feat: allow opt-out of exporting environment variables

README.md

@@ -44,7 +44,7 @@ and permissions on Google Cloud.
     # Ignore generated credentials from google-github-actions/auth
     gha-creds-*.json
     ```
-    
+
 -   This action runs using Node 16. If you are using self-hosted GitHub Actions
     runners, you must use runner version [2.285.0](https://github.com/actions/virtual-environments)
     or newer.
@@ -209,6 +209,27 @@ regardless of the authentication mechanism.
         - uses: 'google-github-actions/auth@v0'
      ```
 
+-   `export_environment_variables`: (Optional) If true, the action will export
+    common environment variables which are known to be consumed by popular
+    downstream libraries and tools, including:
+
+    -   `CLOUDSDK_PROJECT`
+    -   `CLOUDSDK_CORE_PROJECT`
+    -   `GCP_PROJECT`
+    -   `GCLOUD_PROJECT`
+    -   `GOOGLE_CLOUD_PROJECT`
+
+    If "create_credentials_file" is true, additional environment variables are
+    exported:
+
+    -   `CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE`
+    -   `GOOGLE_APPLICATION_CREDENTIALS`
+    -   `GOOGLE_GHA_CREDS_PATH`
+
+    If false, the action will not export any environment variables, meaning
+    future steps are unlikely to be automatically authenticated to Google Cloud.
+    The default value is true.
+
 -   `delegates`: (Optional) List of additional service account emails or unique
     identities to use for impersonation in the chain. By default there are no
     delegates.

action.yml

@@ -58,6 +58,29 @@ inputs:
       used for authentication via gcloud and Google Cloud SDKs.
     default: true
     required: false
+  export_environment_variables:
+    description: |-
+      If true, the action will export common environment variables which are
+      known to be consumed by popular downstream libraries and tools, including:
+
+      - CLOUDSDK_PROJECT
+      - CLOUDSDK_CORE_PROJECT
+      - GCP_PROJECT
+      - GCLOUD_PROJECT
+      - GOOGLE_CLOUD_PROJECT
+
+      If "create_credentials_file" is true, additional environment variables are
+      exported:
+
+      - CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE
+      - GOOGLE_APPLICATION_CREDENTIALS
+      - GOOGLE_GHA_CREDS_PATH
+
+      If false, the action will not export any environment variables, meaning
+      future steps are unlikely to be automatically authenticated to Google
+      Cloud.
+    default: true
+    required: false
   token_format:
     description: |-
       Output format for the generated authentication token. For OAuth 2.0 access

src/main.ts

@@ -59,6 +59,7 @@ async function run(): Promise<void> {
       getInput('audience') || `https://iam.googleapis.com/${workloadIdentityProvider}`;
     const credentialsJSON = getInput('credentials_json');
     const createCredentialsFile = getBooleanInput('create_credentials_file');
+    const exportEnvironmentVariables = getBooleanInput('export_environment_variables');
     const tokenFormat = getInput('token_format');
     const delegates = parseCSV(getInput('delegates'));
 
@@ -163,26 +164,32 @@ async function run(): Promise<void> {
       // Output to be available to future steps.
       setOutput('credentials_file_path', credentialsPath);
 
-      // CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE is picked up by gcloud to use
-      // a specific credential file (subject to change and equivalent to auth/credential_file_override)
-      exportVariable('CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE', credentialsPath);
+      if (exportEnvironmentVariables) {
+        // CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE is picked up by gcloud to
+        // use a specific credential file (subject to change and equivalent to
+        // auth/credential_file_override).
+        exportVariableAndWarn('CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE', credentialsPath);
 
-      // GOOGLE_APPLICATION_CREDENTIALS is used by Application Default Credentials
-      // in all GCP client libraries
-      exportVariable('GOOGLE_APPLICATION_CREDENTIALS', credentialsPath);
+        // GOOGLE_APPLICATION_CREDENTIALS is used by Application Default
+        // Credentials in all GCP client libraries.
+        exportVariableAndWarn('GOOGLE_APPLICATION_CREDENTIALS', credentialsPath);
 
-      // GOOGLE_GHA_CREDS_PATH is used by other Google GitHub Actions
-      exportVariable('GOOGLE_GHA_CREDS_PATH', credentialsPath);
+        // GOOGLE_GHA_CREDS_PATH is used by other Google GitHub Actions.
+        exportVariableAndWarn('GOOGLE_GHA_CREDS_PATH', credentialsPath);
+      }
     }
 
     // Set the project ID environment variables to the computed values.
     const computedProjectID = await client.getProjectID();
     setOutput('project_id', computedProjectID);
-    exportVariable('CLOUDSDK_PROJECT', computedProjectID);
-    exportVariable('CLOUDSDK_CORE_PROJECT', computedProjectID);
-    exportVariable('GCP_PROJECT', computedProjectID);
-    exportVariable('GCLOUD_PROJECT', computedProjectID);
-    exportVariable('GOOGLE_CLOUD_PROJECT', computedProjectID);
+
+    if (exportEnvironmentVariables) {
+      exportVariableAndWarn('CLOUDSDK_CORE_PROJECT', computedProjectID);
+      exportVariableAndWarn('CLOUDSDK_PROJECT', computedProjectID);
+      exportVariableAndWarn('GCLOUD_PROJECT', computedProjectID);
+      exportVariableAndWarn('GCP_PROJECT', computedProjectID);
+      exportVariableAndWarn('GOOGLE_CLOUD_PROJECT', computedProjectID);
+    }
 
     switch (tokenFormat) {
       case '': {
@@ -261,4 +268,22 @@ async function run(): Promise<void> {
   }
 }
 
+/**
+ * exportVariableAndWarn exports the given key as an environment variable set to
+ * the provided value. If a value already exists, it is overwritten and an
+ * warning is emitted.
+ *
+ * @param key Environment variable key.
+ * @param value Environment variable value.
+ */
+function exportVariableAndWarn(key: string, value: string) {
+  const existing = process.env[key];
+  if (existing) {
+    const old = JSON.stringify(existing);
+    logWarning(`Overwriting existing environment variable ${key} (was: ${old})`);
+  }
+
+  exportVariable(key, value);
+}
+
 run();