Github Actions use Google Credentials (#1140)

To avoid an issue with google go sdk leaking goroutines we need to ensure it has a proper credential file which avoids it looking up metadata from the GCE metadata endpoints. See: googleapis/google-cloud-go#5430
viamrobotics · Aug 10, 2022 · c6f9fb5 · c6f9fb5
1 parent 5669bd5
commit c6f9fb5
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 2 deletions.
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -41,3 +41,4 @@ jobs:
     secrets:
       REPO_READ_TOKEN: ${{ secrets.REPO_READ_TOKEN }}
       GIT_ACCESS_TOKEN: ${{ secrets.GIT_ACCESS_TOKEN }}
+      ARTIFACT_READ_ONLY_GCP_CREDENTIALS: ${{ secrets.ARTIFACT_READ_ONLY_GCP_CREDENTIALS }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -23,6 +23,7 @@ jobs:
     secrets:
       REPO_READ_TOKEN: ${{ secrets.REPO_READ_TOKEN }}
       GIT_ACCESS_TOKEN: ${{ secrets.GIT_ACCESS_TOKEN }}
+      ARTIFACT_READ_ONLY_GCP_CREDENTIALS: ${{ secrets.ARTIFACT_READ_ONLY_GCP_CREDENTIALS }}
 
   appimage:
     needs: test

diff --git a/.github/workflows/pullrequest.yml b/.github/workflows/pullrequest.yml
@@ -20,6 +20,7 @@ jobs:
     secrets:
       REPO_READ_TOKEN: ${{ secrets.REPO_READ_TOKEN }}
       GIT_ACCESS_TOKEN: ${{ secrets.GIT_ACCESS_TOKEN }}
+      ARTIFACT_READ_ONLY_GCP_CREDENTIALS: ${{ secrets.ARTIFACT_READ_ONLY_GCP_CREDENTIALS }}
 
   # This lets people add an "appimage" tag to have appimages built for the PR
   appimage:

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -8,9 +8,12 @@ on:
         required: true
       GIT_ACCESS_TOKEN:
         required: true
+      ARTIFACT_READ_ONLY_GCP_CREDENTIALS:
+        required: true
 
 env:
   GOPRIVATE: "github.com/viamrobotics/*,go.viam.com/*"
+  GOOGLE_APPLICATION_CREDENTIALS_FILENAME: "google-credentials.json"
 
 jobs:
   build_and_test:
@@ -38,6 +41,12 @@ jobs:
       with:
         fetch-depth: 2
 
+    - name: Create GCP Credential File from secret
+      run: |
+        GOOGLE_APPLICATION_CREDENTIALS=`pwd`/${GOOGLE_APPLICATION_CREDENTIALS_FILENAME}
+        echo "${{ secrets.ARTIFACT_READ_ONLY_GCP_CREDENTIALS }}" >> ${GOOGLE_APPLICATION_CREDENTIALS}
+        echo "GOOGLE_APPLICATION_CREDENTIALS=${GOOGLE_APPLICATION_CREDENTIALS}" >> $GITHUB_ENV
+
     - name: Configure git for private repos
       run: |
         sudo -u testbot bash -lc 'echo "machine github.com login viambot password ${{ secrets.REPO_READ_TOKEN }}" > ~/.netrc'
@@ -59,7 +68,7 @@ jobs:
     - name: Test
       if: matrix.platform == 'linux/amd64'
       run: |
-        sudo -u testbot bash -lc 'make cover test-web'
+        sudo --preserve-env=GOOGLE_APPLICATION_CREDENTIALS -u testbot bash -lc 'make cover test-web'
 
     - name: Code Coverage Summary Report
       if: matrix.platform == 'linux/amd64'
@@ -100,6 +109,12 @@ jobs:
       with:
         fetch-depth: 2
 
+    - name: Create GCP Credential File from secret
+      run: |
+        GOOGLE_APPLICATION_CREDENTIALS=`pwd`/${GOOGLE_APPLICATION_CREDENTIALS_FILENAME}
+        echo "${{ secrets.ARTIFACT_READ_ONLY_GCP_CREDENTIALS }}" >> ${GOOGLE_APPLICATION_CREDENTIALS}
+        echo "GOOGLE_APPLICATION_CREDENTIALS=${GOOGLE_APPLICATION_CREDENTIALS}" >> $GITHUB_ENV
+
     - name: Clean
       run: make clean-all
 

diff --git a/.gitignore b/.gitignore
@@ -66,3 +66,6 @@ bin/
 
 # exclude files from `ag` search
 .ignore
+
+# exclude credential created during CI
+google-credentials.json
diff --git a/Makefile b/Makefile
@@ -77,7 +77,7 @@ test-web: build-web
 # test.short skips tests requiring external hardware (motors/servos)
 test-pi:
 	go test -c -o $(BIN_OUTPUT_PATH)/test-pi go.viam.com/rdk/component/board/pi/impl
-	sudo $(BIN_OUTPUT_PATH)/test-pi -test.short -test.v
+	sudo --preserve-env=GOOGLE_APPLICATION_CREDENTIALS $(BIN_OUTPUT_PATH)/test-pi -test.short -test.v
 
 server:
 	go build $(LDFLAGS) -o $(BIN_OUTPUT_PATH)/server web/cmd/server/main.go