
Commit

feat: allow opt-out of exporting environment variables (#157)
This allows users to opt out of exporting environment variables. This might be helpful if they **don't** want future steps to be authenticated, or if the exported environment variables conflict with other values.
sethvargo authored Mar 24, 2022
1 parent 38d3c2f commit d16fd89
Showing 4 changed files with 84 additions and 15 deletions.
23 changes: 22 additions & 1 deletion README.md
Expand Up @@ -44,7 +44,7 @@ and permissions on Google Cloud.
# Ignore generated credentials from google-github-actions/auth
gha-creds-*.json
```
- This action runs using Node 16. If you are using self-hosted GitHub Actions
runners, you must use runner version [2.285.0](https://github.com/actions/virtual-environments)
or newer.
Expand Down Expand Up @@ -209,6 +209,27 @@ regardless of the authentication mechanism.
- uses: 'google-github-actions/auth@v0'
```
- `export_environment_variables`: (Optional) If true, the action will export
common environment variables which are known to be consumed by popular
downstream libraries and tools, including:
- `CLOUDSDK_PROJECT`
- `CLOUDSDK_CORE_PROJECT`
- `GCP_PROJECT`
- `GCLOUD_PROJECT`
- `GOOGLE_CLOUD_PROJECT`
If "create_credentials_file" is true, additional environment variables are
exported:
- `CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE`
- `GOOGLE_APPLICATION_CREDENTIALS`
- `GOOGLE_GHA_CREDS_PATH`
If false, the action will not export any environment variables, meaning
future steps are unlikely to be automatically authenticated to Google Cloud.
The default value is true.
- `delegates`: (Optional) List of additional service account emails or unique
identities to use for impersonation in the chain. By default there are no
delegates.
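Review bot: The new `export_environment_variables` paragraph should state what still happens when it is set to false: the `project_id` output, and `credentials_file_path` when `create_credentials_file` is true, are still set (the `src/main.ts` change keeps both `setOutput` calls unconditional), and the credentials file is still written into the workspace, so the `gha-creds-*.json` ignore rule earlier in this README still applies. As written, "will not export any environment variables" can be read as "leaves no credential material behind", which is not what the opt-out does. Suggest adding one sentence after "The default value is true." along the lines of "Outputs are still set, so later steps can read `steps.<id>.outputs.credentials_file_path` explicitly."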
23 changes: 23 additions & 0 deletions action.yml
Expand Up @@ -58,6 +58,29 @@ inputs:
used for authentication via gcloud and Google Cloud SDKs.
default: true
required: false
export_environment_variables:
description: |-
If true, the action will export common environment variables which are
known to be consumed by popular downstream libraries and tools, including:
- CLOUDSDK_PROJECT
- CLOUDSDK_CORE_PROJECT
- GCP_PROJECT
- GCLOUD_PROJECT
- GOOGLE_CLOUD_PROJECT
If "create_credentials_file" is true, additional environment variables are
exported:
- CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE
- GOOGLE_APPLICATION_CREDENTIALS
- GOOGLE_GHA_CREDS_PATH
If false, the action will not export any environment variables, meaning
future steps are unlikely to be automatically authenticated to Google
Cloud.
default: true
required: false
token_format:
description: |-
Output format for the generated authentication token. For OAuth 2.0 access
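Review bot: The `description` block duplicates the README paragraph almost verbatim but drops its closing "The default value is true." sentence (the YAML `default: true` covers it, so that is fine), and it carries the same gap as the README: it does not say that outputs are still set and the credentials file is still created when the input is false. Since this text is what the Marketplace UI shows, add the same clarifying sentence here and keep the two copies in sync when either changes.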
2 changes: 1 addition & 1 deletion dist/main/index.js

Large diffs are not rendered by default.

51 changes: 38 additions & 13 deletions src/main.ts
Expand Up @@ -59,6 +59,7 @@ async function run(): Promise<void> {
getInput('audience') || `https://iam.googleapis.com/${workloadIdentityProvider}`;
const credentialsJSON = getInput('credentials_json');
const createCredentialsFile = getBooleanInput('create_credentials_file');
const exportEnvironmentVariables = getBooleanInput('export_environment_variables');
const tokenFormat = getInput('token_format');
const delegates = parseCSV(getInput('delegates'));

Expand Down Expand Up @@ -163,26 +164,32 @@ async function run(): Promise<void> {
// Output to be available to future steps.
setOutput('credentials_file_path', credentialsPath);

// CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE is picked up by gcloud to use
// a specific credential file (subject to change and equivalent to auth/credential_file_override)
exportVariable('CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE', credentialsPath);
if (exportEnvironmentVariables) {
// CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE is picked up by gcloud to
// use a specific credential file (subject to change and equivalent to
// auth/credential_file_override).
exportVariableAndWarn('CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE', credentialsPath);

// GOOGLE_APPLICATION_CREDENTIALS is used by Application Default Credentials
// in all GCP client libraries
exportVariable('GOOGLE_APPLICATION_CREDENTIALS', credentialsPath);
// GOOGLE_APPLICATION_CREDENTIALS is used by Application Default
// Credentials in all GCP client libraries.
exportVariableAndWarn('GOOGLE_APPLICATION_CREDENTIALS', credentialsPath);

// GOOGLE_GHA_CREDS_PATH is used by other Google GitHub Actions
exportVariable('GOOGLE_GHA_CREDS_PATH', credentialsPath);
// GOOGLE_GHA_CREDS_PATH is used by other Google GitHub Actions.
exportVariableAndWarn('GOOGLE_GHA_CREDS_PATH', credentialsPath);
}
}

// Set the project ID environment variables to the computed values.
const computedProjectID = await client.getProjectID();
setOutput('project_id', computedProjectID);
exportVariable('CLOUDSDK_PROJECT', computedProjectID);
exportVariable('CLOUDSDK_CORE_PROJECT', computedProjectID);
exportVariable('GCP_PROJECT', computedProjectID);
exportVariable('GCLOUD_PROJECT', computedProjectID);
exportVariable('GOOGLE_CLOUD_PROJECT', computedProjectID);

if (exportEnvironmentVariables) {
exportVariableAndWarn('CLOUDSDK_CORE_PROJECT', computedProjectID);
exportVariableAndWarn('CLOUDSDK_PROJECT', computedProjectID);
exportVariableAndWarn('GCLOUD_PROJECT', computedProjectID);
exportVariableAndWarn('GCP_PROJECT', computedProjectID);
exportVariableAndWarn('GOOGLE_CLOUD_PROJECT', computedProjectID);
}

switch (tokenFormat) {
case '': {
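Review bot: In the first block of this hunk, the credential-file variables are now exported only when both `createCredentialsFile` and `exportEnvironmentVariables` hold, while `setOutput('credentials_file_path', credentialsPath)` and `setOutput('project_id', computedProjectID)` remain unconditional. That split is the right one (outputs are opt-in by the consumer, env vars are implicit), but it means the opt-out does not stop the credentials file from being written; a short comment above the first `if (exportEnvironmentVariables)` saying so would save the next reader from assuming otherwise. Two smaller points: the five project-ID exports changed order relative to the removed lines (`CLOUDSDK_PROJECT` was first, `CLOUDSDK_CORE_PROJECT` now is), which is harmless but adds diff noise; and the two `if (exportEnvironmentVariables)` blocks could be one guarded region so a future variable cannot be added outside the check by mistake.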
Expand Down Expand Up @@ -261,4 +268,22 @@ async function run(): Promise<void> {
}
}

/**
* exportVariableAndWarn exports the given key as an environment variable set to
* the provided value. If a value already exists, it is overwritten and an
* warning is emitted.
*
* @param key Environment variable key.
* @param value Environment variable value.
*/
function exportVariableAndWarn(key: string, value: string) {
const existing = process.env[key];
if (existing) {
const old = JSON.stringify(existing);
logWarning(`Overwriting existing environment variable ${key} (was: ${old})`);
}

exportVariable(key, value);
}

run();
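Review bot: `if (existing)` in `exportVariableAndWarn` skips the warning when the variable is set to the empty string, which is still a set variable that is about to be overwritten; use `existing !== undefined`. The warning also echoes the previous value into the job log via `JSON.stringify(existing)`. For the keys used here the value is a file path or project ID, but the helper is generic, so prefer logging only the key (`Overwriting existing environment variable ${key}`) to avoid a future caller leaking a secret-bearing variable into logs. Confirm `logWarning` is imported at the top of the file, since the import is not part of this diff. Minor: the doc comment reads "an warning"; should be "a warning".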
