refactor(ci): use improved OIDC for gcloud authentication (#3885)

* refactor(ci): use improved OIDC authentication

* fix(ci): standardize OIDC on all required jobs

* fix: wrong indentation

* fix(ci): remove non-existing dependency in clean job
Gustavo Valverde 2022-03-18 17:25:35 -04:00 committed by GitHub
parent b4deca2912
commit e1eb916b6d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 134 additions and 73 deletions


@ -14,9 +14,9 @@ on:
env:
CARGO_INCREMENTAL: '1'
NETWORK: Mainnet
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
GAR_BASE: us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/zebra
GCR_BASE: gcr.io/${{ secrets.GCP_PROJECT_ID }}
PROJECT_ID: zealous-zebra
GAR_BASE: us-docker.pkg.dev/zealous-zebra/zebra
GCR_BASE: gcr.io/zealous-zebra
REGION: us-central1
ZONE: us-central1-a
MACHINE_TYPE: c2-standard-4
@ -27,6 +27,9 @@ jobs:
# TODO: remove timeout until we have an average build time
# timeout-minutes: 180
runs-on: ubuntu-latest
permissions:
contents: 'read'
id-token: 'write'
steps:
- uses: actions/checkout@v3.0.0
@ -60,7 +63,9 @@ jobs:
id: auth
uses: google-github-actions/auth@v0.6.0
with:
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
token_format: 'access_token'
- name: Set up QEMU
id: qemu
@ -78,15 +83,15 @@ jobs:
uses: docker/login-action@v1.14.1
with:
registry: us-docker.pkg.dev
username: _json_key
password: ${{ secrets.GOOGLE_CREDENTIALS }}
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
- name: Login to Google Container Registry
uses: docker/login-action@v1.14.1
with:
registry: gcr.io
username: _json_key
password: ${{ secrets.GOOGLE_CREDENTIALS }}
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
# Build and push image to Google Artifact Registry
- name: Build & push
@ -118,6 +123,9 @@ jobs:
needs: build
runs-on: ubuntu-latest
timeout-minutes: 30
permissions:
contents: 'read'
id-token: 'write'
if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
steps:
@ -133,12 +141,9 @@ jobs:
id: auth
uses: google-github-actions/auth@v0.6.0
with:
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
- name: Set up gcloud SDK environment
uses: google-github-actions/setup-gcloud@v0.6.0
with:
project_id: ${{ env.PROJECT_ID }}
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
token_format: 'access_token'
- name: Create instance template
run: |
@ -184,6 +189,9 @@ jobs:
needs: build
runs-on: ubuntu-latest
timeout-minutes: 30
permissions:
contents: 'read'
id-token: 'write'
if: github.event_name == 'workflow_dispatch'
steps:
@ -199,12 +207,9 @@ jobs:
id: auth
uses: google-github-actions/auth@v0.6.0
with:
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
- name: Set up gcloud SDK environment
uses: google-github-actions/setup-gcloud@v0.6.0
with:
project_id: ${{ env.PROJECT_ID }}
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
token_format: 'access_token'
# Create instance template from container image
- name: Manual deploy of a single instance running zebrad
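Review bot: The `workload_identity_provider` and `service_account` literals in each auth step (`workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'`) are repeated verbatim in every job of this file and in the other six workflows, so rotating the provider or moving to another service account means editing a dozen places and risks a job being missed. The workflow-level `env:` block already carries `PROJECT_ID: zealous-zebra`; hoist the two values there as `WIF_PROVIDER: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'` and `WIF_SERVICE_ACCOUNT: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'`, and reference them in each step as `workload_identity_provider: ${{ env.WIF_PROVIDER }}` / `service_account: ${{ env.WIF_SERVICE_ACCOUNT }}`. The `env` context is available in step `with:` inputs, so this is a pure relocation with no behavior change.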


@ -9,7 +9,7 @@ on:
env:
NETWORK: Mainnet
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
PROJECT_ID: zealous-zebra
REGION: us-central1
ZONE: us-central1-a
@ -17,7 +17,9 @@ jobs:
delete:
name: Delete test deployments
runs-on: ubuntu-latest
needs: [ build ]
permissions:
contents: 'read'
id-token: 'write'
steps:
- uses: actions/checkout@v2.4.0
with:
@ -29,9 +31,11 @@ jobs:
# Setup gcloud CLI
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v0.5.0
uses: google-github-actions/auth@v0.6.0
with:
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
token_format: 'access_token'
- name: Delete test instance
continue-on-error: true
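Review bot: The new `permissions:` block with `contents: 'read'` / `id-token: 'write'` carries no comment explaining why, and `id-token: write` is the grant readers most often question. Add above it `# id-token: write lets google-github-actions/auth request the GitHub OIDC token it exchanges for GCP credentials; contents: read is what checkout needs` — the same comment fits every permissions block this commit adds across the seven workflows. Declaring the block also replaces the job's default GITHUB_TOKEN permissions with exactly these two scopes, so any later step in the job that needs another scope would now fail; the hunks do not show such a step, but it is worth a quick check per job.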


@ -29,9 +29,9 @@ env:
RUST_LIB_BACKTRACE: full
COLORBT_SHOW_HIDDEN: '1'
NETWORK: Mainnet
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
GAR_BASE: us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/zebra
GCR_BASE: gcr.io/${{ secrets.GCP_PROJECT_ID }}
PROJECT_ID: zealous-zebra
GAR_BASE: us-docker.pkg.dev/zealous-zebra/zebra
GCR_BASE: gcr.io/zealous-zebra
REGION: us-central1
ZONE: us-central1-a
MACHINE_TYPE: c2d-standard-16
@ -45,6 +45,9 @@ jobs:
name: Build images
timeout-minutes: 210
runs-on: ubuntu-latest
permissions:
contents: 'read'
id-token: 'write'
steps:
- uses: actions/checkout@v3.0.0
with:
@ -77,19 +80,27 @@ jobs:
id: buildx
uses: docker/setup-buildx-action@v1
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v0.6.0
with:
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
token_format: 'access_token'
- name: Login to Google Artifact Registry
uses: docker/login-action@v1.14.1
with:
registry: us-docker.pkg.dev
username: _json_key
password: ${{ secrets.GOOGLE_CREDENTIALS }}
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
- name: Login to Google Container Registry
uses: docker/login-action@v1.14.1
with:
registry: gcr.io
username: _json_key
password: ${{ secrets.GOOGLE_CREDENTIALS }}
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
# Build and push image to Google Artifact Registry
- name: Build & push
@ -120,6 +131,9 @@ jobs:
name: Test full Mainnet sync
runs-on: ubuntu-latest
needs: [ build ]
permissions:
contents: 'read'
id-token: 'write'
steps:
- uses: actions/checkout@v3.0.0
with:
@ -131,9 +145,11 @@ jobs:
# Setup gcloud CLI
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v0.5.0
uses: google-github-actions/auth@v0.6.0
with:
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
token_format: 'access_token'
# Check if our destination compute instance exists and delete it
- name: Delete existing instance with same SHA
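Review bot: The `docker/login-action` steps store the short-lived token from `password: ${{ steps.auth.outputs.access_token }}` at login time, but `token_format: 'access_token'` issues it with the action's default `access_token_lifetime` of 3600s while this build job declares `timeout-minutes: 210`; a push that happens after the token expires is rejected as unauthenticated rather than retried. If builds can run past the hour, set `access_token_lifetime` explicitly (values above 3600s require the service-account credential lifetime extension to be allowed by org policy) or re-run the auth and login steps immediately before `Build & push`. The same exposure exists in the next file's build job (also 210 minutes) and in the first file's build job, whose `timeout-minutes` is commented out and therefore falls back to the 360-minute default.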


@ -33,9 +33,9 @@ env:
RUST_LIB_BACKTRACE: full
COLORBT_SHOW_HIDDEN: '1'
NETWORK: Mainnet
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
GAR_BASE: us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/zebra
GCR_BASE: gcr.io/${{ secrets.GCP_PROJECT_ID }}
PROJECT_ID: zealous-zebra
GAR_BASE: us-docker.pkg.dev/zealous-zebra/zebra
GCR_BASE: gcr.io/zealous-zebra
REGION: us-central1
ZONE: us-central1-a
MACHINE_TYPE: c2d-standard-4
@ -46,6 +46,9 @@ jobs:
name: Build images
timeout-minutes: 210
runs-on: ubuntu-latest
permissions:
contents: 'read'
id-token: 'write'
steps:
- uses: actions/checkout@v3.0.0
with:
@ -78,19 +81,27 @@ jobs:
id: buildx
uses: docker/setup-buildx-action@v1
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v0.6.0
with:
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
token_format: 'access_token'
- name: Login to Google Artifact Registry
uses: docker/login-action@v1.14.1
with:
registry: us-docker.pkg.dev
username: _json_key
password: ${{ secrets.GOOGLE_CREDENTIALS }}
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
- name: Login to Google Container Registry
uses: docker/login-action@v1.14.1
with:
registry: gcr.io
username: _json_key
password: ${{ secrets.GOOGLE_CREDENTIALS }}
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
# Build and push image to Google Artifact Registry
- name: Build & push
@ -205,6 +216,9 @@ jobs:
needs: build
outputs:
any_changed: ${{ steps.changed-files-specific.outputs.any_changed }}
permissions:
contents: 'read'
id-token: 'write'
steps:
- uses: actions/checkout@v3.0.0
with:
@ -242,9 +256,11 @@ jobs:
# Setup gcloud CLI
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v0.5.0
uses: google-github-actions/auth@v0.6.0
with:
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
token_format: 'access_token'
# Check if our destination compute instance exists and delete it
- name: Delete existing instance with same SHA
@ -344,6 +360,9 @@ jobs:
name: Test full validation sync from cached state
runs-on: ubuntu-latest
needs: [ build, regenerate-stateful-disks]
permissions:
contents: 'read'
id-token: 'write'
steps:
- uses: actions/checkout@v3.0.0
with:
@ -359,9 +378,11 @@ jobs:
# Setup gcloud CLI
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v0.5.0
uses: google-github-actions/auth@v0.6.0
with:
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
token_format: 'access_token'
# Check if our destination compute instance exists and delete it
- name: Delete existing instance with same SHA


@ -21,15 +21,18 @@ on:
- '.github/workflows/zcash-lightwalletd.yml'
env:
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
GAR_BASE: us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/zebra
GCR_BASE: gcr.io/${{ secrets.GCP_PROJECT_ID }}
PROJECT_ID: zealous-zebra
GAR_BASE: us-docker.pkg.dev/zealous-zebra/zebra
GCR_BASE: gcr.io/zealous-zebra
IMAGE_NAME: lightwalletd
jobs:
build:
name: Build images
runs-on: ubuntu-latest
permissions:
contents: 'read'
id-token: 'write'
steps:
- uses: actions/checkout@v3.0.0
@ -64,13 +67,6 @@ jobs:
type=semver,pattern={{major}}
type=sha
# Setup gcloud CLI
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v0.6.0
with:
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
- name: Set up QEMU
id: qemu
uses: docker/setup-qemu-action@v1
@ -83,12 +79,21 @@ jobs:
id: buildx
uses: docker/setup-buildx-action@v1
# Setup gcloud CLI
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v0.6.0
with:
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
token_format: 'access_token'
- name: Login to Google Artifact Registry
uses: docker/login-action@v1.14.1
with:
registry: us-docker.pkg.dev
username: _json_key
password: ${{ secrets.GOOGLE_CREDENTIALS }}
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
# Build and push image to Google Artifact Registry
- name: Build & push
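Review bot: The comment `# Setup gcloud CLI` that moved with `- name: Authenticate to Google Cloud` now labels a step that installs nothing — `google-github-actions/auth` only exchanges the GitHub OIDC token for a GCP access token, which the registry login below consumes. Replace it with `# Authenticate to Google Cloud via Workload Identity Federation (GitHub OIDC)`, and make the same change where the comment heads the auth step in the zcash-params workflow below and in the last file, where the `setup-gcloud` step it originally described was removed outright.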


@ -16,9 +16,9 @@ on:
env:
CARGO_INCREMENTAL: '1'
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
GAR_BASE: us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/zebra
GCR_BASE: gcr.io/${{ secrets.GCP_PROJECT_ID }}
PROJECT_ID: zealous-zebra
GAR_BASE: us-docker.pkg.dev/zealous-zebra/zebra
GCR_BASE: gcr.io/zealous-zebra
IMAGE_NAME: zcash-params
jobs:
@ -27,6 +27,9 @@ jobs:
# TODO: remove timeout until we have an average build time
# timeout-minutes: 180
runs-on: ubuntu-latest
permissions:
contents: 'read'
id-token: 'write'
steps:
- uses: actions/checkout@v3.0.0
@ -54,13 +57,6 @@ jobs:
type=semver,pattern={{major}}
type=sha
# Setup gcloud CLI
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v0.6.0
with:
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
- name: Set up QEMU
id: qemu
uses: docker/setup-qemu-action@v1
@ -73,12 +69,21 @@ jobs:
id: buildx
uses: docker/setup-buildx-action@v1
# Setup gcloud CLI
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v0.6.0
with:
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
token_format: 'access_token'
- name: Login to Google Artifact Registry
uses: docker/login-action@v1.14.1
with:
registry: us-docker.pkg.dev
username: _json_key
password: ${{ secrets.GOOGLE_CREDENTIALS }}
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
# Build and push image to Google Artifact Registry
- name: Build & push


@ -9,7 +9,7 @@ on:
default: 10
env:
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
PROJECT_ID: zealous-zebra
REGION: us-central1
ZONE: us-central1-a
MACHINE_TYPE: c2-standard-4
@ -19,6 +19,9 @@ jobs:
name: Deploy zcashd nodes
runs-on: ubuntu-latest
timeout-minutes: 30
permissions:
contents: 'read'
id-token: 'write'
steps:
- uses: actions/checkout@v3.0.0
@ -29,11 +32,13 @@ jobs:
uses: rlespinasse/github-slug-action@v4
# Setup gcloud CLI
- name: Set up gcloud SDK environment
uses: google-github-actions/setup-gcloud@v0.6.0
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v0.6.0
with:
project_id: ${{ env.PROJECT_ID }}
service_account_key: ${{ secrets.GCLOUD_AUTH }}
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
token_format: 'access_token'
# Create instance template from container image
- name: Create instance template
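Review bot: With `service_account_key: ${{ secrets.GCLOUD_AUTH }}` and every `credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}` removed, no workflow in this commit reads those secrets any more, yet the long-lived service-account keys behind them stay valid until someone deletes them; the move to Workload Identity Federation only pays off once those keys are revoked in IAM and the two repository secrets are removed, so track that as a follow-up. Separately, the dropped `setup-gcloud` step was where `project_id: ${{ env.PROJECT_ID }}` was configured for gcloud; the `Create instance template` run step that follows (its body is outside the hunk) now depends on gcloud being preinstalled on the runner and on the auth action exporting a default project derived from the service-account e-mail — confirm that, or pass `--project ${{ env.PROJECT_ID }}` on the gcloud calls. The two deploy jobs in the first file dropped their `setup-gcloud` step in the same way.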