From 48c68d53231f3d22328eadaf1be1f920ad821093 Mon Sep 17 00:00:00 2001
From: Mehdi ABAAKOUK
Date: Fri, 13 Sep 2024 16:42:32 +0200
Subject: [PATCH] ci: use OIDC to get the valid token

Change-Id: I91c9cf3b2f067c0f343c6415e00c80cdcc9f24a3
---
 .github/workflows/release.yaml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 62de8b4..923b02b 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,5 +1,6 @@
 name: Release
 permissions:
+ id-token: write
 contents: write
 on:
@@ -44,21 +45,34 @@ jobs:
 done
 set -e
+ - name: Setup Google Auth 🔧
+ id: auth
+ # yamllint disable-line rule:line-length
+ # nosemgrep: yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha
+ uses: google-github-actions/auth@v2
+ with:
+ # yamllint disable-line rule:line-length
+ workload_identity_provider: projects/306279023132/locations/global/workloadIdentityPools/github/providers/github
+ service_account: github-actions@chrome-web-store-api-435512.iam.gserviceaccount.com
+ token_format: access_token
+
 - name: Upload to Google Web Store
 env:
 VERSION: ${{ github.event.release.tag_name }}
 GOOGLE_CHROME_WEBSTORE_APP_ID: ${{ secrets.GOOGLE_CHROME_WEBSTORE_APP_ID }}
- GOOGLE_CHROME_WEBSTORE_TOKEN: ${{ secrets.GOOGLE_CHROME_WEBSTORE_TOKEN }}
+ GOOGLE_CHROME_WEBSTORE_TOKEN: ${{ steps.auth.outputs.access_token }}
 run: |
 name="mergify-chrome-${VERSION}.zip"
 curl \
 -v \
+ --fail \
 -H "Authorization: Bearer ${GOOGLE_CHROME_WEBSTORE_TOKEN}" \
 -H "x-goog-api-version: 2" \
 -X PUT \
 -T "$name" \
 "https://www.googleapis.com/upload/chromewebstore/v1.1/items/${GOOGLE_CHROME_WEBSTORE_APP_ID}"
 curl -v \
+ --fail \
 -H "Authorization: Bearer $GOOGLE_CHROME_WEBSTORE_TOKEN" \
 -H "x-goog-api-version: 2" \
 -H "Content-Length: 0" \
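Review bot: `id-token: write` is added to the workflow-level `permissions:` block in the first hunk, so every job in release.yaml can mint an OIDC token for the GitHub workload identity pool, not just the job that runs the new auth step. Least privilege would keep the workflow-level block at `contents: write` and declare `permissions:` / `id-token: write` / `contents: write` on the job that contains the upload steps, so a compromised step in any other job cannot request a token the federation provider will accept. The job definitions are outside the hunk, so I cannot tell how many jobs this widens; if the workflow has a single job the impact is limited but the scoping is still worth doing.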
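Review bot: Both `curl` invocations in the `run:` block keep `-v`, which prints the outgoing request headers, including `Authorization: Bearer …`, to the job log; the token now comes from `steps.auth.outputs.access_token` rather than a `secrets.*` value, so log masking depends on the auth action registering its output as a secret (it presumably does, but verify), and with `--fail` in place `-v` is no longer needed for error reporting, so replace `-v \` and `--fail \` with `-sS --fail-with-body \` in each call so failures still print the API's error body. Separately, `uses: google-github-actions/auth@v2` is a floating tag and the `nosemgrep` line documents that the pinning rule was suppressed rather than satisfied; pinning to a full commit SHA with a trailing `# v2.x.y` comment removes the suppression and the supply-chain exposure. Lastly, `token_format: access_token` without an `access_token_scopes` input yields the action's default cloud-platform scope, and the Chrome Web Store endpoints called here presumably require the `https://www.googleapis.com/auth/chromewebstore` scope, so confirm the upload works end to end and set the scope explicitly if it does not.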