Set GH actions secrets

carboniferio · Jan 23, 2023 · 3d0cfc3 · 3d0cfc3
1 parent aaf41a0
commit 3d0cfc3
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 7 deletions.
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -1,6 +1,3 @@
-# This workflow will build a golang project
-# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go
-
 name: Go
 
 on:
@@ -9,13 +6,26 @@ on:
   pull_request:
     branches: [ "main" ]
 
+
 jobs:
 
   build:
     runs-on: ubuntu-latest
+
+    permissions: write-all
+
     steps:
     - uses: actions/checkout@v3
 
+    # Configure Workload Identity Federation via a credentials file.
+    - id: 'auth'
+      name: 'Authenticate to Google Cloud'
+      uses: 'google-github-actions/auth@v1'
+      with:
+        workload_identity_provider: 'projects/536185737408/locations/global/workloadIdentityPools/carbonifer-gh-pool/providers/carbonifer-oidc-provider'
+        service_account: '[email protected]'
+      if: github.event_name != 'pull_request'
+
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
@@ -37,5 +47,13 @@ jobs:
     - name: golangci-lint
       uses: golangci/golangci-lint-action@v3
 
-    - name: Test
-      run: go test -v ./... 
+    - name: Test with credentials
+      run: go test -v ./...
+      if: github.event_name != 'pull_request'
+
+    # If run from fork, we should not use tests requiring credentials
+    - name: Test without credentials
+      run: go test -v ./...
+      env:
+        SKIP_WITH_CREDENTIALS: true
+      if: github.event_name == 'pull_request'
diff --git a/.gitignore b/.gitignore
@@ -38,4 +38,7 @@ crash.*.log
 **/__debug_bin
 
 # vscode
-.vscode
+.vscode
+
+# Ignore generated credentials from google-github-actions/auth
+gha-creds-*.json
diff --git a/internal/terraform/terraform.go b/internal/terraform/terraform.go
@@ -135,7 +135,8 @@ func TerraformPlan() (*tfjson.Plan, error) {
 	out := tfexec.Out(tfPlanFile.Name())
 	_, err = tf.Plan(ctx, out)
 	if err != nil {
-		if strings.Contains(err.Error(), "invalid authentication credentials") {
+		if strings.Contains(err.Error(), "invalid authentication credentials") ||
+			strings.Contains(err.Error(), "No credentials loaded") {
 			return nil, &ProviderAuthError{ParentError: err}
 		}
 		return nil, err