feat: add WIF docs, add warning for credentials input (#194)

fix debug, readme

fix url

.github/workflows/deploy-cf-it.yml

@@ -6,6 +6,10 @@ on:
     - 'main'
   pull_request:
 
+concurrency:
+  group: '${{ github.head_ref || github.ref }}-it'
+  cancel-in-progress: true
+
 jobs:
   gcloud:
     if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]' }}
@@ -182,3 +186,45 @@ jobs:
     - name: Catch failure
       run: |-
         if [ ${{ steps.deploy.outcome }} != 'failure' ]; then exit 1; fi
+  wif:
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+    if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]' }}
+    name: with wif
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - uses: google-github-actions/auth@main
+      with:
+        workload_identity_provider: ${{ secrets.WIF_PROVIDER_NAME }}
+        service_account: ${{ secrets.DEPLOY_CF_SA_EMAIL }}
+    - id: build
+      name: Build dist
+      run: |-
+        npm install
+        npm run build
+    - id: deploy
+      uses: ./
+      with:
+        name: wif-http-${{ github.run_number }}
+        runtime: nodejs10
+        entry_point: helloWorld
+        source_dir: ./tests/test-node-func/
+    - uses: actions/setup-node@master
+      with:
+        node-version: 12.x
+    - uses: google-github-actions/setup-gcloud@master # Set up ADC to make authenticated request to service
+      with:
+        service_account_email: ${{ secrets.DEPLOY_CF_SA_EMAIL }}
+        service_account_key: ${{ secrets.DEPLOY_CF_SA_KEY_JSON }}
+        export_default_credentials: true
+    - name: integration tests
+      run: npm run e2e-tests
+      env:
+        URL: ${{ steps.deploy.outputs.url }}
+    - name: integration test clean up
+      run: npm run cleanup
+      env:
+        DEPLOY_CF_SA_KEY_JSON: ${{ secrets.DEPLOY_CF_SA_KEY_JSON }}
+        CF_NAME: projects/${{ secrets.DEPLOY_CF_PROJECT_ID }}/locations/us-central1/functions/wif-http-${{ github.run_number }}

.github/workflows/deploy-cf-unit.yml

@@ -2,6 +2,10 @@ name: deploy-cloud-functions Unit
 
 on: [push, pull_request]
 
+concurrency:
+  group: '${{ github.head_ref || github.ref }}-unit'
+  cancel-in-progress: true
+
 jobs:
   run:
     name: test

README.md

@@ -32,12 +32,16 @@ Cloud Function. See the Authorization section below for more information.
 ```yaml
 steps:
 - uses: actions/checkout@v2
+- id: auth
+  uses: google-github-actions/auth@v0.4.0
+  with:
+    workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
+    service_account: 'my-service-account@my-project.iam.gserviceaccount.com'
 - id: deploy
-  uses: google-github-actions/deploy-cloud-functions@main
+  uses: google-github-actions/deploy-cloud-functions@v0.6.0
   with:
     name: my-function
     runtime: nodejs10
-    credentials: ${{ secrets.gcp_credentials }}
 
 # Example of using the output
 - id: test
@@ -56,11 +60,6 @@ steps:
 
 - `region`: (Optional) [Region](https://cloud.google.com/functions/docs/locations) in which the function should be deployed. Defaults to `us-central1`.
 
-- `credentials`: (Optional) Service account key to use for authentication. This should be
-  the JSON formatted private key which can be exported from the Cloud Console. The
-  value can be raw or base64-encoded. Required if not using a the
-  `setup-gcloud` action with exported credentials.
-
 - `env_vars`: (Optional) List of key-value pairs to set as environment variables in the format:
   `KEY1=VALUE1,KEY2=VALUE2`. All existing environment variables will be
   removed, even if this parameter is not passed.
@@ -96,6 +95,11 @@ steps:
 
 - `deploy_timeout`: (Optional) The function deployment timeout in seconds. Defaults to 300.
 
+- `credentials`: (**Deprecated**) This input is deprecated. See [auth section](https://github.com/google-github-actions/deploy-cloud-functions#via-google-github-actionsauth) for more details.
+  Service account key to use for authentication. This should be
+  the JSON formatted private key which can be exported from the Cloud Console. The
+  value can be raw or base64-encoded.
+
 ## Allow unauthenticated requests
 
 A Cloud Functions product recommendation is that CI/CD systems not set or change
@@ -122,36 +126,40 @@ This service account needs to be a member of the `App Engine default service acc
 `Service Account User` (`roles/iam.serviceAccountUser`). See [additional configuration for deployment](https://cloud.google.com/functions/docs/reference/iam/roles#additional-configuration)
 for further instructions.
 
-### Used with `setup-gcloud`
+### Via google-github-actions/auth
+
+Use [google-github-actions/auth](https://github.com/google-github-actions/auth) to authenticate the action. You can use [Workload Identity Federation][wif] or traditional [Service Account Key JSON][sa] authentication.
+by specifying the `credentials` input. This Action supports both the recommended [Workload Identity Federation][wif] based authentication and the traditional [Service Account Key JSON][sa] based auth.
 
-You can provide credentials using the [setup-gcloud][setup-gcloud] action:
+See [usage](https://github.com/google-github-actions/auth#usage) for more details.
+
+#### Authenticating via Workload Identity Federation
 
 ```yaml
-- uses: google-github-actions/setup-gcloud@master
-  with:
-    service_account_key: ${{ secrets.GCP_SA_KEY }}
-    export_default_credentials: true
 - uses: actions/checkout@v2
-- id: Deploy
-  uses: google-github-actions/deploy-cloud-functions@main
+- id: auth
+  uses: google-github-actions/auth@v0.4.0
+  with:
+    workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
+    service_account: 'my-service-account@my-project.iam.gserviceaccount.com'
+- id: deploy
+  uses: google-github-actions/deploy-cloud-functions@v0.6.0
   with:
     name: my-function
     runtime: nodejs10
 ```
 
-### Via Credentials
-
-You can provide [Google Cloud Service Account JSON][sa] directly to the action
-by specifying the `credentials` input. First, create a [GitHub
-Secret][gh-secret] that contains the JSON content, then import it into the
-action:
+#### Authenticating via Service Account Key JSON
 
 ```yaml
 - uses: actions/checkout@v2
-- id: Deploy
-  uses: google-github-actions/deploy-cloud-functions@main
+- id: auth
+  uses: google-github-actions/auth@v0.4.0
+  with:
+    credentials_json: ${{ secrets.gcp_credentials }}
+- id: deploy
+  uses: google-github-actions/deploy-cloud-functions@v0.6.0
   with:
-    credentials: ${{ secrets.GCP_SA_KEY }}
     name: my-function
     runtime: nodejs10
 ```
@@ -166,7 +174,7 @@ only works using a custom runner hosted on GCP.**
 ```yaml
 - uses: actions/checkout@v2
 - id: Deploy
-  uses: google-github-actions/deploy-cloud-functions@main
+  uses: google-github-actions/deploy-cloud-functions@v0.6.0
   with:
     name: my-function
     runtime: nodejs10
@@ -178,6 +186,7 @@ Credentials.
 [cloud-functions]: https://cloud.google.com/functions
 [runtimes]: https://cloud.google.com/sdk/gcloud/reference/functions/deploy#--runtime
 [sm]: https://cloud.google.com/secret-manager
+[wif]: https://cloud.google.com/iam/docs/workload-identity-federation
 [sa]: https://cloud.google.com/iam/docs/creating-managing-service-accounts
 [gh-runners]: https://help.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners
 [gh-secret]: https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets

src/main.ts

@@ -45,6 +45,15 @@ async function run(): Promise<void> {
     const deployTimeout = core.getInput('deploy_timeout');
     const labels = core.getInput('labels');
 
+    // Add warning if using credentials
+    if (credentials) {
+      core.warning(
+        '"credentials" input has been deprecated. ' +
+          'Please switch to using google-github-actions/auth which supports both Workload Identity Federation and JSON Key authentication. ' +
+          'For more details, see https://github.com/google-github-actions/deploy-cloud-functions#authorization',
+      );
+    }
+
     // Create Cloud Functions client
     const client = new CloudFunctionClient(region, { projectId, credentials });