ci: keyless auth

agrc · Feb 23, 2022 · 5db215d · 5db215d
1 parent d170616
commit 5db215d
Showing 1 changed file with 42 additions and 14 deletions.
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
@@ -53,19 +53,33 @@ jobs:
       - name: 🧪 Run tests
         run: npm test -- --watchAll=false
 
-  deploy-prod:
-    name: Deploy to production
+  deploy-dev:
+    name: Deploy to staging
+    runs-on: ubuntu-latest
     needs: [test-unit, test-functional]
     environment:
-      name: prod
-      url: https://atlas.utah.gov
-    if: github.ref == 'refs/heads/main'
-    runs-on: ubuntu-latest
+      name: dev
+      url: https://atlas.dev.utah.gov
+    if: github.ref == 'refs/heads/dev'
+    permissions:
+      contents: read
+      id-token: write
+      deployments: write
 
     steps:
       - name: ⬇️ Set up code
         uses: actions/checkout@v2
 
+      - id: auth
+        name: 🗝️ Authenticate to Google Cloud
+        uses: google-github-actions/auth@v0.4.4
+        with:
+          token_format: access_token
+          access_token_scopes: 'email, openid, https://www.googleapis.com/auth/cloud-platform, https://www.googleapis.com/auth/firebase'
+          workload_identity_provider: ${{ secrets.IDENTITY_PROVIDER }}
+          service_account: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
+          create_credentials_file: true
+
       - name: ⎔ Setup Node.js
         uses: actions/setup-node@v2
         with:
@@ -97,24 +111,38 @@ jobs:
           repoToken: '${{ secrets.GITHUB_TOKEN }}'
           firebaseServiceAccount: '${{ secrets.SERVICE_ACCOUNT }}'
           channelId: live
-          projectId: '${{ secrets.PROJECT_ID }}'
+          projectId: 'ut-dts-agrc-atlas-prod'
           target: '${{ secrets.PROJECT_ID }}'
         env:
           FIREBASE_CLI_PREVIEWS: hostingchannels
 
-  deploy-dev:
-    name: Deploy to staging
-    runs-on: ubuntu-latest
+  deploy-prod:
+    name: Deploy to production
     needs: [test-unit, test-functional]
     environment:
-      name: dev
-      url: https://atlas.dev.utah.gov
-    if: github.ref == 'refs/heads/dev'
+      name: prod
+      url: https://atlas.utah.gov
+    if: github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      deployments: write
 
     steps:
       - name: ⬇️ Set up code
         uses: actions/checkout@v2
 
+      - id: auth
+        name: 🗝️ Authenticate to Google Cloud
+        uses: google-github-actions/auth@v0.4.4
+        with:
+          token_format: access_token
+          access_token_scopes: 'email, openid, https://www.googleapis.com/auth/cloud-platform, https://www.googleapis.com/auth/firebase'
+          workload_identity_provider: ${{ secrets.IDENTITY_PROVIDER }}
+          service_account: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
+          create_credentials_file: true
+
       - name: ⎔ Setup Node.js
         uses: actions/setup-node@v2
         with:
@@ -146,7 +174,7 @@ jobs:
           repoToken: '${{ secrets.GITHUB_TOKEN }}'
           firebaseServiceAccount: '${{ secrets.SERVICE_ACCOUNT }}'
           channelId: live
-          projectId: 'ut-dts-agrc-atlas-prod'
+          projectId: '${{ secrets.PROJECT_ID }}'
           target: '${{ secrets.PROJECT_ID }}'
         env:
           FIREBASE_CLI_PREVIEWS: hostingchannels