Remove github service account keys and replace them with OIDC (#4)

quortex · Aug 3, 2023 · 77aaa2f · 77aaa2f
1 parent 732c004
commit 77aaa2f
Showing 1 changed file with 8 additions and 5 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -14,6 +14,9 @@ jobs:
   build-and-push:
     name: BuildAndPush
     runs-on: ubuntu-latest
+    permissions:
+      contents: 'read'
+      id-token: 'write'
 
     env:
       IMAGE_NAME: prometheus-sleeker
@@ -22,7 +25,7 @@ jobs:
     steps:
       # This step uses Github's checkout-action: https://github.com/actions/checkout
       - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       # Deduced the appropriate tag for the image (inspired by the docker action https://github.com/actions-hub/docker)
       - name: Set env
@@ -38,11 +41,11 @@ jobs:
           fi && \
           echo "IMAGE_TAG=${IMAGE_TAG}" >> $GITHUB_ENV
       # Setup gcloud CLI
-      - uses: google-github-actions/[email protected]
+      - uses: google-github-actions/auth@v1
         with:
-          service_account_key: ${{ secrets.GCP_SA_KEY }}
-          project_id: ${{ env.GCP_PROJECT_ID }}
-          export_default_credentials: true
+          token_format: 'access_token'
+          workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_POOL }}
+          service_account: ${{ env.SERVICE_ACCOUNT }}
 
       # Build docker image
       - name: Build