From 1863d530fe65475493c856f30c273ef3949b24f3 Mon Sep 17 00:00:00 2001 From: EddieLF Date: Thu, 16 Nov 2023 19:24:21 +1100 Subject: [PATCH 1/5] Update actions to use google-github-actions/auth@v1 and fix input syntax --- .github/workflows/deploy_config.yaml | 6 +++++- .github/workflows/deploy_container.yaml | 8 ++++++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/.github/workflows/deploy_config.yaml b/.github/workflows/deploy_config.yaml index 76d0246..55910a6 100644 --- a/.github/workflows/deploy_config.yaml +++ b/.github/workflows/deploy_config.yaml @@ -140,11 +140,15 @@ jobs: - name: "checkout repo" uses: actions/checkout@v3 + - name: "auth service-account" + uses: google-github-actions/auth@v1 + with: + credentials_json: '${{ secrets.GCP_CREDENTIALS }}' + - name: "gcloud setup" uses: google-github-actions/setup-gcloud@v1 with: project_id: ${{ env.PROJECT }} - service_account_key: ${{ secrets.GCP_SERVER_DEPLOY_KEY }} - uses: actions/setup-python@v4 with: diff --git a/.github/workflows/deploy_container.yaml b/.github/workflows/deploy_container.yaml index 13a5d47..f2f8be8 100644 --- a/.github/workflows/deploy_container.yaml +++ b/.github/workflows/deploy_container.yaml @@ -31,11 +31,15 @@ jobs: - name: "checkout repo" uses: actions/checkout@v3 + - name: "auth service-account" + uses: google-github-actions/auth@v1 + with: + credentials_json: '${{ secrets.GCP_CREDENTIALS }}' + - name: "gcloud setup" - uses: google-github-actions/setup-gcloud@v0 + uses: google-github-actions/setup-gcloud@v1 with: project_id: analysis-runner - service_account_key: ${{ secrets.GCP_SERVER_DEPLOY_KEY }} - name: "gcloud docker auth" run: | From e8fd5c2716372d52352fee4529b3fb74f0347178 Mon Sep 17 00:00:00 2001 
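Review bot: The new `uses: google-github-actions/auth@v1` line in the deploy_config.yaml hunk references a mutable major-version tag, and this is the step that is handed `secrets.GCP_CREDENTIALS`; pin it (and `actions/checkout@v3`, `google-github-actions/setup-gcloud@v1`) to a full commit SHA with the version in a trailing comment, e.g. `uses: google-github-actions/auth@<commit-sha>  # v1`, so a moved tag cannot swap the code that receives the credential. The same applies to the deploy_container.yaml hunk in this patch and to the `uses:` lines patches 2 and 3 add. Dropping `service_account_key` from the setup-gcloud step looks right, since the v1 action no longer accepts that input as far as I know, and `credentials_json` here is a long-lived JSON key that patches 2 and 3 replace with workload identity federation, so the secret itself is short-lived in this series.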
From: Michael Franklin <22381693+illusional@users.noreply.github.com> Date: Fri, 17 Nov 2023 08:31:10 +1100 Subject: [PATCH 2/5] Convert to workload identity federation --- .github/workflows/deploy_config.yaml | 35 ++++++++++++++++++++-------- 1 file changed, 25 insertions(+), 10 deletions(-) diff --git a/.github/workflows/deploy_config.yaml b/.github/workflows/deploy_config.yaml index 55910a6..bc10c2d 100644 --- a/.github/workflows/deploy_config.yaml +++ b/.github/workflows/deploy_config.yaml @@ -52,10 +52,16 @@ jobs: steps: - uses: actions/checkout@v3 - - uses: google-github-actions/setup-gcloud@v0 + - id: "google-cloud-auth" + name: "Authenticate to Google Cloud" + uses: "google-github-actions/auth@v1" with: - project_id: cpg-common - service_account_key: ${{ secrets.GCP_SERVER_DEPLOY_KEY }} + workload_identity_provider: "projects/1051897107465/locations/global/workloadIdentityPools/github-pool/providers/github-provider" + service_account: "gh-images-deployer@cpg-common.iam.gserviceaccount.com" + + - id: "google-cloud-sdk-setup" + name: "Set up Cloud SDK" + uses: google-github-actions/setup-gcloud@v1 - run: | gcloud auth configure-docker ${{ env.DOCKER_PREFIX }} @@ -100,10 +106,16 @@ jobs: echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT cd - - - uses: google-github-actions/setup-gcloud@v0 + - id: "google-cloud-auth" + name: "Authenticate to Google Cloud" + uses: "google-github-actions/auth@v1" with: - project_id: cpg-common - service_account_key: ${{ secrets.GCP_SERVER_DEPLOY_KEY }} + workload_identity_provider: "projects/1051897107465/locations/global/workloadIdentityPools/github-pool/providers/github-provider" + service_account: "gh-images-deployer@cpg-common.iam.gserviceaccount.com" + + - id: "google-cloud-sdk-setup" + name: "Set up Cloud SDK" + uses: google-github-actions/setup-gcloud@v1 - run: | gcloud auth configure-docker ${{ env.DOCKER_PREFIX }} 
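Review bot: Both new `google-cloud-auth` steps in this patch (the hunks at @@ -52 and @@ -100, plus the @@ -140 hunk that follows) hard-code the same `workload_identity_provider` and `service_account` literals, and patch 3 repeats them in deploy_container.yaml; deploy_config.yaml already has a top-level `env:` with `PROJECT`, so these belong there too, e.g. `WIF_PROVIDER: 'projects/1051897107465/locations/global/workloadIdentityPools/github-pool/providers/github-provider'` and `DEPLOY_SERVICE_ACCOUNT: 'gh-images-deployer@cpg-common.iam.gserviceaccount.com'`, referenced as `${{ env.WIF_PROVIDER }}` so a provider or account rotation is a one-line change. The two replaced steps passed `project_id: cpg-common` to setup-gcloud while the new `google-cloud-sdk-setup` steps pass nothing, yet the @@ -140 step keeps `project_id: ${{ env.PROJECT }}`; the auth action presumably derives the project from the service-account email, but adding `with: project_id: ${{ env.PROJECT }}` to all three makes the gcloud default project explicit and consistent. Since these jobs now trust OIDC rather than a stored key, confirm on the GCP side that the `roles/iam.workloadIdentityUser` binding on `gh-images-deployer` is scoped to this repository via the provider's `attribute.repository` claim rather than the whole pool; that binding, not this workflow file, is what limits who can impersonate the account.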
@@ -140,12 +152,15 @@ jobs: - name: "checkout repo" uses: actions/checkout@v3 - - name: "auth service-account" - uses: google-github-actions/auth@v1 + - id: "google-cloud-auth" + name: "Authenticate to Google Cloud" + uses: "google-github-actions/auth@v1" with: - credentials_json: '${{ secrets.GCP_CREDENTIALS }}' + workload_identity_provider: "projects/1051897107465/locations/global/workloadIdentityPools/github-pool/providers/github-provider" + service_account: "gh-images-deployer@cpg-common.iam.gserviceaccount.com" - - name: "gcloud setup" + - id: "google-cloud-sdk-setup" + name: "Set up Cloud SDK" uses: google-github-actions/setup-gcloud@v1 with: project_id: ${{ env.PROJECT }} From eb94f76044ca4f541e5fbe1bc336044f2498b693 Mon Sep 17 00:00:00 2001 From: Michael Franklin <22381693+illusional@users.noreply.github.com> Date: Fri, 17 Nov 2023 08:32:17 +1100 Subject: [PATCH 3/5] Convert deploy_container to workload identity federation --- .github/workflows/deploy_container.yaml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/deploy_container.yaml b/.github/workflows/deploy_container.yaml index f2f8be8..9e4beb8 100644 --- a/.github/workflows/deploy_container.yaml +++ b/.github/workflows/deploy_container.yaml @@ -31,15 +31,16 @@ jobs: - name: "checkout repo" uses: actions/checkout@v3 - - name: "auth service-account" - uses: google-github-actions/auth@v1 + - id: "google-cloud-auth" + name: "Authenticate to Google Cloud" + uses: "google-github-actions/auth@v1" with: - credentials_json: '${{ secrets.GCP_CREDENTIALS }}' + workload_identity_provider: "projects/1051897107465/locations/global/workloadIdentityPools/github-pool/providers/github-provider" + service_account: "gh-images-deployer@cpg-common.iam.gserviceaccount.com" - - name: "gcloud setup" + - id: "google-cloud-sdk-setup" + name: "Set up Cloud SDK" uses: google-github-actions/setup-gcloud@v1 - with: - project_id: analysis-runner - name: "gcloud docker auth" run: | 
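Review bot: The removed `credentials_json: '${{ secrets.GCP_CREDENTIALS }}'` line appears to be the last reference to that JSON key in deploy_config.yaml, and the `service_account_key: ${{ secrets.GCP_SERVER_DEPLOY_KEY }}` lines dropped in this patch and in patch 1 appear to be the last to that one; a key removed from a workflow stays valid until it is disabled in GCP, so once patch 3 removes the remaining `GCP_CREDENTIALS` use in deploy_container.yaml, delete both repository secrets and delete the corresponding service-account keys in `cpg-common`. Whether other workflows in the repository still reference either secret is not visible here, so check before deleting. The enclosing job continues past the end of the hunk.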
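Review bot: The `with: project_id: analysis-runner` removed from the deploy_container.yaml `google-cloud-sdk-setup` step is not replaced by anything in the new auth step, whose `service_account` lives in `cpg-common`; if the auth action exports that project as the gcloud default, any later `gcloud` command in this job that omits `--project` (the job continues past the hunk, starting with the `gcloud docker auth` step) would now run against `cpg-common` instead of `analysis-runner`. Unless the deploy target intentionally moved, keep the input on the setup step: `uses: google-github-actions/setup-gcloud@v1` followed by `with:` and `project_id: analysis-runner`. The deploy_config.yaml @@ -140 hunk in patch 2 keeps `project_id` on its setup-gcloud step, so this is also the consistent form across the two workflows.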
From 5baf3c4054cd816f41e113691589d10147328e88 Mon Sep 17 00:00:00 2001 From: Michael Franklin <22381693+illusional@users.noreply.github.com> Date: Fri, 17 Nov 2023 08:35:16 +1100 Subject: [PATCH 4/5] Add permissions to github action --- .github/workflows/deploy_config.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/deploy_config.yaml b/.github/workflows/deploy_config.yaml index bc10c2d..d7ee07d 100644 --- a/.github/workflows/deploy_config.yaml +++ b/.github/workflows/deploy_config.yaml @@ -5,6 +5,10 @@ on: - main workflow_dispatch: +permissions: + id-token: write + contents: read + env: PROJECT: 'cpg-common' CONFIG_DESTINATION: 'gs://cpg-config/templates/images/images.toml' From 1e61c8874c267e64f9fab4d8d3a59fb4c110b8af Mon Sep 17 00:00:00 2001 From: Michael Franklin <22381693+illusional@users.noreply.github.com> Date: Fri, 17 Nov 2023 08:37:46 +1100 Subject: [PATCH 5/5] Give deploy_container id-token permissions --- .github/workflows/deploy_container.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/deploy_container.yaml b/.github/workflows/deploy_container.yaml index 9e4beb8..2f79bc7 100644 --- a/.github/workflows/deploy_container.yaml +++ b/.github/workflows/deploy_container.yaml @@ -12,6 +12,10 @@ on: description: "Extra docker CLI params" required: false +permissions: + id-token: write + contents: read + jobs: deployImage: runs-on: ubuntu-latest
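Review bot: The new workflow-level `permissions:` block grants `id-token: write` to every job in deploy_config.yaml, not only to the jobs that run the `google-cloud-auth` step; if any job in this file does not authenticate to Google Cloud, move the block under each job that does (`jobs.<job_id>.permissions`) so only those jobs can mint OIDC tokens. Declaring `permissions` explicitly is otherwise the right call, because it replaces the default `GITHUB_TOKEN` grant with just `contents: read`, which is all `actions/checkout` needs here. The same applies to the `permissions:` block patch 5 adds to deploy_container.yaml, whose `jobs:` section begins with `deployImage`; if that is its only job the workflow-level placement is equivalent, but job-level placement in both files keeps them symmetric.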