Add ID token auth for invoking cloud run service (#707)
* liquibase manual deploy workflow * fixed lint * added cloud run files * fixed credentials typing * added exception * added cloud run config * fixed the image and updated commands * moved liquibase to Dockerfile * added workflow to trigger the schema update * added region param to workflow gcloud calls * added temp dir and cleaned code * amended job name on workflow * added job permissions for google auth * added gcs for cloud build logs * added branch check to restrict to main and dev * added branch check to restrict to main and dev * fixed logical operator for branch check * bumped actions versions and added ID token auth * refactor step ids * reverted to print-identity-token with audiences param
Showing
2 changed files
with
25 additions
and
15 deletions.
@@ -14,7 +14,14 @@ jobs: | |
if: github.ref == 'refs/heads/main' | ||
|
||
steps: | ||
- uses: actions/checkout@v3 | ||
- uses: actions/checkout@v4 | ||
|
||
- id: "branch-check" | ||
name: Fail if branch is not main or dev | ||
if: github.event_name == 'workflow_dispatch' && (github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev') | ||
run: | | ||
echo "This workflow should not be triggered with workflow_dispatch on a branch other than main or dev" | ||
exit 1 | ||
- id: "branch-check" | ||
name: Fail if branch is not main or dev | ||
|
@@ -25,14 +32,14 @@ jobs: | |
- id: "google-cloud-auth" | ||
name: "Authenticate to Google Cloud" | ||
uses: "google-github-actions/auth@v1" | ||
uses: "google-github-actions/auth@v2" | ||
with: | ||
workload_identity_provider: "projects/774248915715/locations/global/workloadIdentityPools/gh-deploy-pool/providers/gh-provider" | ||
service_account: "[email protected]" | ||
|
||
- id: "google-cloud-sdk-setup" | ||
name: "Set up Cloud SDK" | ||
uses: google-github-actions/setup-gcloud@v1 | ||
uses: google-github-actions/setup-gcloud@v2 | ||
|
||
- name: Build image with Cloud Build | ||
run: | | ||
|
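Review bot: The new branch-check step in the first hunk accepts `dev`, but the condition printed just above `steps:`, `if: github.ref == 'refs/heads/main'`, looks like this job's own condition (the job header is outside the hunk); if so the job never runs on dev and the `dev` arm of the check is dead code that misleads the next reader. Either drop `refs/heads/dev` from the step, or make the job condition agree with it: `if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev'`. Separately, the bumped actions are still pinned to mutable major tags (`actions/checkout@v4`, `google-github-actions/auth@v2`, `google-github-actions/setup-gcloud@v2`); for a job that obtains deploy credentials through Workload Identity Federation, pinning each `uses:` to a full commit SHA with the tag in a trailing comment removes the risk of a retargeted tag running foreign code with those credentials.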
@@ -20,7 +20,14 @@ jobs: | |
invoke-cloud-run: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v3 | ||
- uses: actions/checkout@v4 | ||
|
||
- id: "branch-check" | ||
name: Fail if branch is not main or dev | ||
if: github.event_name == 'workflow_dispatch' && (github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev') | ||
run: | | ||
echo "This workflow should not be triggered with workflow_dispatch on a branch other than main or dev" | ||
exit 1 | ||
- id: "branch-check" | ||
name: Fail if branch is not main or dev | ||
|
@@ -31,22 +38,18 @@ jobs: | |
- id: "google-cloud-auth" | ||
name: "Authenticate to Google Cloud" | ||
uses: "google-github-actions/auth@v1" | ||
uses: "google-github-actions/auth@v2" | ||
with: | ||
workload_identity_provider: "projects/774248915715/locations/global/workloadIdentityPools/gh-deploy-pool/providers/gh-provider" | ||
service_account: "[email protected]" | ||
|
||
- id: "google-cloud-sdk-setup" | ||
name: "Set up Cloud SDK" | ||
uses: google-github-actions/setup-gcloud@v1 | ||
|
||
- id: get_url | ||
name: Get Cloud Run service URL | ||
run: | | ||
echo "CLOUD_RUN_URL=$(gcloud run services describe schema-updater --region australia-southeast1 --format 'value(status.url)')/execute-liquibase?environment=${{ github.event.inputs.environment }}" >> $GITHUB_ENV | ||
uses: google-github-actions/setup-gcloud@v2 | ||
|
||
- name: Manual Trigger - Invoke Cloud Run | ||
- id: "invoke-cloud-run" | ||
name: "Invoke Cloud Run" | ||
run: | | ||
curl -X POST -H "Authorization: Bearer $(gcloud auth print-identity-token)" -H "Content-Type: application/xml" --data-binary "@db/project.xml" $CLOUD_RUN_URL | ||
env: | ||
CLOUD_RUN_URL: ${{ env.CLOUD_RUN_URL }} | ||
CLOUD_RUN_URL=$(gcloud run services describe schema-updater --region australia-southeast1 --format 'value(status.url)')/execute-liquibase?environment=${{ github.event.inputs.environment }}" | ||
TOKEN=$(gcloud auth print-identity-token --impersonate-service-account="[email protected]" --audiences="$CLOUD_RUN_URL" --include-email) | ||
curl -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/xml" --data-binary "@db/project.xml" $CLOUD_RUN_URL |
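Review bot: The first line of the new `run:` block ends in an unmatched `"` after `${{ github.event.inputs.environment }}` (the `echo "CLOUD_RUN_URL=` that opened it was dropped from the old step), so as rendered the shell parses the quote as the start of a string that runs into the next line, and `CLOUD_RUN_URL` will not hold the intended value. The same line interpolates the workflow_dispatch input directly into shell source, which is the GitHub expression-injection pattern; passing it through `env:` and referencing `"$ENVIRONMENT"` keeps it as data. `curl` also lacks `--fail`, so a 401/403 from Cloud Run IAM or an error from the Liquibase endpoint still exits 0 and the job goes green; and the `--audiences` value carries the path and query string, whereas Cloud Run's documented audience is the service URL itself, so confirm the path form is actually accepted before relying on it. The rewritten step below fixes the quoting, moves the input to `env:`, derives the audience from the bare service URL, and quotes `$CLOUD_RUN_URL`.

```yaml
      env:
        ENVIRONMENT: ${{ github.event.inputs.environment }}
      run: |
        SERVICE_URL=$(gcloud run services describe schema-updater --region australia-southeast1 --format 'value(status.url)')
        CLOUD_RUN_URL="${SERVICE_URL}/execute-liquibase?environment=${ENVIRONMENT}"
        # Audience is the service URL; confirm with Cloud Run IAM docs if a path/query form is required.
        TOKEN=$(gcloud auth print-identity-token --impersonate-service-account="[email protected]" --audiences="$SERVICE_URL" --include-email)
        curl --fail -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/xml" --data-binary "@db/project.xml" "$CLOUD_RUN_URL"
```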