1349 Update Github Action to use WIF auth (#33)

ONSdigital · Mar 4, 2024 · 3fb899d · 3fb899d
1 parent f358e73
commit 3fb899d
Showing 1 changed file with 18 additions and 4 deletions.
diff --git a/.github/workflows/checks-and-tests.yml b/.github/workflows/checks-and-tests.yml
@@ -10,25 +10,39 @@ jobs:
   python-tests:
     runs-on: ubuntu-latest
 
+    # Add "id-token" with the required permissions.
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+
     steps:
 
       - name: Checkout
         uses: actions/checkout@v3
 
+      # Authenticate with Google Cloud to acquire an access token
+      - id: auth
+        name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v1
+        with:
+          token_format: 'access_token'
+          workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
+          service_account: ${{ secrets.SERVICE_ACCOUNT }}
+
       # Authenticating with Dockerhub ensures image pulls are authenticated, so not as severely rate limited
       - name: Log in to Dockerhub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       # Also log docker in to GCP artifact registry, to allow image pulls from our private registries
       - name: Log in to Google Docker Artifact Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: europe-west2-docker.pkg.dev
-          username: _json_key
-          password: ${{ secrets.GOOGLE_SERVICE_ACCOUNT_KEY }}
+          username: oauth2accesstoken
+          password: ${{ steps.auth.outputs.access_token }}
 
       - name: Set up Python "3.11"
         uses: actions/setup-python@v4