refactor(ci): use improved OIDC for gcloud authentication (#3885)

* refactor(ci): use improved OIDC authentication

* fix(ci): standardize OIDC on all required jobs

* fix: wrong indentation

* fix(ci): remove non-existent dependency in clean job
This commit is contained in:
Gustavo Valverde 2022-03-18 17:25:35 -04:00 committed by GitHub
parent b4deca2912
commit e1eb916b6d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 134 additions and 73 deletions


@ -14,9 +14,9 @@ on:
env: env:
CARGO_INCREMENTAL: '1' CARGO_INCREMENTAL: '1'
NETWORK: Mainnet NETWORK: Mainnet
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }} PROJECT_ID: zealous-zebra
GAR_BASE: us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/zebra GAR_BASE: us-docker.pkg.dev/zealous-zebra/zebra
GCR_BASE: gcr.io/${{ secrets.GCP_PROJECT_ID }} GCR_BASE: gcr.io/zealous-zebra
REGION: us-central1 REGION: us-central1
ZONE: us-central1-a ZONE: us-central1-a
MACHINE_TYPE: c2-standard-4 MACHINE_TYPE: c2-standard-4
@ -27,6 +27,9 @@ jobs:
# TODO: remove timeout until we have an average build time # TODO: remove timeout until we have an average build time
# timeout-minutes: 180 # timeout-minutes: 180
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: 'read'
id-token: 'write'
steps: steps:
- uses: actions/checkout@v3.0.0 - uses: actions/checkout@v3.0.0
@ -60,7 +63,9 @@ jobs:
id: auth id: auth
uses: google-github-actions/auth@v0.6.0 uses: google-github-actions/auth@v0.6.0
with: with:
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }} workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
token_format: 'access_token'
- name: Set up QEMU - name: Set up QEMU
id: qemu id: qemu
@ -78,15 +83,15 @@ jobs:
uses: docker/login-action@v1.14.1 uses: docker/login-action@v1.14.1
with: with:
registry: us-docker.pkg.dev registry: us-docker.pkg.dev
username: _json_key username: oauth2accesstoken
password: ${{ secrets.GOOGLE_CREDENTIALS }} password: ${{ steps.auth.outputs.access_token }}
- name: Login to Google Container Registry - name: Login to Google Container Registry
uses: docker/login-action@v1.14.1 uses: docker/login-action@v1.14.1
with: with:
registry: gcr.io registry: gcr.io
username: _json_key username: oauth2accesstoken
password: ${{ secrets.GOOGLE_CREDENTIALS }} password: ${{ steps.auth.outputs.access_token }}
# Build and push image to Google Artifact Registry # Build and push image to Google Artifact Registry
- name: Build & push - name: Build & push
@ -118,6 +123,9 @@ jobs:
needs: build needs: build
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 30 timeout-minutes: 30
permissions:
contents: 'read'
id-token: 'write'
if: ${{ github.event_name == 'push' && github.ref_name == 'main' }} if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
steps: steps:
@ -133,12 +141,9 @@ jobs:
id: auth id: auth
uses: google-github-actions/auth@v0.6.0 uses: google-github-actions/auth@v0.6.0
with: with:
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }} workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
- name: Set up gcloud SDK environment token_format: 'access_token'
uses: google-github-actions/setup-gcloud@v0.6.0
with:
project_id: ${{ env.PROJECT_ID }}
- name: Create instance template - name: Create instance template
run: | run: |
@ -184,6 +189,9 @@ jobs:
needs: build needs: build
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 30 timeout-minutes: 30
permissions:
contents: 'read'
id-token: 'write'
if: github.event_name == 'workflow_dispatch' if: github.event_name == 'workflow_dispatch'
steps: steps:
@ -199,12 +207,9 @@ jobs:
id: auth id: auth
uses: google-github-actions/auth@v0.6.0 uses: google-github-actions/auth@v0.6.0
with: with:
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }} workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
- name: Set up gcloud SDK environment token_format: 'access_token'
uses: google-github-actions/setup-gcloud@v0.6.0
with:
project_id: ${{ env.PROJECT_ID }}
# Create instance template from container image # Create instance template from container image
- name: Manual deploy of a single instance running zebrad - name: Manual deploy of a single instance running zebrad
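Review bot: Dropping `credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}` from the three auth steps only stops the workflows from using the JSON key; the key itself remains a valid long-lived credential for `github-service-account@zealous-zebra.iam.gserviceaccount.com` until it is deleted, so the exposure this migration is meant to remove persists until that follow-up happens. Once the OIDC path is confirmed working on `main`, delete the key from the service account (`gcloud iam service-accounts keys delete … --iam-account=github-service-account@zealous-zebra.iam.gserviceaccount.com`) and remove the now-unused `GOOGLE_CREDENTIALS` repository secret so it cannot be resurrected by a later edit. The `Create instance template` and `Manual deploy` steps begin at the hunk boundaries and their `run:` bodies are outside the view, so I cannot check what they do with the credentials.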


@ -9,7 +9,7 @@ on:
env: env:
NETWORK: Mainnet NETWORK: Mainnet
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }} PROJECT_ID: zealous-zebra
REGION: us-central1 REGION: us-central1
ZONE: us-central1-a ZONE: us-central1-a
@ -17,7 +17,9 @@ jobs:
delete: delete:
name: Delete test deployments name: Delete test deployments
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: [ build ] permissions:
contents: 'read'
id-token: 'write'
steps: steps:
- uses: actions/checkout@v2.4.0 - uses: actions/checkout@v2.4.0
with: with:
@ -29,9 +31,11 @@ jobs:
# Setup gcloud CLI # Setup gcloud CLI
- name: Authenticate to Google Cloud - name: Authenticate to Google Cloud
id: auth id: auth
uses: google-github-actions/auth@v0.5.0 uses: google-github-actions/auth@v0.6.0
with: with:
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }} workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
token_format: 'access_token'
- name: Delete test instance - name: Delete test instance
continue-on-error: true continue-on-error: true
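Review bot: With Workload Identity Federation, the only thing preventing an arbitrary GitHub repository from impersonating this service account is configuration that is not in the workflow: the attribute condition on the `github-oidc` provider and the scope of the `roles/iam.workloadIdentityUser` binding. Because this job deletes compute instances, it is worth confirming the binding is a `principalSet://…/attribute.repository/…`-scoped member for this repository only (not the whole pool) and that the provider restricts `assertion.repository`; the workflow cannot enforce this itself. Recording the expectation next to the step helps the next maintainer, e.g. `# Relies on the WIF provider restricting assertion.repository to this repo; otherwise any repo could mint tokens for this SA.` The `Delete test instance` step starts at the hunk boundary and its body is outside the view.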


@ -29,9 +29,9 @@ env:
RUST_LIB_BACKTRACE: full RUST_LIB_BACKTRACE: full
COLORBT_SHOW_HIDDEN: '1' COLORBT_SHOW_HIDDEN: '1'
NETWORK: Mainnet NETWORK: Mainnet
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }} PROJECT_ID: zealous-zebra
GAR_BASE: us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/zebra GAR_BASE: us-docker.pkg.dev/zealous-zebra/zebra
GCR_BASE: gcr.io/${{ secrets.GCP_PROJECT_ID }} GCR_BASE: gcr.io/zealous-zebra
REGION: us-central1 REGION: us-central1
ZONE: us-central1-a ZONE: us-central1-a
MACHINE_TYPE: c2d-standard-16 MACHINE_TYPE: c2d-standard-16
@ -45,6 +45,9 @@ jobs:
name: Build images name: Build images
timeout-minutes: 210 timeout-minutes: 210
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: 'read'
id-token: 'write'
steps: steps:
- uses: actions/checkout@v3.0.0 - uses: actions/checkout@v3.0.0
with: with:
@ -77,19 +80,27 @@ jobs:
id: buildx id: buildx
uses: docker/setup-buildx-action@v1 uses: docker/setup-buildx-action@v1
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v0.6.0
with:
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
token_format: 'access_token'
- name: Login to Google Artifact Registry - name: Login to Google Artifact Registry
uses: docker/login-action@v1.14.1 uses: docker/login-action@v1.14.1
with: with:
registry: us-docker.pkg.dev registry: us-docker.pkg.dev
username: _json_key username: oauth2accesstoken
password: ${{ secrets.GOOGLE_CREDENTIALS }} password: ${{ steps.auth.outputs.access_token }}
- name: Login to Google Container Registry - name: Login to Google Container Registry
uses: docker/login-action@v1.14.1 uses: docker/login-action@v1.14.1
with: with:
registry: gcr.io registry: gcr.io
username: _json_key username: oauth2accesstoken
password: ${{ secrets.GOOGLE_CREDENTIALS }} password: ${{ steps.auth.outputs.access_token }}
# Build and push image to Google Artifact Registry # Build and push image to Google Artifact Registry
- name: Build & push - name: Build & push
@ -120,6 +131,9 @@ jobs:
name: Test full Mainnet sync name: Test full Mainnet sync
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: [ build ] needs: [ build ]
permissions:
contents: 'read'
id-token: 'write'
steps: steps:
- uses: actions/checkout@v3.0.0 - uses: actions/checkout@v3.0.0
with: with:
@ -131,9 +145,11 @@ jobs:
# Setup gcloud CLI # Setup gcloud CLI
- name: Authenticate to Google Cloud - name: Authenticate to Google Cloud
id: auth id: auth
uses: google-github-actions/auth@v0.5.0 uses: google-github-actions/auth@v0.6.0
with: with:
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }} workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
token_format: 'access_token'
# Check if our destination compute instance exists and delete it # Check if our destination compute instance exists and delete it
- name: Delete existing instance with same SHA - name: Delete existing instance with same SHA
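Review bot: The `Build images` job keeps `timeout-minutes: 210`, but the registry logins now store `steps.auth.outputs.access_token`, which the auth action mints with a one-hour lifetime by default, whereas the `_json_key` login it replaces never expired; a build that runs past the hour will reach the push phase of `Build & push` with an expired credential and fail with an authorization error that will look intermittent. If builds can exceed an hour, either keep them under the token lifetime, or split image build from push and re-run the auth and login steps immediately before pushing; a longer `access_token_lifetime` is only possible where the org policy allowing credential-lifetime extension is enabled, which I cannot see from here. The `Delete existing instance with same SHA` step starts at the hunk boundary and its body is outside the view.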


@ -33,9 +33,9 @@ env:
RUST_LIB_BACKTRACE: full RUST_LIB_BACKTRACE: full
COLORBT_SHOW_HIDDEN: '1' COLORBT_SHOW_HIDDEN: '1'
NETWORK: Mainnet NETWORK: Mainnet
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }} PROJECT_ID: zealous-zebra
GAR_BASE: us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/zebra GAR_BASE: us-docker.pkg.dev/zealous-zebra/zebra
GCR_BASE: gcr.io/${{ secrets.GCP_PROJECT_ID }} GCR_BASE: gcr.io/zealous-zebra
REGION: us-central1 REGION: us-central1
ZONE: us-central1-a ZONE: us-central1-a
MACHINE_TYPE: c2d-standard-4 MACHINE_TYPE: c2d-standard-4
@ -46,6 +46,9 @@ jobs:
name: Build images name: Build images
timeout-minutes: 210 timeout-minutes: 210
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: 'read'
id-token: 'write'
steps: steps:
- uses: actions/checkout@v3.0.0 - uses: actions/checkout@v3.0.0
with: with:
@ -78,19 +81,27 @@ jobs:
id: buildx id: buildx
uses: docker/setup-buildx-action@v1 uses: docker/setup-buildx-action@v1
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v0.6.0
with:
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
token_format: 'access_token'
- name: Login to Google Artifact Registry - name: Login to Google Artifact Registry
uses: docker/login-action@v1.14.1 uses: docker/login-action@v1.14.1
with: with:
registry: us-docker.pkg.dev registry: us-docker.pkg.dev
username: _json_key username: oauth2accesstoken
password: ${{ secrets.GOOGLE_CREDENTIALS }} password: ${{ steps.auth.outputs.access_token }}
- name: Login to Google Container Registry - name: Login to Google Container Registry
uses: docker/login-action@v1.14.1 uses: docker/login-action@v1.14.1
with: with:
registry: gcr.io registry: gcr.io
username: _json_key username: oauth2accesstoken
password: ${{ secrets.GOOGLE_CREDENTIALS }} password: ${{ steps.auth.outputs.access_token }}
# Build and push image to Google Artifact Registry # Build and push image to Google Artifact Registry
- name: Build & push - name: Build & push
@ -205,6 +216,9 @@ jobs:
needs: build needs: build
outputs: outputs:
any_changed: ${{ steps.changed-files-specific.outputs.any_changed }} any_changed: ${{ steps.changed-files-specific.outputs.any_changed }}
permissions:
contents: 'read'
id-token: 'write'
steps: steps:
- uses: actions/checkout@v3.0.0 - uses: actions/checkout@v3.0.0
with: with:
@ -242,9 +256,11 @@ jobs:
# Setup gcloud CLI # Setup gcloud CLI
- name: Authenticate to Google Cloud - name: Authenticate to Google Cloud
id: auth id: auth
uses: google-github-actions/auth@v0.5.0 uses: google-github-actions/auth@v0.6.0
with: with:
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }} workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
token_format: 'access_token'
# Check if our destination compute instance exists and delete it # Check if our destination compute instance exists and delete it
- name: Delete existing instance with same SHA - name: Delete existing instance with same SHA
@ -344,6 +360,9 @@ jobs:
name: Test full validation sync from cached state name: Test full validation sync from cached state
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: [ build, regenerate-stateful-disks] needs: [ build, regenerate-stateful-disks]
permissions:
contents: 'read'
id-token: 'write'
steps: steps:
- uses: actions/checkout@v3.0.0 - uses: actions/checkout@v3.0.0
with: with:
@ -359,9 +378,11 @@ jobs:
# Setup gcloud CLI # Setup gcloud CLI
- name: Authenticate to Google Cloud - name: Authenticate to Google Cloud
id: auth id: auth
uses: google-github-actions/auth@v0.5.0 uses: google-github-actions/auth@v0.6.0
with: with:
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }} workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
token_format: 'access_token'
# Check if our destination compute instance exists and delete it # Check if our destination compute instance exists and delete it
- name: Delete existing instance with same SHA - name: Delete existing instance with same SHA
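Review bot: Every job in this section — the image build/push, `regenerate-stateful-disks` and the cached-state sync test — impersonates the same `github-service-account`, so the identity that only needs to push to Artifact Registry also carries whatever compute and disk permissions the test jobs hold, and anything that runs inside `docker build` (a compromised crate build script, for instance) inherits all of it. WIF makes separate identities cheap: bind one service account with registry-writer rights for the build job and another with the compute roles for the test jobs, and select it per job via `service_account:`. The job-level `permissions:` blocks with `contents: 'read'` and `id-token: 'write'` are the right minimum for this pattern and should stay as written.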


@ -21,15 +21,18 @@ on:
- '.github/workflows/zcash-lightwalletd.yml' - '.github/workflows/zcash-lightwalletd.yml'
env: env:
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }} PROJECT_ID: zealous-zebra
GAR_BASE: us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/zebra GAR_BASE: us-docker.pkg.dev/zealous-zebra/zebra
GCR_BASE: gcr.io/${{ secrets.GCP_PROJECT_ID }} GCR_BASE: gcr.io/zealous-zebra
IMAGE_NAME: lightwalletd IMAGE_NAME: lightwalletd
jobs: jobs:
build: build:
name: Build images name: Build images
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: 'read'
id-token: 'write'
steps: steps:
- uses: actions/checkout@v3.0.0 - uses: actions/checkout@v3.0.0
@ -64,13 +67,6 @@ jobs:
type=semver,pattern={{major}} type=semver,pattern={{major}}
type=sha type=sha
# Setup gcloud CLI
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v0.6.0
with:
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
- name: Set up QEMU - name: Set up QEMU
id: qemu id: qemu
uses: docker/setup-qemu-action@v1 uses: docker/setup-qemu-action@v1
@ -83,12 +79,21 @@ jobs:
id: buildx id: buildx
uses: docker/setup-buildx-action@v1 uses: docker/setup-buildx-action@v1
# Setup gcloud CLI
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v0.6.0
with:
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
token_format: 'access_token'
- name: Login to Google Artifact Registry - name: Login to Google Artifact Registry
uses: docker/login-action@v1.14.1 uses: docker/login-action@v1.14.1
with: with:
registry: us-docker.pkg.dev registry: us-docker.pkg.dev
username: _json_key username: oauth2accesstoken
password: ${{ secrets.GOOGLE_CREDENTIALS }} password: ${{ steps.auth.outputs.access_token }}
# Build and push image to Google Artifact Registry # Build and push image to Google Artifact Registry
- name: Build & push - name: Build & push
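Review bot: The `# Setup gcloud CLI` comment carried over onto the relocated auth step no longer describes it: the step exchanges the job's GitHub OIDC token for Google Cloud credentials and installs nothing, and its `access_token` output is consumed only by the Artifact Registry login below. Replace it with `# Exchange the job's OIDC token for GCP credentials (Workload Identity Federation); access_token feeds the registry login below` so a reader does not go looking for an SDK install here. The `Build & push` step begins at the hunk boundary and its inputs are outside the view.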


@ -16,9 +16,9 @@ on:
env: env:
CARGO_INCREMENTAL: '1' CARGO_INCREMENTAL: '1'
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }} PROJECT_ID: zealous-zebra
GAR_BASE: us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/zebra GAR_BASE: us-docker.pkg.dev/zealous-zebra/zebra
GCR_BASE: gcr.io/${{ secrets.GCP_PROJECT_ID }} GCR_BASE: gcr.io/zealous-zebra
IMAGE_NAME: zcash-params IMAGE_NAME: zcash-params
jobs: jobs:
@ -27,6 +27,9 @@ jobs:
# TODO: remove timeout until we have an average build time # TODO: remove timeout until we have an average build time
# timeout-minutes: 180 # timeout-minutes: 180
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: 'read'
id-token: 'write'
steps: steps:
- uses: actions/checkout@v3.0.0 - uses: actions/checkout@v3.0.0
@ -54,13 +57,6 @@ jobs:
type=semver,pattern={{major}} type=semver,pattern={{major}}
type=sha type=sha
# Setup gcloud CLI
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v0.6.0
with:
credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
- name: Set up QEMU - name: Set up QEMU
id: qemu id: qemu
uses: docker/setup-qemu-action@v1 uses: docker/setup-qemu-action@v1
@ -73,12 +69,21 @@ jobs:
id: buildx id: buildx
uses: docker/setup-buildx-action@v1 uses: docker/setup-buildx-action@v1
# Setup gcloud CLI
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v0.6.0
with:
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
token_format: 'access_token'
- name: Login to Google Artifact Registry - name: Login to Google Artifact Registry
uses: docker/login-action@v1.14.1 uses: docker/login-action@v1.14.1
with: with:
registry: us-docker.pkg.dev registry: us-docker.pkg.dev
username: _json_key username: oauth2accesstoken
password: ${{ secrets.GOOGLE_CREDENTIALS }} password: ${{ steps.auth.outputs.access_token }}
# Build and push image to Google Artifact Registry # Build and push image to Google Artifact Registry
- name: Build & push - name: Build & push
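Review bot: The newly added auth step is pinned by the mutable tag `google-github-actions/auth@v0.6.0`, and the login that receives its token by `docker/login-action@v1.14.1` (with `docker/setup-buildx-action@v1` floating entirely); this is the step that turns a job-scoped OIDC token into a Google Cloud access token, so a moved tag or a compromised release hands that token to third-party code. Pin the auth and login actions to a full commit SHA with the version in a trailing comment, e.g. `uses: google-github-actions/auth@<full-commit-sha> # v0.6.0`, and let Dependabot bump the SHA. The `Build & push` step begins at the hunk boundary and its inputs are outside the view.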


@ -9,7 +9,7 @@ on:
default: 10 default: 10
env: env:
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }} PROJECT_ID: zealous-zebra
REGION: us-central1 REGION: us-central1
ZONE: us-central1-a ZONE: us-central1-a
MACHINE_TYPE: c2-standard-4 MACHINE_TYPE: c2-standard-4
@ -19,6 +19,9 @@ jobs:
name: Deploy zcashd nodes name: Deploy zcashd nodes
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 30 timeout-minutes: 30
permissions:
contents: 'read'
id-token: 'write'
steps: steps:
- uses: actions/checkout@v3.0.0 - uses: actions/checkout@v3.0.0
@ -29,11 +32,13 @@ jobs:
uses: rlespinasse/github-slug-action@v4 uses: rlespinasse/github-slug-action@v4
# Setup gcloud CLI # Setup gcloud CLI
- name: Set up gcloud SDK environment - name: Authenticate to Google Cloud
uses: google-github-actions/setup-gcloud@v0.6.0 id: auth
uses: google-github-actions/auth@v0.6.0
with: with:
project_id: ${{ env.PROJECT_ID }} workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
service_account_key: ${{ secrets.GCLOUD_AUTH }} service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
token_format: 'access_token'
# Create instance template from container image # Create instance template from container image
- name: Create instance template - name: Create instance template
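Review bot: The replaced `setup-gcloud` step was also what set the default project (`project_id: ${{ env.PROJECT_ID }}`); the new auth step sets no `project_id`, so the `Create instance template` step — whose `run:` body lies past the end of the hunk — now depends on the auth action deriving the project from the service-account email, which I believe v0.6.0 does but cannot confirm from here. Making it explicit costs one line under `with:`, `project_id: ${{ env.PROJECT_ID }}`, and keeps the `PROJECT_ID` env var meaningful. This section also retires a second key secret, `GCLOUD_AUTH`; like the other key it should be deleted from the service account once the OIDC path is verified, not merely left unreferenced.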