diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index b646de04..6341e03b 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -16,8 +16,6 @@ on:
 required: false
 ssh_private_key:
 required: true
- credentials_json:
- required: false
 apple_app_specific_password:
 required: false
 fastlane_password:
@@ -347,6 +345,9 @@ jobs:
 # if: github.ref == 'refs/heads/main'
 needs:
 - build
+ permissions:
+ id-token: write
+ contents: read
 steps:
 ### Checking out our Repo to get pyproject.toml and other files
 - uses: actions/checkout@v3
@@ -358,12 +359,13 @@ jobs:
 - name: List
 run: ls -la
- ### Authenticating with gcloud
+ ### Authenticating with gcloud via keyless Workload Identity Federation
 - name: Authenticate with Google cloud
- uses: google-github-actions/auth@v2
+ uses: google-github-actions/auth@v3
 with:
- credentials_json: ${{ secrets.credentials_json }}
- project_id: ${{ inputs.project_id }}
+ project_id: integration-server-326115
+ workload_identity_provider: projects/497784144587/locations/global/workloadIdentityPools/github-pool/providers/github-provider
+ service_account: github-actions@integration-server-326115.iam.gserviceaccount.com
 create_credentials_file: true
 ### Setting up gcloud cli
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index b4cd1890..5d14ea33 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -8,6 +8,9 @@ on:
 jobs:
 build:
 uses: ./.github/workflows/build.yaml
+ permissions:
+ id-token: write
+ contents: read
 with:
 deploy: true
 secrets:
@@ -15,7 +18,6 @@ jobs:
 pypi_token: ${{ secrets.PYPI_TOKEN }}
 pypi_test_token: ${{ secrets.PYPI_TEST_TOKEN }}
 ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY }}
- credentials_json: ${{ secrets.GCP_CREDENTIALS }}
 apple_app_specific_password: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
 fastlane_password: ${{ secrets.FASTLANE_PASSWORD }}
 match_password: ${{ secrets.MATCH_PASSWORD }}
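Review bot: The deploy job now gets `id-token: write`, but the branch guard directly above the new block is still commented out (`# if: github.ref == 'refs/heads/main'`), so every event that reaches this job can mint a GitHub OIDC token for the workload identity provider. Whether that token can actually impersonate the service account depends on the provider's attribute condition, which this diff does not show; unless that condition pins `assertion.repository` and `assertion.ref` to this repository's release branch, restore the guard as `if: github.ref == 'refs/heads/main'` next to the `permissions:` block. The job header and its remaining steps lie outside this hunk.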
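Review bot: `uses: google-github-actions/auth@v3` is the step that hands the job its cloud credentials, yet it is pinned only to a mutable major tag (as is `actions/checkout@v3` above it), so a compromised or force-moved tag would expose the federated token; pin it to a full commit SHA with the version as a trailing comment, e.g. `uses: google-github-actions/auth@<full-commit-sha> # v3`. Removing the `credentials_json` reference does not retire the service-account key it carried, so the repository secret that fed it (`GCP_CREDENTIALS` in the calling workflows) should be deleted and the key revoked in IAM as part of this migration. `project_id` also changed from `${{ inputs.project_id }}` to a hard-coded value, so the `project_id` workflow input (declared outside this hunk, if still present) is now silently ignored; either remove that input or keep `project_id: ${{ inputs.project_id }}` so callers can still select the project.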
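Review bot: Setting `contents: read` on the caller job caps what the reusable `build.yaml` can do with `GITHUB_TOKEN` for this release run, because a called workflow cannot exceed the permissions its caller grants; any step in build.yaml that creates a GitHub release, pushes a tag, or uploads assets with the default token would now fail with a 403. Whether such a step exists is not visible in this diff — if it does, this job needs `contents: write`; if not, this is the right minimal set and is worth recording with a comment such as `# least privilege: only the OIDC token for GCP WIF and read-only checkout`. The trigger block for this workflow starts before the hunk.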
diff --git a/.github/workflows/staging.yaml b/.github/workflows/staging.yaml
index abdfff27..5ae14c9c 100644
--- a/.github/workflows/staging.yaml
+++ b/.github/workflows/staging.yaml
@@ -9,6 +9,9 @@ on:
 jobs:
 build:
 uses: ./.github/workflows/build.yaml
+ permissions:
+ id-token: write
+ contents: read
 with:
 deploy: false
 secrets:
@@ -16,7 +19,6 @@ jobs:
 pypi_token: ${{ secrets.PYPI_TOKEN }}
 pypi_test_token: ${{ secrets.PYPI_TEST_TOKEN }}
 ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY }}
- credentials_json: ${{ secrets.GCP_CREDENTIALS }}
 apple_app_specific_password: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
 fastlane_password: ${{ secrets.FASTLANE_PASSWORD }}
 match_password: ${{ secrets.MATCH_PASSWORD }}
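Review bot: This staging run passes `deploy: false` yet still grants `id-token: write` to the called workflow, which is broader than necessary if the GCP deploy job is skipped when `deploy` is false. Whether build.yaml gates that job on the input is not visible here; if it does, drop the `id-token: write` line so non-release runs (notably anything this workflow triggers on pull requests — the `on:` block is cut off above) cannot mint an OIDC token at all, leaving just `permissions: contents: read`. If staging genuinely authenticates to GCP, keep it, but then the workload identity provider's attribute condition must admit only the refs staging runs from.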