_IMAGE_COUNT }}

.github/workflows/deploy-gcp-tests.yml

@@ -87,12 +87,6 @@ on:
         description: 'Application name, used to work out when a job is an update job'
 
 env:
-  # where we get the Docker image from
-  IMAGE_NAME: zebrad-test
-  GAR_BASE: us-docker.pkg.dev/zealous-zebra/zebra
-  # what kind of Google Cloud instance we want to launch
-  ZONE: us-central1-f
-  MACHINE_TYPE: c2d-standard-16
   # How many previous log lines we show at the start of each new log job.
   # Increase this number if some log lines are skipped between jobs
   #
@@ -153,8 +147,8 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1.1.0
@@ -170,13 +164,13 @@ jobs:
           --image-family=cos-stable \
           --create-disk=name="${{ inputs.test_id }}-${{ env.GITHUB_SHA_SHORT }}",device-name="${{ inputs.test_id }}-${{ env.GITHUB_SHA_SHORT }}",size=300GB,type=pd-ssd \
           --container-image=gcr.io/google-containers/busybox \
-          --machine-type ${{ env.MACHINE_TYPE }} \
+          --machine-type ${{ vars.GCP_LARGE_MACHINE }} \
           --scopes cloud-platform \
           --metadata=google-monitoring-enabled=TRUE,google-logging-enabled=TRUE \
           --metadata-from-file=startup-script=.github/workflows/scripts/gcp-vm-startup-script.sh \
           --labels=app=${{ inputs.app_name }},environment=test,network=${NETWORK},github_ref=${{ env.GITHUB_REF_SLUG_URL }},test=${{ inputs.test_id }} \
           --tags ${{ inputs.app_name }} \
-          --zone ${{ env.ZONE }}
+          --zone ${{ vars.GCP_ZONE }}
           sleep 60
 
       # Create a docker volume with the new disk we just created.
@@ -185,7 +179,7 @@ jobs:
       - name: Create ${{ inputs.test_id }} Docker volume
         run: |
           gcloud compute ssh ${{ inputs.test_id }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ env.GITHUB_SHA_SHORT }} \
-          --zone ${{ env.ZONE }} \
+          --zone ${{ vars.GCP_ZONE }} \
           --ssh-flag="-o ServerAliveInterval=5" \
           --ssh-flag="-o ConnectionAttempts=20" \
           --ssh-flag="-o ConnectTimeout=5" \
@@ -235,8 +229,8 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1.1.0
@@ -245,7 +239,7 @@ jobs:
       - name: Launch ${{ inputs.test_id }} test
         run: |
           gcloud compute ssh ${{ inputs.test_id }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ env.GITHUB_SHA_SHORT }} \
-          --zone ${{ env.ZONE }} \
+          --zone ${{ vars.GCP_ZONE }} \
           --ssh-flag="-o ServerAliveInterval=5" \
           --ssh-flag="-o ConnectionAttempts=20" \
           --ssh-flag="-o ConnectTimeout=5" \
@@ -257,7 +251,7 @@ jobs:
           --detach \
           ${{ inputs.test_variables }} \
           --mount type=volume,src=${{ inputs.test_id }}-${{ env.GITHUB_SHA_SHORT }},dst=${{ inputs.root_state_path }}/${{ inputs.zebra_state_dir }} \
-          ${{ env.GAR_BASE }}/${{ env.IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }} \
+          ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }} \
           "
 
 
@@ -305,8 +299,8 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1.1.0
@@ -411,13 +405,13 @@ jobs:
           --image-family=cos-stable \
           --create-disk=image=${{ env.CACHED_DISK_NAME }},name="${{ inputs.test_id }}-${{ env.GITHUB_SHA_SHORT }}",device-name="${{ inputs.test_id }}-${{ env.GITHUB_SHA_SHORT }}",size=300GB,type=pd-ssd \
           --container-image=gcr.io/google-containers/busybox \
-          --machine-type ${{ env.MACHINE_TYPE }} \
+          --machine-type ${{ vars.GCP_LARGE_MACHINE }} \
           --scopes cloud-platform \
           --metadata=google-monitoring-enabled=TRUE,google-logging-enabled=TRUE \
           --metadata-from-file=startup-script=.github/workflows/scripts/gcp-vm-startup-script.sh \
           --labels=app=${{ inputs.app_name }},environment=test,network=${NETWORK},github_ref=${{ env.GITHUB_REF_SLUG_URL }},test=${{ inputs.test_id }} \
           --tags ${{ inputs.app_name }} \
-          --zone ${{ env.ZONE }}
+          --zone ${{ vars.GCP_ZONE }}
           sleep 60
 
       # Create a docker volume with the selected cached state.
@@ -428,7 +422,7 @@ jobs:
       - name: Create ${{ inputs.test_id }} Docker volume
         run: |
           gcloud compute ssh ${{ inputs.test_id }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ env.GITHUB_SHA_SHORT }} \
-          --zone ${{ env.ZONE }} \
+          --zone ${{ vars.GCP_ZONE }} \
           --ssh-flag="-o ServerAliveInterval=5" \
           --ssh-flag="-o ConnectionAttempts=20" \
           --ssh-flag="-o ConnectTimeout=5" \
@@ -476,8 +470,8 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1.1.0
@@ -506,7 +500,7 @@ jobs:
         if: ${{ (inputs.needs_zebra_state && !inputs.needs_lwd_state) && inputs.test_id != 'lwd-full-sync' }}
         run: |
           gcloud compute ssh ${{ inputs.test_id }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ env.GITHUB_SHA_SHORT }} \
-          --zone ${{ env.ZONE }} \
+          --zone ${{ vars.GCP_ZONE }} \
           --ssh-flag="-o ServerAliveInterval=5" \
           --ssh-flag="-o ConnectionAttempts=20" \
           --ssh-flag="-o ConnectTimeout=5" \
@@ -518,7 +512,7 @@ jobs:
           --detach \
           ${{ inputs.test_variables }} \
           --mount type=volume,src=${{ inputs.test_id }}-${{ env.GITHUB_SHA_SHORT }},dst=${{ inputs.root_state_path }}/${{ inputs.zebra_state_dir }} \
-          ${{ env.GAR_BASE }}/${{ env.IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }} \
+          ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }} \
           "
 
       # Launch the test with the previously created Lightwalletd and Zebra cached state.
@@ -554,7 +548,7 @@ jobs:
         if: ${{ (inputs.needs_zebra_state && inputs.needs_lwd_state) || inputs.test_id == 'lwd-full-sync' }}
         run: |
           gcloud compute ssh ${{ inputs.test_id }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ env.GITHUB_SHA_SHORT }} \
-          --zone ${{ env.ZONE }} \
+          --zone ${{ vars.GCP_ZONE }} \
           --ssh-flag="-o ServerAliveInterval=5" \
           --ssh-flag="-o ConnectionAttempts=20" \
           --ssh-flag="-o ConnectTimeout=5" \
@@ -567,7 +561,7 @@ jobs:
           ${{ inputs.test_variables }} \
           --mount type=volume,src=${{ inputs.test_id }}-${{ env.GITHUB_SHA_SHORT }},dst=${{ inputs.root_state_path }}/${{ inputs.zebra_state_dir }} \
           --mount type=volume,src=${{ inputs.test_id }}-${{ env.GITHUB_SHA_SHORT }},dst=${{ inputs.root_state_path }}/${{ inputs.lwd_state_dir }} \
-          ${{ env.GAR_BASE }}/${{ env.IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }} \
+          ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}:sha-${{ env.GITHUB_SHA_SHORT }} \
           "
 
 
@@ -612,8 +606,8 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1.1.0
@@ -659,8 +653,8 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1.1.0
@@ -676,7 +670,7 @@ jobs:
       - name: Show logs for ${{ inputs.test_id }} test (heartwood)
         run: |
           gcloud compute ssh ${{ inputs.test_id }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ env.GITHUB_SHA_SHORT }} \
-          --zone ${{ env.ZONE }} \
+          --zone ${{ vars.GCP_ZONE }} \
           --ssh-flag="-o ServerAliveInterval=5" \
           --ssh-flag="-o ConnectionAttempts=20" \
           --ssh-flag="-o ConnectTimeout=5" \
@@ -731,8 +725,8 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1.1.0
@@ -741,7 +735,7 @@ jobs:
       - name: Show logs for ${{ inputs.test_id }} test (canopy)
         run: |
           gcloud compute ssh ${{ inputs.test_id }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ env.GITHUB_SHA_SHORT }} \
-          --zone ${{ env.ZONE }} \
+          --zone ${{ vars.GCP_ZONE }} \
           --ssh-flag="-o ServerAliveInterval=5" \
           --ssh-flag="-o ConnectionAttempts=20" \
           --ssh-flag="-o ConnectTimeout=5" \
@@ -798,8 +792,8 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1.1.0
@@ -808,7 +802,7 @@ jobs:
       - name: Show logs for ${{ inputs.test_id }} test (1740k)
         run: |
           gcloud compute ssh ${{ inputs.test_id }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ env.GITHUB_SHA_SHORT }} \
-          --zone ${{ env.ZONE }} \
+          --zone ${{ vars.GCP_ZONE }} \
           --ssh-flag="-o ServerAliveInterval=5" \
           --ssh-flag="-o ConnectionAttempts=20" \
           --ssh-flag="-o ConnectTimeout=5" \
@@ -867,8 +861,8 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1.1.0
@@ -877,7 +871,7 @@ jobs:
       - name: Show logs for ${{ inputs.test_id }} test (1760k)
         run: |
           gcloud compute ssh ${{ inputs.test_id }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ env.GITHUB_SHA_SHORT }} \
-          --zone ${{ env.ZONE }} \
+          --zone ${{ vars.GCP_ZONE }} \
           --ssh-flag="-o ServerAliveInterval=5" \
           --ssh-flag="-o ConnectionAttempts=20" \
           --ssh-flag="-o ConnectTimeout=5" \
@@ -936,8 +930,8 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1.1.0
@@ -946,7 +940,7 @@ jobs:
       - name: Show logs for ${{ inputs.test_id }} test (1780k)
         run: |
           gcloud compute ssh ${{ inputs.test_id }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ env.GITHUB_SHA_SHORT }} \
-          --zone ${{ env.ZONE }} \
+          --zone ${{ vars.GCP_ZONE }} \
           --ssh-flag="-o ServerAliveInterval=5" \
           --ssh-flag="-o ConnectionAttempts=20" \
           --ssh-flag="-o ConnectTimeout=5" \
@@ -1006,8 +1000,8 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1.1.0
@@ -1016,7 +1010,7 @@ jobs:
       - name: Show logs for ${{ inputs.test_id }} test (1800k)
         run: |
           gcloud compute ssh ${{ inputs.test_id }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ env.GITHUB_SHA_SHORT }} \
-          --zone ${{ env.ZONE }} \
+          --zone ${{ vars.GCP_ZONE }} \
           --ssh-flag="-o ServerAliveInterval=5" \
           --ssh-flag="-o ConnectionAttempts=20" \
           --ssh-flag="-o ConnectTimeout=5" \
@@ -1075,8 +1069,8 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1.1.0
@@ -1085,7 +1079,7 @@ jobs:
       - name: Show logs for ${{ inputs.test_id }} test (1820k)
         run: |
           gcloud compute ssh ${{ inputs.test_id }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ env.GITHUB_SHA_SHORT }} \
-          --zone ${{ env.ZONE }} \
+          --zone ${{ vars.GCP_ZONE }} \
           --ssh-flag="-o ServerAliveInterval=5" \
           --ssh-flag="-o ConnectionAttempts=20" \
           --ssh-flag="-o ConnectTimeout=5" \
@@ -1144,8 +1138,8 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1.1.0
@@ -1154,7 +1148,7 @@ jobs:
       - name: Show logs for ${{ inputs.test_id }} test (1850k)
         run: |
           gcloud compute ssh ${{ inputs.test_id }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ env.GITHUB_SHA_SHORT }} \
-          --zone ${{ env.ZONE }} \
+          --zone ${{ vars.GCP_ZONE }} \
           --ssh-flag="-o ServerAliveInterval=5" \
           --ssh-flag="-o ConnectionAttempts=20" \
           --ssh-flag="-o ConnectTimeout=5" \
@@ -1213,8 +1207,8 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1.1.0
@@ -1223,7 +1217,7 @@ jobs:
       - name: Show logs for ${{ inputs.test_id }} test (1880k)
         run: |
           gcloud compute ssh ${{ inputs.test_id }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ env.GITHUB_SHA_SHORT }} \
-          --zone ${{ env.ZONE }} \
+          --zone ${{ vars.GCP_ZONE }} \
           --ssh-flag="-o ServerAliveInterval=5" \
           --ssh-flag="-o ConnectionAttempts=20" \
           --ssh-flag="-o ConnectTimeout=5" \
@@ -1282,8 +1276,8 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1.1.0
@@ -1292,7 +1286,7 @@ jobs:
       - name: Show logs for ${{ inputs.test_id }} test (1920k)
         run: |
           gcloud compute ssh ${{ inputs.test_id }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ env.GITHUB_SHA_SHORT }} \
-          --zone ${{ env.ZONE }} \
+          --zone ${{ vars.GCP_ZONE }} \
           --ssh-flag="-o ServerAliveInterval=5" \
           --ssh-flag="-o ConnectionAttempts=20" \
           --ssh-flag="-o ConnectTimeout=5" \
@@ -1350,8 +1344,8 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1.1.0
@@ -1360,7 +1354,7 @@ jobs:
       - name: Show logs for ${{ inputs.test_id }} test (1920k)
         run: |
           gcloud compute ssh ${{ inputs.test_id }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ env.GITHUB_SHA_SHORT }} \
-          --zone ${{ env.ZONE }} \
+          --zone ${{ vars.GCP_ZONE }} \
           --ssh-flag="-o ServerAliveInterval=5" \
           --ssh-flag="-o ConnectionAttempts=20" \
           --ssh-flag="-o ConnectTimeout=5" \
@@ -1416,8 +1410,8 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1.1.0
@@ -1428,7 +1422,7 @@ jobs:
       - name: Show logs for ${{ inputs.test_id }} test (checkpoint)
         run: |
           gcloud compute ssh ${{ inputs.test_id }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ env.GITHUB_SHA_SHORT }} \
-          --zone ${{ env.ZONE }} \
+          --zone ${{ vars.GCP_ZONE }} \
           --ssh-flag="-o ServerAliveInterval=5" \
           --ssh-flag="-o ConnectionAttempts=20" \
           --ssh-flag="-o ConnectTimeout=5" \
@@ -1491,8 +1485,8 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1.1.0
@@ -1510,7 +1504,7 @@ jobs:
       - name: Result of ${{ inputs.test_id }} test
         run: |
           gcloud compute ssh ${{ inputs.test_id }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ env.GITHUB_SHA_SHORT }} \
-          --zone ${{ env.ZONE }} \
+          --zone ${{ vars.GCP_ZONE }} \
           --ssh-flag="-o ServerAliveInterval=5" \
           --ssh-flag="-o ConnectionAttempts=20" \
           --ssh-flag="-o ConnectTimeout=5" \
@@ -1589,8 +1583,8 @@ jobs:
         id: auth
         uses: google-github-actions/auth@v1.0.0
         with:
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1.1.0
@@ -1645,7 +1639,7 @@ jobs:
 
           DOCKER_LOGS=$( \
           gcloud compute ssh ${{ inputs.test_id }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ env.GITHUB_SHA_SHORT }} \
-          --zone ${{ env.ZONE }} \
+          --zone ${{ vars.GCP_ZONE }} \
           --ssh-flag="-o ServerAliveInterval=5" \
           --ssh-flag="-o ConnectionAttempts=20" \
           --ssh-flag="-o ConnectTimeout=5" \
@@ -1725,13 +1719,13 @@ jobs:
           MINIMUM_UPDATE_HEIGHT=$((ORIGINAL_HEIGHT+CACHED_STATE_UPDATE_LIMIT))
           if [[ -z "$UPDATE_SUFFIX" ]] || [[ "$SYNC_HEIGHT" -gt "$MINIMUM_UPDATE_HEIGHT" ]]; then
              gcloud compute images create \
-              "${{ inputs.disk_prefix }}-${SHORT_GITHUB_REF}-${{ env.GITHUB_SHA_SHORT }}-v${{ env.STATE_VERSION }}-${{ env.NETWORK }}-${{ inputs.disk_suffix }}${UPDATE_SUFFIX}-${TIME_SUFFIX}" \
+              "${{ inputs.disk_prefix }}-${SHORT_GITHUB_REF}-${{ env.GITHUB_SHA_SHORT }}-v${{ env.STATE_VERSION }}-${NETWORK}-${{ inputs.disk_suffix }}${UPDATE_SUFFIX}-${TIME_SUFFIX}" \
               --force \
               --source-disk=${{ inputs.test_id }}-${{ env.GITHUB_SHA_SHORT }} \
-              --source-disk-zone=${{ env.ZONE }} \
+              --source-disk-zone=${{ vars.GCP_ZONE }} \
               --storage-location=us \
               --description="Created from commit ${{ env.GITHUB_SHA_SHORT }} with height ${{ env.SYNC_HEIGHT }}" \
-              --labels="height=${{ env.SYNC_HEIGHT }},purpose=${{ inputs.disk_prefix }},commit=${{ env.GITHUB_SHA_SHORT }},state-version=${{ env.STATE_VERSION }},network=${{ env.NETWORK }},target-height-kind=${{ inputs.disk_suffix }},update-flag=${UPDATE_SUFFIX},updated-from-height=${ORIGINAL_HEIGHT},test-id=${{ inputs.test_id }},app-name=${{ inputs.app_name }}"
+              --labels="height=${{ env.SYNC_HEIGHT }},purpose=${{ inputs.disk_prefix }},commit=${{ env.GITHUB_SHA_SHORT }},state-version=${{ env.STATE_VERSION }},network=${NETWORK},target-height-kind=${{ inputs.disk_suffix }},update-flag=${UPDATE_SUFFIX},updated-from-height=${ORIGINAL_HEIGHT},test-id=${{ inputs.test_id }},app-name=${{ inputs.app_name }}"
           else
               echo "Skipped cached state update because the new sync height $SYNC_HEIGHT was less than $CACHED_STATE_UPDATE_LIMIT blocks above the original height $ORIGINAL_HEIGHT"
           fi
@@ -1764,8 +1758,8 @@ jobs:
         id: auth
         uses: google-github-actions/auth@v1.0.0
         with:
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1.1.0
@@ -1779,5 +1773,5 @@ jobs:
           if [ -z "${INSTANCE}" ]; then
             echo "No instance to delete"
           else
-            gcloud compute instances delete "${INSTANCE}" --zone "${{ env.ZONE }}" --delete-disks all --quiet
+            gcloud compute instances delete "${INSTANCE}" --zone "${{ vars.GCP_ZONE }}" --delete-disks all --quiet
           fi

.github/workflows/docs.yml

@@ -28,10 +28,10 @@ on:
       - '.github/workflows/docs.yml'
 
 env:
-  RUST_LOG: info
+  RUST_LOG: ${{ vars.RUST_LOG }}
-  RUST_BACKTRACE: full
+  RUST_BACKTRACE: ${{ vars.RUST_BACKTRACE }}
-  RUST_LIB_BACKTRACE: full
+  RUST_LIB_BACKTRACE: ${{ vars.RUST_LIB_BACKTRACE }}
-  COLORBT_SHOW_HIDDEN: '1'
+  COLORBT_SHOW_HIDDEN: ${{ vars.COLORBT_SHOW_HIDDEN }}
 
 jobs:
   build:

.github/workflows/lint.yml

@@ -16,11 +16,11 @@ on:
   pull_request:
 
 env:
-  CARGO_INCREMENTAL: 0
+  CARGO_INCREMENTAL: ${{ vars.CARGO_INCREMENTAL }}
-  RUST_LOG: info
+  RUST_LOG: ${{ vars.RUST_LOG }}
-  RUST_BACKTRACE: full
+  RUST_BACKTRACE: ${{ vars.RUST_BACKTRACE }}
-  RUST_LIB_BACKTRACE: full
+  RUST_LIB_BACKTRACE: ${{ vars.RUST_LIB_BACKTRACE }}
-  COLORBT_SHOW_HIDDEN: '1'
+  COLORBT_SHOW_HIDDEN: ${{ vars.COLORBT_SHOW_HIDDEN }}
 
 jobs:
   changed-files:

.github/workflows/zcash-lightwalletd.yml

@@ -43,7 +43,6 @@ on:
       - '.github/workflows/zcash-lightwalletd.yml'
 
 env:
-  GAR_BASE: us-docker.pkg.dev/zealous-zebra/zebra
   IMAGE_NAME: lightwalletd
 
 jobs:
@@ -78,7 +77,7 @@ jobs:
         with:
           # list of Docker images to use as base name for tags
           images: |
-            ${{ env.GAR_BASE }}/${{ env.IMAGE_NAME }}
+            ${{ vars.GAR_BASE }}/${{ env.IMAGE_NAME }}
           # generate Docker tags based on the following events/attributes
           # set latest tag for default branch
           tags: |
@@ -115,8 +114,8 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_ARTIFACTS_SA }}'
           token_format: 'access_token'
 
       - name: Set up Cloud SDK
@@ -143,5 +142,5 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           push: true
-          cache-from: type=registry,ref=${{ env.GAR_BASE }}/${{ env.IMAGE_NAME }}:buildcache
+          cache-from: type=registry,ref=${{ vars.GAR_BASE }}/${{ env.IMAGE_NAME }}:buildcache
-          cache-to: type=registry,ref=${{ env.GAR_BASE }}/${{ env.IMAGE_NAME }}:buildcache,mode=max
+          cache-to: type=registry,ref=${{ vars.GAR_BASE }}/${{ env.IMAGE_NAME }}:buildcache,mode=max

.github/workflows/zcashd-manual-deploy.yml

@@ -12,12 +12,6 @@ on:
         description: 'GCP Managed Instance Group size'
         required: true
 
-env:
-  PROJECT_ID: zealous-zebra
-  REGION: us-central1
-  ZONE: us-central1-a
-  MACHINE_TYPE: c2-standard-4
-
 jobs:
   deploy:
     name: Deploy zcashd nodes
@@ -54,8 +48,8 @@ jobs:
         uses: google-github-actions/auth@v1.0.0
         with:
           retries: '3'
-          workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
-          service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
+          service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@v1.1.0
@@ -72,7 +66,7 @@ jobs:
           --container-tty \
           --container-image electriccoinco/zcashd \
           --container-env ZCASHD_NETWORK="${{ inputs.network }}" \
-          --machine-type ${{ env.MACHINE_TYPE }} \
+          --machine-type ${{ vars.GCP_SMALL_MACHINE }} \
           --service-account ${{ env.DEPLOY_SA }} \
           --scopes cloud-platform \
           --labels=app=zcashd,environment=prod,network=${NETWORK},github_ref=${{ env.GITHUB_REF_SLUG_URL }} \
@@ -83,7 +77,7 @@ jobs:
         id: does-group-exist
         continue-on-error: true
         run: |
-          gcloud compute instance-groups list | grep "zcashd-${{ env.GITHUB_REF_SLUG_URL }}-${{ inputs.network }}" | grep "${{ env.REGION }}"
+          gcloud compute instance-groups list | grep "zcashd-${{ env.GITHUB_REF_SLUG_URL }}-${{ inputs.network }}" | grep "${{ vars.GCP_REGION }}"
 
       # Deploy new managed instance group using the new instance template
       - name: Create managed instance group
@@ -92,7 +86,7 @@ jobs:
           gcloud compute instance-groups managed create \
           "zcashd-${{ env.GITHUB_REF_SLUG_URL }}-${{ inputs.network }}" \
           --template "zcashd-${{ env.GITHUB_REF_SLUG_URL }}-${{ env.GITHUB_SHA_SHORT }}" \
-          --region "${{ env.REGION }}" \
+          --region "${{ vars.GCP_REGION }}" \
           --size "${{ github.event.inputs.size }}"
 
       # Rolls out update to existing group using the new instance template
@@ -102,4 +96,4 @@ jobs:
           gcloud compute instance-groups managed rolling-action start-update \
           "zcashd-${{ env.GITHUB_REF_SLUG_URL }}-${{ inputs.network }}" \
           --version template="zcashd-${{ env.GITHUB_REF_SLUG_URL }}-${{ env.GITHUB_SHA_SHORT }}" \
-          --region "${{ env.REGION }}"
+          --region "${{ vars.GCP_REGION }}"