feat: do workflow - IAM track (#26)

fix #19 
tested by trigger on push on branch

.github/workflows/ci.yml

@@ -39,3 +39,4 @@ jobs:
     uses: 'abcxyz/pkg/.github/workflows/go-test.yml@main' # ratchet:exclude
     with:
       go_version: '1.20'
+

.github/workflows/iam-handle.yml

@@ -0,0 +1,84 @@
+# Copyright 2023 The Authors (see AUTHORS file)
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#      http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: 'aod-iam-handle'
+# TODO(#30): Support pull_request labeled triggering event. Current workflow
+# requires the triggering event must be pull_request_review as it relies on this
+# event to get the review status and approval submit time as IAM permission
+# expiration start time.
+on:
+  workflow_call:
+    inputs:
+      workload_identity_provider:
+        description: 'The full identifier of the Workload Identity Provider, including the project number, pool name, and provider name.'
+        type: 'string'
+        required: true
+      service_account:
+        description: 'Email address or unique identifier of the Google Cloud service account for which to generate credentials.'
+        type: 'string'
+        required: true
+      aod_cli_version:
+        description: 'The version of AOD CLI.'
+        type: 'string'
+        default: 'latest'
+        required: false
+      go_version:
+        description: 'The version of Golang.'
+        type: 'string'
+        default: '1.20'
+        required: false
+
+jobs:
+  handle:
+    # Only handle the request when the PR is approved.
+    if: github.event.review.state == 'approved'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+    name: 'Handle IAM Request'
+    steps:
+      - name: 'Checkout Triggering Branch'
+        uses: 'actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab' # ratchet:actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+      - name: 'Setup Go'
+        uses: 'actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568' # ratchet:actions/setup-go@v3
+        with:
+          go-version: ${{ inputs.go_version }}
+      - name: 'Authenticate to Google Cloud'
+        uses: 'google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033' # ratchet:google-github-actions/auth@v1
+        with:
+          workload_identity_provider: '${{ inputs.workload_identity_provider }}'
+          service_account: '${{ inputs.service_account }}'
+          token_format: 'access_token'
+      - name: 'Install AOD CLI'
+        run: 'go install github.com/abcxyz/access-on-demand/cmd/aod@${{ inputs.aod_cli_version }}'
+      # Duration labels need to be predixed with "duration-", an example is "duration-2h",
+      - name: 'Get Duration From Label'
+        run: |
+          names='${{ toJson(github.event.pull_request.labels.*.name) }}'
+          for name in $(echo "$names" | jq -r '.[]'); do
+            if [[ $name == duration-* ]]; then
+              IFS='-' read -r part1 part2 <<< "$name"
+              echo "LABELED_DURATION=$part2" >> $GITHUB_ENV
+              break
+            fi
+          done
+      - name: 'Run AOD CLI'
+        env:
+          DURATION: ${{ env.LABELED_DURATION || '2h' }}
+          FILE_PATH: ${{ github.workspace }}/iam.yaml
+          START_TIME: ${{ github.event.review.submitted_at }}
+        run: 'aod iam handle -path $FILE_PATH -duration $DURATION -start-time $START_TIME'