erzz · erzz · May 9, 2022 · May 9, 2022 · May 9, 2022 · May 9, 2022
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -1,15 +1,28 @@
 name: Tests
 on: push
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
-  # <---------------- TEST BASIC CONFIG ------------------>
   basic:
-    name: Basic
+    name: SA Key
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v3
 
+      - name: debug
+        run: |
+          echo "${{ secrets.TEST_PROJECT }}" >> project.txt
+          echo "${{ secrets.TEST_SA }}" >> project.txt
+
+      - uses: actions/upload-artifact@v3
+        with:
+          name: project
+          path: project.txt
+
       - name: Start
         uses: ./
         with:
@@ -38,3 +51,41 @@ jobs:
           result: ${{ steps.deploy.outcome }}
           version: ${{ github.ref }}
 
+  oidc:
+    name: OIDC
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Start
+        uses: ./
+        with:
+          gcp-auth-type: oidc
+          google-cloud-project: ${{ secrets.TEST_PROJECT }}
+          team: google-dep-metrics
+          service: action-app-oidc
+          environment: test
+          status: started
+          result: pending
+          version: ${{ github.ref }}
+          service-account: ${{ secrets.OIDC_SA_EMAIL }}
+          workload-identity-provider: ${{ secrets.WIP }}
+
+      - name: Fake deploy
+        id: deploy
+        run: echo "Deployed"
+
+      - name: Finish
+        uses: ./
+        with:
+          gcp-auth-type: oidc
+          service-account: ${{ secrets.OIDC_SA_EMAIL }}
+          workload-identity-provider: ${{ secrets.WIP }}
+          google-cloud-project: ${{ secrets.TEST_PROJECT }}
+          team: google-dep-metrics
+          service: action-app-oidc
+          environment: test
+          status: finished
+          result: ${{ steps.deploy.outcome }}
+          version: ${{ github.ref }}
diff --git a/action.yml b/action.yml
@@ -5,12 +5,24 @@ branding:
   color: blue
   icon: bar-chart
 inputs:
+  # <----------- SELECT AUTHENTICATION METHOD ------------>
+  gcp-auth-type:
+    required: false
+    description: "GCP Authentication is using Service Account Key by default. Specify `oidc` if you wish to use Open ID Connect authentication instead."
+    default: "sa-key"
+  service-account-keyfile:
+    description: "A secret holding the service account keyfile used when `gcp-auth-type` is `sa-key`"
+    required: false
+  service-account:
+    description: "The service acount to impersonate when `gcp-auth-type` is `oidc`"
+    required: false
+  workload-identity-provider:
+    description: "The workload identity provider to utilise when `gcp-auth-type` is `oidc`"
+    required: false
+  # <------------------ METRICS INPUTS ------------------->
   google-cloud-project:
     description: "The Google Cloud project_id to which the metrics should be sent"
     required: true
-  service-account-keyfile:
-    description: "A secret holding the service account keyfile to use for authentication with your project"
-    required: true
   team:
     description: "The name of the team the deployed service belongs to."
     required: true
@@ -36,11 +48,29 @@ inputs:
 runs:
   using: "composite"
   steps:
+    - name: Authenticate to GCP (OIDC)
+      id: oidc
+      if: ${{ inputs.gcp-auth-type == 'oidc' }}
+      uses: google-github-actions/auth@v0
+      with:
+        workload_identity_provider: ${{ inputs.workload-identity-provider }}
+        service_account: ${{ inputs.service-account }}
+        create_credentials_file: true
+        export_environment_variables: true
+
+    - name: Authenticate to GCP (SA Key)
+      id: sa-key
+      if: ${{ inputs.gcp-auth-type == 'sa-key' }}
+      uses: google-github-actions/auth@v0
+      with:
+        credentials_json: ${{ inputs.service-account-keyfile }}
+        create_credentials_file: true
+        export_environment_variables: true
+
     - name: Send metric
       shell: bash
       env:
         GOOGLE_CLOUD_PROJECT: ${{ inputs.google-cloud-project }}
-        SA_KEY: ${{ inputs.service-account-keyfile }}
         TEAM: ${{ inputs.team}}
         SERVICE: ${{ inputs.service }}
         ENVIRONMENT: ${{ inputs.environment }}
@@ -49,7 +79,16 @@ runs:
         VERSION: ${{ inputs.version }}
         METRIC_VALUE: ${{ inputs.metric-value }}
       run: |
-        echo "$SA_KEY" > $(pwd)/sa.json
-        export GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/sa.json
+        if [[ "${{ inputs.gcp-auth-type }}" == "oidc" ]]; then
+          echo "Detected OIDC Authentication"
+          export GOOGLE_APPLICATION_CREDENTIALS=${{ steps.oidc.outputs.credentials_file_path }}
+        elif [[ "${{ inputs.gcp-auth-type }}" == "sa-key" ]]; then
+          echo "Detected Service Account Key Authentication"
+          export GOOGLE_APPLICATION_CREDENTIALS=${{ steps.sa-key.outputs.credentials_file_path }}
+        else
+          echo "Could not determine the path to the credentials file, exiting." && exit 1
+        fi
+
+        # Send metric
         python -m pip install google-cloud-monitoring
-        python3 ${{ github.action_path }}/push_deploy_metric.py --team "$TEAM" --service "$SERVICE" --environment "$ENVIRONMENT" --status "$STATUS" --result "$RESULT" --version "$VERSION" --metric-value "$METRIC_VALUE"
+        python3 ${{ github.action_path }}/push_deploy_metric.py --auth-type "${{ inputs.gcp-auth-type }}" --team "$TEAM" --service "$SERVICE" --environment "$ENVIRONMENT" --status "$STATUS" --result "$RESULT" --version "$VERSION" --metric-value "$METRIC_VALUE"
diff --git a/push_deploy_metric.py b/push_deploy_metric.py
@@ -2,7 +2,7 @@
 import pprint
 import time
 import argparse
-from google.oauth2 import service_account
+import google.auth
 from google.cloud import monitoring_v3
 
 parser = argparse.ArgumentParser()
@@ -14,12 +14,12 @@
 parser.add_argument("--result", action="store", dest="dep_result", help="One of 'queued' 'pending' 'error' 'in_progress' 'failure' 'inactive' or 'success'", type=str)
 parser.add_argument("--version", action="store", dest="dep_version", help="The version or commit being deployed", type=str)
 parser.add_argument("--metric-value", action="store", dest="metric_value", help="The count to give for this deployment status - usually 1", type=int)
+parser.add_argument("--auth-type", action="store", dest="auth_type", help="One of either sa-key or oidc to determine the type of authentication file provided", type=str)
 args = parser.parse_args()
 
 project_id = os.environ["GOOGLE_CLOUD_PROJECT"]
 
-credentials = service_account.Credentials.from_service_account_file(
-    os.environ["GOOGLE_APPLICATION_CREDENTIALS"])
+credentials, project_id = google.auth.default()
 
 print(f"Using service account {credentials.service_account_email} for {project_id}")