From ea451451e2ff36176043b1021384a5c0e4886485 Mon Sep 17 00:00:00 2001 From: vipin-dfe Date: Mon, 9 Dec 2024 12:16:47 +0000 Subject: [PATCH] Update CI to enable Big Query deployments --- .github/workflows/actions/deploy/action.yml | 5 +++++ .github/workflows/build.yml | 11 +++++++++++ .github/workflows/destroy_review.yml | 2 ++ 3 files changed, 18 insertions(+) diff --git a/.github/workflows/actions/deploy/action.yml b/.github/workflows/actions/deploy/action.yml index 7b4f85ae25..450131cad7 100644 --- a/.github/workflows/actions/deploy/action.yml +++ b/.github/workflows/actions/deploy/action.yml @@ -32,6 +32,11 @@ runs: with: creds: ${{ inputs.AZURE_CREDENTIALS }} + - uses: google-github-actions/auth@v2 + with: + # project_id: get-into-teaching + workload_identity_provider: projects/574582782335/locations/global/workloadIdentityPools/get-into-teaching-app/providers/get-into-teaching-app + - name: Get Short SHA id: sha shell: bash diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ad8cc20749..c1281f755f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -436,6 +436,9 @@ jobs: runs-on: ubuntu-latest continue-on-error: true concurrency: Review_${{github.event.number}} + permissions: + id-token: write + pull-requests: write environment: name: review steps: @@ -495,6 +498,8 @@ jobs: if: github.ref == 'refs/heads/master' concurrency: Development runs-on: ubuntu-latest + permissions: + id-token: write environment: name: development outputs: @@ -613,6 +618,8 @@ jobs: if: github.ref == 'refs/heads/master' concurrency: test runs-on: ubuntu-latest + permissions: + id-token: write environment: name: test steps: @@ -659,6 +666,8 @@ jobs: needs: [ build_base, test ] environment: name: test + permissions: + id-token: write services: postgres: image: postgres:13.10 
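Review bot: The new step in `.github/workflows/actions/deploy/action.yml` references `google-github-actions/auth@v2` by a movable tag, and it is the step that exchanges the job's OIDC token for Google Cloud credentials, so whatever the tag points to at run time executes with that access. Pin it to a commit you have reviewed, e.g. `- uses: google-github-actions/auth@<full-commit-sha>  # v2` (placeholder; take the SHA from the audited release). The commented-out `# project_id: get-into-teaching` should be either set or removed. If leaving out `service_account` is deliberate (direct workload identity federation), a one-line comment above the step saying so would help the next reader. The rest of the composite action lies outside this hunk.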
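Review bot: A job-level `permissions:` block sets every scope it does not list to `none`, so in the review job hunk of `build.yml` (and in the development, test, integration, production and `destroy_review.yml` hunks that add only `id-token: write`) the token loses `contents: read` and any other scope the steps relied on. The steps are outside these hunks, so check each job and add `contents: read` explicitly where it checks out the repository or calls the API. It is also worth confirming that every job granted `id-token: write` really calls the deploy action; the integration job shows only a postgres service here. If the review job is triggered by pull requests from forks, GitHub will not grant `id-token: write` there, and `continue-on-error: true` on this job would hide the resulting auth failure. A comment such as `# id-token: write is required for Google OIDC auth in the deploy action` beside each block would document why the scope is present.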
@@ -729,6 +738,8 @@ jobs: runs-on: ubuntu-latest needs: [ integration, development ] concurrency: production + permissions: + id-token: write environment: name: production steps: diff --git a/.github/workflows/destroy_review.yml b/.github/workflows/destroy_review.yml index 021f5d8fe2..3c11166777 100644 --- a/.github/workflows/destroy_review.yml +++ b/.github/workflows/destroy_review.yml @@ -6,6 +6,8 @@ on: jobs: destroy: name: Destroy + permissions: + id-token: write environment: name: review runs-on: ubuntu-latest
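Review bot: The production job hunk of `build.yml` grants `id-token: write` for the same workload identity provider that the review job uses, so the separation between PR-driven review deployments and production rests entirely on the Google Cloud side, which is not visible in this patch. Confirm that the provider's attribute condition restricts tokens to this repository, and that the IAM bindings for BigQuery are keyed on the `environment` (or ref) claim rather than on the repository alone, so that a token minted in the `review` environment cannot act with production's access. Recording that expectation as a comment next to `workload_identity_provider` in the deploy action would keep it from being lost.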