refactor(ci): use improved OIDC for gcloud authentication (#3885)
* refactor(ci): use improved OIDC authentication * fix(ci): standardize OIDC on all required jobs * fix: wrong indentation * fix(ci): remove non-existing dependency in clean job
This commit is contained in:
parent
b4deca2912
commit
e1eb916b6d
|
@ -14,9 +14,9 @@ on:
|
|||
env:
|
||||
CARGO_INCREMENTAL: '1'
|
||||
NETWORK: Mainnet
|
||||
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
|
||||
GAR_BASE: us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/zebra
|
||||
GCR_BASE: gcr.io/${{ secrets.GCP_PROJECT_ID }}
|
||||
PROJECT_ID: zealous-zebra
|
||||
GAR_BASE: us-docker.pkg.dev/zealous-zebra/zebra
|
||||
GCR_BASE: gcr.io/zealous-zebra
|
||||
REGION: us-central1
|
||||
ZONE: us-central1-a
|
||||
MACHINE_TYPE: c2-standard-4
|
||||
|
@ -27,6 +27,9 @@ jobs:
|
|||
# TODO: remove timeout until we have an average build time
|
||||
# timeout-minutes: 180
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: 'read'
|
||||
id-token: 'write'
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v3.0.0
|
||||
|
@ -60,7 +63,9 @@ jobs:
|
|||
id: auth
|
||||
uses: google-github-actions/auth@v0.6.0
|
||||
with:
|
||||
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
|
||||
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
|
||||
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
|
||||
token_format: 'access_token'
|
||||
|
||||
- name: Set up QEMU
|
||||
id: qemu
|
||||
|
@ -78,15 +83,15 @@ jobs:
|
|||
uses: docker/login-action@v1.14.1
|
||||
with:
|
||||
registry: us-docker.pkg.dev
|
||||
username: _json_key
|
||||
password: ${{ secrets.GOOGLE_CREDENTIALS }}
|
||||
username: oauth2accesstoken
|
||||
password: ${{ steps.auth.outputs.access_token }}
|
||||
|
||||
- name: Login to Google Container Registry
|
||||
uses: docker/login-action@v1.14.1
|
||||
with:
|
||||
registry: gcr.io
|
||||
username: _json_key
|
||||
password: ${{ secrets.GOOGLE_CREDENTIALS }}
|
||||
username: oauth2accesstoken
|
||||
password: ${{ steps.auth.outputs.access_token }}
|
||||
|
||||
# Build and push image to Google Artifact Registry
|
||||
- name: Build & push
|
||||
|
@ -118,6 +123,9 @@ jobs:
|
|||
needs: build
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 30
|
||||
permissions:
|
||||
contents: 'read'
|
||||
id-token: 'write'
|
||||
if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
|
||||
|
||||
steps:
|
||||
|
@ -133,12 +141,9 @@ jobs:
|
|||
id: auth
|
||||
uses: google-github-actions/auth@v0.6.0
|
||||
with:
|
||||
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
|
||||
|
||||
- name: Set up gcloud SDK environment
|
||||
uses: google-github-actions/setup-gcloud@v0.6.0
|
||||
with:
|
||||
project_id: ${{ env.PROJECT_ID }}
|
||||
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
|
||||
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
|
||||
token_format: 'access_token'
|
||||
|
||||
- name: Create instance template
|
||||
run: |
|
||||
|
@ -184,6 +189,9 @@ jobs:
|
|||
needs: build
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 30
|
||||
permissions:
|
||||
contents: 'read'
|
||||
id-token: 'write'
|
||||
if: github.event_name == 'workflow_dispatch'
|
||||
|
||||
steps:
|
||||
|
@ -199,12 +207,9 @@ jobs:
|
|||
id: auth
|
||||
uses: google-github-actions/auth@v0.6.0
|
||||
with:
|
||||
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
|
||||
|
||||
- name: Set up gcloud SDK environment
|
||||
uses: google-github-actions/setup-gcloud@v0.6.0
|
||||
with:
|
||||
project_id: ${{ env.PROJECT_ID }}
|
||||
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
|
||||
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
|
||||
token_format: 'access_token'
|
||||
|
||||
# Create instance template from container image
|
||||
- name: Manual deploy of a single instance running zebrad
|
||||
|
|
|
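Review bot: The two deploy hunks `@ -133,12 +141,9 @@` and `@ -199,12 +207,9 @@` drop the whole `Set up gcloud SDK environment` step, and with it the only `project_id: ${{ env.PROJECT_ID }}` that told gcloud which project to operate on, while the last workflow in this commit keeps `project_id` by moving it under the `auth` step. Unless the `Create instance template` script passes `--project` explicitly (its `run:` body is outside the hunk), the gcloud calls fall back to whatever default project the runner image has, which is most likely none. For consistency with that other workflow, add `project_id: ${{ env.PROJECT_ID }}` under each of these auth steps' `with:`, assuming auth@v0.6.0 exports it as the gcloud default project the way that workflow already relies on. The `Create instance template` step continues outside the hunk.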
@ -9,7 +9,7 @@ on:
|
|||
|
||||
env:
|
||||
NETWORK: Mainnet
|
||||
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
|
||||
PROJECT_ID: zealous-zebra
|
||||
REGION: us-central1
|
||||
ZONE: us-central1-a
|
||||
|
||||
|
@ -17,7 +17,9 @@ jobs:
|
|||
delete:
|
||||
name: Delete test deployments
|
||||
runs-on: ubuntu-latest
|
||||
needs: [ build ]
|
||||
permissions:
|
||||
contents: 'read'
|
||||
id-token: 'write'
|
||||
steps:
|
||||
- uses: actions/checkout@v2.4.0
|
||||
with:
|
||||
|
@ -29,9 +31,11 @@ jobs:
|
|||
# Setup gcloud CLI
|
||||
- name: Authenticate to Google Cloud
|
||||
id: auth
|
||||
uses: google-github-actions/auth@v0.5.0
|
||||
uses: google-github-actions/auth@v0.6.0
|
||||
with:
|
||||
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
|
||||
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
|
||||
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
|
||||
token_format: 'access_token'
|
||||
|
||||
- name: Delete test instance
|
||||
continue-on-error: true
|
||||
|
|
|
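Review bot: `uses: google-github-actions/auth@v0.6.0` at the bump in hunk `@ -29,9 +31,11 @@` pins by mutable tag only, and this is the step that mints a GCP access token for the job; for an action in that position pin the resolved commit and keep the tag as a comment, `uses: google-github-actions/auth@<commit-sha-of-v0.6.0> # v0.6.0`, and apply the same to the other auth steps in this commit. Separately, the removed `credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}` line means the long-lived service-account key is no longer referenced anywhere in this commit, but dereferencing it does not revoke it; delete the key in GCP and remove the repository secret (likewise `GCLOUD_AUTH`, dropped in the last workflow) so the workload-identity path is the only remaining one.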
@ -29,9 +29,9 @@ env:
|
|||
RUST_LIB_BACKTRACE: full
|
||||
COLORBT_SHOW_HIDDEN: '1'
|
||||
NETWORK: Mainnet
|
||||
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
|
||||
GAR_BASE: us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/zebra
|
||||
GCR_BASE: gcr.io/${{ secrets.GCP_PROJECT_ID }}
|
||||
PROJECT_ID: zealous-zebra
|
||||
GAR_BASE: us-docker.pkg.dev/zealous-zebra/zebra
|
||||
GCR_BASE: gcr.io/zealous-zebra
|
||||
REGION: us-central1
|
||||
ZONE: us-central1-a
|
||||
MACHINE_TYPE: c2d-standard-16
|
||||
|
@ -45,6 +45,9 @@ jobs:
|
|||
name: Build images
|
||||
timeout-minutes: 210
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: 'read'
|
||||
id-token: 'write'
|
||||
steps:
|
||||
- uses: actions/checkout@v3.0.0
|
||||
with:
|
||||
|
@ -77,19 +80,27 @@ jobs:
|
|||
id: buildx
|
||||
uses: docker/setup-buildx-action@v1
|
||||
|
||||
- name: Authenticate to Google Cloud
|
||||
id: auth
|
||||
uses: google-github-actions/auth@v0.6.0
|
||||
with:
|
||||
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
|
||||
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
|
||||
token_format: 'access_token'
|
||||
|
||||
- name: Login to Google Artifact Registry
|
||||
uses: docker/login-action@v1.14.1
|
||||
with:
|
||||
registry: us-docker.pkg.dev
|
||||
username: _json_key
|
||||
password: ${{ secrets.GOOGLE_CREDENTIALS }}
|
||||
username: oauth2accesstoken
|
||||
password: ${{ steps.auth.outputs.access_token }}
|
||||
|
||||
- name: Login to Google Container Registry
|
||||
uses: docker/login-action@v1.14.1
|
||||
with:
|
||||
registry: gcr.io
|
||||
username: _json_key
|
||||
password: ${{ secrets.GOOGLE_CREDENTIALS }}
|
||||
username: oauth2accesstoken
|
||||
password: ${{ steps.auth.outputs.access_token }}
|
||||
|
||||
# Build and push image to Google Artifact Registry
|
||||
- name: Build & push
|
||||
|
@ -120,6 +131,9 @@ jobs:
|
|||
name: Test full Mainnet sync
|
||||
runs-on: ubuntu-latest
|
||||
needs: [ build ]
|
||||
permissions:
|
||||
contents: 'read'
|
||||
id-token: 'write'
|
||||
steps:
|
||||
- uses: actions/checkout@v3.0.0
|
||||
with:
|
||||
|
@ -131,9 +145,11 @@ jobs:
|
|||
# Setup gcloud CLI
|
||||
- name: Authenticate to Google Cloud
|
||||
id: auth
|
||||
uses: google-github-actions/auth@v0.5.0
|
||||
uses: google-github-actions/auth@v0.6.0
|
||||
with:
|
||||
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
|
||||
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
|
||||
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
|
||||
token_format: 'access_token'
|
||||
|
||||
# Check if our destination compute instance exists and delete it
|
||||
- name: Delete existing instance with same SHA
|
||||
|
|
|
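Review bot: In hunk `@ -77,19 +80,27 @@` both registry logins now store `${{ steps.auth.outputs.access_token }}`, a token minted at the start of a job whose `timeout-minutes: 210` (hunk `@ -45,6 +45,9 @@`) lets it run well past the action's default access-token lifetime (one hour, if I recall the default correctly), so the push in the later `Build & push` step can fail once the build alone exceeds that window; the JSON key it replaces had no such expiry. Either set `access_token_lifetime` on the auth step to cover the expected build time or move the `Authenticate` and login steps to just before the push. The same pattern appears in the next workflow (also `timeout-minutes: 210`) and in the lightwalletd and zcash-params builds, whose timeouts are commented out.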
@ -33,9 +33,9 @@ env:
|
|||
RUST_LIB_BACKTRACE: full
|
||||
COLORBT_SHOW_HIDDEN: '1'
|
||||
NETWORK: Mainnet
|
||||
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
|
||||
GAR_BASE: us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/zebra
|
||||
GCR_BASE: gcr.io/${{ secrets.GCP_PROJECT_ID }}
|
||||
PROJECT_ID: zealous-zebra
|
||||
GAR_BASE: us-docker.pkg.dev/zealous-zebra/zebra
|
||||
GCR_BASE: gcr.io/zealous-zebra
|
||||
REGION: us-central1
|
||||
ZONE: us-central1-a
|
||||
MACHINE_TYPE: c2d-standard-4
|
||||
|
@ -46,6 +46,9 @@ jobs:
|
|||
name: Build images
|
||||
timeout-minutes: 210
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: 'read'
|
||||
id-token: 'write'
|
||||
steps:
|
||||
- uses: actions/checkout@v3.0.0
|
||||
with:
|
||||
|
@ -78,19 +81,27 @@ jobs:
|
|||
id: buildx
|
||||
uses: docker/setup-buildx-action@v1
|
||||
|
||||
- name: Authenticate to Google Cloud
|
||||
id: auth
|
||||
uses: google-github-actions/auth@v0.6.0
|
||||
with:
|
||||
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
|
||||
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
|
||||
token_format: 'access_token'
|
||||
|
||||
- name: Login to Google Artifact Registry
|
||||
uses: docker/login-action@v1.14.1
|
||||
with:
|
||||
registry: us-docker.pkg.dev
|
||||
username: _json_key
|
||||
password: ${{ secrets.GOOGLE_CREDENTIALS }}
|
||||
username: oauth2accesstoken
|
||||
password: ${{ steps.auth.outputs.access_token }}
|
||||
|
||||
- name: Login to Google Container Registry
|
||||
uses: docker/login-action@v1.14.1
|
||||
with:
|
||||
registry: gcr.io
|
||||
username: _json_key
|
||||
password: ${{ secrets.GOOGLE_CREDENTIALS }}
|
||||
username: oauth2accesstoken
|
||||
password: ${{ steps.auth.outputs.access_token }}
|
||||
|
||||
# Build and push image to Google Artifact Registry
|
||||
- name: Build & push
|
||||
|
@ -205,6 +216,9 @@ jobs:
|
|||
needs: build
|
||||
outputs:
|
||||
any_changed: ${{ steps.changed-files-specific.outputs.any_changed }}
|
||||
permissions:
|
||||
contents: 'read'
|
||||
id-token: 'write'
|
||||
steps:
|
||||
- uses: actions/checkout@v3.0.0
|
||||
with:
|
||||
|
@ -242,9 +256,11 @@ jobs:
|
|||
# Setup gcloud CLI
|
||||
- name: Authenticate to Google Cloud
|
||||
id: auth
|
||||
uses: google-github-actions/auth@v0.5.0
|
||||
uses: google-github-actions/auth@v0.6.0
|
||||
with:
|
||||
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
|
||||
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
|
||||
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
|
||||
token_format: 'access_token'
|
||||
|
||||
# Check if our destination compute instance exists and delete it
|
||||
- name: Delete existing instance with same SHA
|
||||
|
@ -344,6 +360,9 @@ jobs:
|
|||
name: Test full validation sync from cached state
|
||||
runs-on: ubuntu-latest
|
||||
needs: [ build, regenerate-stateful-disks]
|
||||
permissions:
|
||||
contents: 'read'
|
||||
id-token: 'write'
|
||||
steps:
|
||||
- uses: actions/checkout@v3.0.0
|
||||
with:
|
||||
|
@ -359,9 +378,11 @@ jobs:
|
|||
# Setup gcloud CLI
|
||||
- name: Authenticate to Google Cloud
|
||||
id: auth
|
||||
uses: google-github-actions/auth@v0.5.0
|
||||
uses: google-github-actions/auth@v0.6.0
|
||||
with:
|
||||
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
|
||||
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
|
||||
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
|
||||
token_format: 'access_token'
|
||||
|
||||
# Check if our destination compute instance exists and delete it
|
||||
- name: Delete existing instance with same SHA
|
||||
|
|
|
@ -21,15 +21,18 @@ on:
|
|||
- '.github/workflows/zcash-lightwalletd.yml'
|
||||
|
||||
env:
|
||||
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
|
||||
GAR_BASE: us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/zebra
|
||||
GCR_BASE: gcr.io/${{ secrets.GCP_PROJECT_ID }}
|
||||
PROJECT_ID: zealous-zebra
|
||||
GAR_BASE: us-docker.pkg.dev/zealous-zebra/zebra
|
||||
GCR_BASE: gcr.io/zealous-zebra
|
||||
IMAGE_NAME: lightwalletd
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Build images
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: 'read'
|
||||
id-token: 'write'
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v3.0.0
|
||||
|
@ -64,13 +67,6 @@ jobs:
|
|||
type=semver,pattern={{major}}
|
||||
type=sha
|
||||
|
||||
# Setup gcloud CLI
|
||||
- name: Authenticate to Google Cloud
|
||||
id: auth
|
||||
uses: google-github-actions/auth@v0.6.0
|
||||
with:
|
||||
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
|
||||
|
||||
- name: Set up QEMU
|
||||
id: qemu
|
||||
uses: docker/setup-qemu-action@v1
|
||||
|
@ -83,12 +79,21 @@ jobs:
|
|||
id: buildx
|
||||
uses: docker/setup-buildx-action@v1
|
||||
|
||||
# Setup gcloud CLI
|
||||
- name: Authenticate to Google Cloud
|
||||
id: auth
|
||||
uses: google-github-actions/auth@v0.6.0
|
||||
with:
|
||||
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
|
||||
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
|
||||
token_format: 'access_token'
|
||||
|
||||
- name: Login to Google Artifact Registry
|
||||
uses: docker/login-action@v1.14.1
|
||||
with:
|
||||
registry: us-docker.pkg.dev
|
||||
username: _json_key
|
||||
password: ${{ secrets.GOOGLE_CREDENTIALS }}
|
||||
username: oauth2accesstoken
|
||||
password: ${{ steps.auth.outputs.access_token }}
|
||||
|
||||
# Build and push image to Google Artifact Registry
|
||||
- name: Build & push
|
||||
|
|
|
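Review bot: Hunk `@ -83,12 +79,21 @@` repeats the literal `workload_identity_provider` path and `service_account` email that already appear verbatim in every other auth step of this commit, while the top of this same workflow (hunk `@ -21,15 +21,18 @@`) hoists `PROJECT_ID`, `GAR_BASE` and `GCR_BASE` into `env:`. Declaring the two values once there, `WIF_PROVIDER: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'` and `WIF_SERVICE_ACCOUNT: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'`, and referencing them as `workload_identity_provider: ${{ env.WIF_PROVIDER }}` keeps a future pool or service-account rotation to a one-line change per workflow. The zcash-params workflow in this commit has the same duplication.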
@ -16,9 +16,9 @@ on:
|
|||
|
||||
env:
|
||||
CARGO_INCREMENTAL: '1'
|
||||
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
|
||||
GAR_BASE: us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/zebra
|
||||
GCR_BASE: gcr.io/${{ secrets.GCP_PROJECT_ID }}
|
||||
PROJECT_ID: zealous-zebra
|
||||
GAR_BASE: us-docker.pkg.dev/zealous-zebra/zebra
|
||||
GCR_BASE: gcr.io/zealous-zebra
|
||||
IMAGE_NAME: zcash-params
|
||||
|
||||
jobs:
|
||||
|
@ -27,6 +27,9 @@ jobs:
|
|||
# TODO: remove timeout until we have an average build time
|
||||
# timeout-minutes: 180
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: 'read'
|
||||
id-token: 'write'
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v3.0.0
|
||||
|
@ -54,13 +57,6 @@ jobs:
|
|||
type=semver,pattern={{major}}
|
||||
type=sha
|
||||
|
||||
# Setup gcloud CLI
|
||||
- name: Authenticate to Google Cloud
|
||||
id: auth
|
||||
uses: google-github-actions/auth@v0.6.0
|
||||
with:
|
||||
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
|
||||
|
||||
- name: Set up QEMU
|
||||
id: qemu
|
||||
uses: docker/setup-qemu-action@v1
|
||||
|
@ -73,12 +69,21 @@ jobs:
|
|||
id: buildx
|
||||
uses: docker/setup-buildx-action@v1
|
||||
|
||||
# Setup gcloud CLI
|
||||
- name: Authenticate to Google Cloud
|
||||
id: auth
|
||||
uses: google-github-actions/auth@v0.6.0
|
||||
with:
|
||||
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
|
||||
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
|
||||
token_format: 'access_token'
|
||||
|
||||
- name: Login to Google Artifact Registry
|
||||
uses: docker/login-action@v1.14.1
|
||||
with:
|
||||
registry: us-docker.pkg.dev
|
||||
username: _json_key
|
||||
password: ${{ secrets.GOOGLE_CREDENTIALS }}
|
||||
username: oauth2accesstoken
|
||||
password: ${{ steps.auth.outputs.access_token }}
|
||||
|
||||
# Build and push image to Google Artifact Registry
|
||||
- name: Build & push
|
||||
|
|
|
@ -9,7 +9,7 @@ on:
|
|||
default: 10
|
||||
|
||||
env:
|
||||
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
|
||||
PROJECT_ID: zealous-zebra
|
||||
REGION: us-central1
|
||||
ZONE: us-central1-a
|
||||
MACHINE_TYPE: c2-standard-4
|
||||
|
@ -19,6 +19,9 @@ jobs:
|
|||
name: Deploy zcashd nodes
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 30
|
||||
permissions:
|
||||
contents: 'read'
|
||||
id-token: 'write'
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v3.0.0
|
||||
|
@ -29,11 +32,13 @@ jobs:
|
|||
uses: rlespinasse/github-slug-action@v4
|
||||
|
||||
# Setup gcloud CLI
|
||||
- name: Set up gcloud SDK environment
|
||||
uses: google-github-actions/setup-gcloud@v0.6.0
|
||||
- name: Authenticate to Google Cloud
|
||||
id: auth
|
||||
uses: google-github-actions/auth@v0.6.0
|
||||
with:
|
||||
project_id: ${{ env.PROJECT_ID }}
|
||||
service_account_key: ${{ secrets.GCLOUD_AUTH }}
|
||||
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
|
||||
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
|
||||
token_format: 'access_token'
|
||||
|
||||
# Create instance template from container image
|
||||
- name: Create instance template
|
||||
|
|
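Review bot: Hunk `@ -29,11 +32,13 @@` removes the `Set up gcloud SDK environment` step entirely and keeps only the `auth` step, so the `Create instance template` step below (its `run:` body is outside the hunk) now depends on the gcloud preinstalled in the runner image and on auth@v0.6.0 exporting its credential file and `project_id` in a form that gcloud picks up; I believe the action does this, but it deserves a comment at the auth step, `# no setup-gcloud step: auth exports the credential file and project that the preinstalled gcloud reads`, so the next person does not re-add a key-based setup step. The first workflow in this commit makes the same removal but without `project_id`, so the two should agree on one form.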