GH actions use workload identity (#416)

moshemorad · web-flow · commit 0e1cc6846db7 · 2025-03-23T18:43:48.000+02:00
diff --git a/.github/workflows/docker-build-on-tag.yml b/.github/workflows/docker-build-on-tag.yml
@@ -10,8 +10,25 @@ jobs:
 
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
+
+    - uses: 'google-github-actions/auth@v2'
+      with:
+        project_id: 'genuine-flight-317411'
+        workload_identity_provider: 'projects/429189597230/locations/global/workloadIdentityPools/github/providers/robusta-repos'
+
+    - name: Set up gcloud CLI
+      uses: google-github-actions/setup-gcloud@v2
+      with:
+        project_id: genuine-flight-317411
+
+    - name: Configure Docker Registry
+      run: gcloud auth configure-docker us-central1-docker.pkg.dev
 
     - name: Login to Docker Hub
       uses: docker/login-action@v1
@@ -28,32 +45,8 @@ jobs:
         context: .
         platforms: linux/arm64,linux/amd64
         push: true
-        tags: robustadev/krr:${{ github.ref_name }}
+        tags: |
+          robustadev/krr:${{ github.ref_name }}
+          us-central1-docker.pkg.dev/genuine-flight-317411/devel/krr:${{ github.ref_name }}
         build-args: |
-          BUILDKIT_INLINE_CACHE=1
-
-    - name: Set up gcloud CLI
-      uses: google-github-actions/setup-gcloud@v0.2.0
-      with:
-        service_account_key: ${{ secrets.GCP_SA_KEY }}
-        project_id: genuine-flight-317411
-        export_default_credentials: true
-
-    # Configure Docker to use the gcloud command-line tool as a credential helper for authentication	
-    - name: Configure Docker	
-      run: |-	
-        gcloud auth configure-docker us-central1-docker.pkg.dev	
-
-    - name: Verify gcloud configuration	
-      run: |-	
-        gcloud config get-value project
-
-    - name: Release Docker to old repo
-      run: |-
-        docker buildx build \
-        --build-arg BUILDKIT_INLINE_CACHE=1 \
-        --platform linux/arm64,linux/amd64 \
-        --cache-from robustadev/krr:${{ github.ref_name }} \
-        --tag us-central1-docker.pkg.dev/genuine-flight-317411/devel/krr:${{ github.ref_name }} \
-        --push \
-        .
+          BUILDKIT_INLINE_CACHE=1
