-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathaction.yaml
70 lines (67 loc) · 2.66 KB
/
action.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: Setup Custard
description: Sets up the Custard testing environment.
inputs:
path:
description: Path of the package to run.
required: true
ci-setup:
description: The CI setup for the package path.
required: true
project-id:
description: The Google Cloud project ID.
required: false
workload-identity-provider:
description: The Google Cloud workload identity provider.
required: false
service-account:
description: The Google Cloud service account to use for credentials.
required: false
runs:
using: composite
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Authenticate
uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2
if: inputs.project-id && inputs.workload-identity-provider && inputs.service-account
id: auth
with:
project_id: ${{ inputs.project-id }}
workload_identity_provider: ${{ inputs.workload-identity-provider }}
service_account: ${{ inputs.service-account }}
access_token_lifetime: 600s # 10 minutes
token_format: id_token
id_token_audience: https://action.test/ # service must have this custom audience
id_token_include_email: true
- name: Export environment variables
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
id: vars
with:
script: |
const { default: setupVars } = await import('${{ github.workspace }}/.github/scripts/setup-vars.js');
return await setupVars({
core,
projectId: '${{ inputs.project-id }}',
setup: ${{ inputs.ci-setup }},
serviceAccount: '${{ inputs.service-account }}',
idToken: '${{ steps.auth.outputs.id_token }}',
})
- name: Fetch secrets
uses: google-github-actions/get-secretmanager-secrets@e5bb06c2ca53b244f978d33348d18317a7f263ce # v2
if: ${{ fromJson(steps.vars.outputs.result).secrets }}
with:
secrets: ${{ fromJson(steps.vars.outputs.result).secrets }}
export_to_environment: true