Github Actions use Google Credentials

To avoid an issue with google go sdk leaking goroutines we need to ensure it has a proper credential file which avoids it looking up metadata from the GCE metadata endpoints. See: googleapis/google-cloud-go#5430
viamrobotics · Aug 9, 2022 · 5c1c007 · 5c1c007
1 parent 43049f5
commit 5c1c007
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 3 deletions.
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -41,3 +41,4 @@ jobs:
     secrets:
       REPO_READ_TOKEN: ${{ secrets.REPO_READ_TOKEN }}
       GIT_ACCESS_TOKEN: ${{ secrets.GIT_ACCESS_TOKEN }}
+      ARTIFACT_READ_ONLY_GCP_CREDENTIALS: ${{ secrets.ARTIFACT_READ_ONLY_GCP_CREDENTIALS }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -23,6 +23,7 @@ jobs:
     secrets:
       REPO_READ_TOKEN: ${{ secrets.REPO_READ_TOKEN }}
       GIT_ACCESS_TOKEN: ${{ secrets.GIT_ACCESS_TOKEN }}
+      ARTIFACT_READ_ONLY_GCP_CREDENTIALS: ${{ secrets.ARTIFACT_READ_ONLY_GCP_CREDENTIALS }}
 
   appimage:
     needs: test

diff --git a/.github/workflows/pullrequest.yml b/.github/workflows/pullrequest.yml
@@ -16,10 +16,11 @@ on:
 
 jobs:
   test:
-    uses: viamrobotics/rdk/.github/workflows/test.yml@main
+    uses: viamrobotics/rdk/.github/workflows/test.yml@support-credentials
     secrets:
       REPO_READ_TOKEN: ${{ secrets.REPO_READ_TOKEN }}
       GIT_ACCESS_TOKEN: ${{ secrets.GIT_ACCESS_TOKEN }}
+      ARTIFACT_READ_ONLY_GCP_CREDENTIALS: ${{ secrets.ARTIFACT_READ_ONLY_GCP_CREDENTIALS }}
 
   # This lets people add an "appimage" tag to have appimages built for the PR
   appimage:

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -8,9 +8,12 @@ on:
         required: true
       GIT_ACCESS_TOKEN:
         required: true
+      ARTIFACT_READ_ONLY_GCP_CREDENTIALS:
+        required: true
 
 env:
   GOPRIVATE: "github.com/viamrobotics/*,go.viam.com/*"
+  GOOGLE_APPLICATION_CREDENTIALS_FILENAME: "google-credentials.json"
 
 jobs:
   build_and_test:
@@ -38,6 +41,21 @@ jobs:
       with:
         fetch-depth: 2
 
+    - name: Authorize GCP
+      uses: google-github-actions/auth@v0.4.3
+      with:
+        credentials_json: '${{ secrets.ARTIFACT_READ_ONLY_GCP_CREDENTIALS }}'
+        create_credentials_file: true
+        export_environment_variables: true
+
+    - name: Move GCP Credential to a known file
+      run: |
+        NEW_GOOGLE_APPLICATION_CREDENTIALS=`dirname ${GOOGLE_APPLICATION_CREDENTIALS}`/${GOOGLE_APPLICATION_CREDENTIALS_FILENAME}
+        mv ${GOOGLE_APPLICATION_CREDENTIALS} ${NEW_GOOGLE_APPLICATION_CREDENTIALS}
+        echo "GOOGLE_APPLICATION_CREDENTIALS=${NEW_GOOGLE_APPLICATION_CREDENTIALS}" >> $GITHUB_ENV
+        echo "GOOGLE_GHA_CREDS_PATH=${NEW_GOOGLE_APPLICATION_CREDENTIALS}" >> $GITHUB_ENV
+        echo "CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=${NEW_GOOGLE_APPLICATION_CREDENTIALS}" >> $GITHUB_ENV
+
     - name: Configure git for private repos
       run: |
         sudo -u testbot bash -lc 'echo "machine github.com login viambot password ${{ secrets.REPO_READ_TOKEN }}" > ~/.netrc'
@@ -59,7 +77,7 @@ jobs:
     - name: Test
       if: matrix.platform == 'linux/amd64'
       run: |
-        sudo -u testbot bash -lc 'make cover test-web'
+        sudo --preserve-env=GOOGLE_APPLICATION_CREDENTIALS -u testbot bash -lc 'make cover test-web'
 
     - name: Code Coverage Summary Report
       if: matrix.platform == 'linux/amd64'
@@ -100,6 +118,21 @@ jobs:
       with:
         fetch-depth: 2
 
+    - name: Authorize GCP
+      uses: google-github-actions/auth@v0.4.3
+      with:
+        credentials_json: '${{ secrets.ARTIFACT_READ_ONLY_GCP_CREDENTIALS }}'
+        create_credentials_file: true
+        export_environment_variables: true
+
+    - name: Move GCP Credential to a known file
+      run: |
+        NEW_GOOGLE_APPLICATION_CREDENTIALS=`dirname ${GOOGLE_APPLICATION_CREDENTIALS}`/${GOOGLE_APPLICATION_CREDENTIALS_FILENAME}
+        mv ${GOOGLE_APPLICATION_CREDENTIALS} ${NEW_GOOGLE_APPLICATION_CREDENTIALS}
+        echo "GOOGLE_APPLICATION_CREDENTIALS=${NEW_GOOGLE_APPLICATION_CREDENTIALS}" >> $GITHUB_ENV
+        echo "GOOGLE_GHA_CREDS_PATH=${NEW_GOOGLE_APPLICATION_CREDENTIALS}" >> $GITHUB_ENV
+        echo "CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=${NEW_GOOGLE_APPLICATION_CREDENTIALS}" >> $GITHUB_ENV
+
     - name: Clean
       run: make clean-all
 

diff --git a/.gitignore b/.gitignore
@@ -66,3 +66,6 @@ bin/
 
 # exclude files from `ag` search
 .ignore
+
+# exclude credential created during CI
+google-credentials.json
diff --git a/Makefile b/Makefile
@@ -76,7 +76,7 @@ test-web: build-web
 # test.short skips tests requiring external hardware (motors/servos)
 test-pi:
 	go test -c -o $(BIN_OUTPUT_PATH)/test-pi go.viam.com/rdk/component/board/pi/impl
-	sudo $(BIN_OUTPUT_PATH)/test-pi -test.short -test.v
+	sudo --preserve-env=GOOGLE_APPLICATION_CREDENTIALS $(BIN_OUTPUT_PATH)/test-pi -test.short -test.v
 
 server:
 	go build $(LDFLAGS) -o $(BIN_OUTPUT_PATH)/server web/cmd/server/main.go