create_credentials_file: true and export_environment_variables: true have unexpected behavior when changing branches

This issue has been tracked since 2022-08-16.

TL;DR

These arguments set environment variables and put the credentials file in the same directory as the repo, for example `/home/runner/work/source/source/gha-creds-1bf74eacd9558f6f.json`:

```yaml
create_credentials_file: true
export_environment_variables: true
```

When I need to check out multiple branches, and switch between branches, the credentials file is removed, but the environment variable remains set.

So I get errors like the following:

```text
Initializing the backend...
╷
│ Error: storage.NewClient() failed: dialing: google: error getting credentials using GOOGLE_APPLICATION_CREDENTIALS environment variable: open /home/runner/work/source/source/gha-creds-6f2617897edcad1f.json: no such file or directory
│
```

Additionally, the GitHub page outputs the following warning every time I rerun the auth action:

```text
Overwriting existing environment variable CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE (was: "/home/runner/work/source/source/gha-creds-dbc26c61e25b03d5.json")
```

My root `.gitignore` has `gha-creds-*.json` set, but it appears the checkout action removes the entire directory.

As a workaround, any time I need to switch branches in a single GitHub Actions job I re-run the auth. I would prefer to only have to run auth once per GitHub Actions job, to prevent errors from human mistakes while iterating on pipelines.

Is there a suggested workaround?

Expected behavior

The auth pipeline shouldn't have odd interactions with unrelated checkout pipelines, and should auth for all the steps in a given GitHub Actions job.

Observed behavior

Must re-run auth after every checkout.

Action YAML

This pipeline runs certain actions always from `HEAD`, and allows a user to run these actions against a specified SHA in the repo. This behavior allows us to update the actions independently of the test SHA, so that we can maintain backwards compatibility of the pipeline and, when new problems are found, we can integrate tests to discover them.


```yaml
name: CI-perf
on:
  workflow_dispatch:
    inputs:
      sha:
        description: 'Git SHA for the afs/source repo to perform the perf pipeline against'
        default: 'main'

concurrency:
  group: ci-perf

jobs:
  build:
    runs-on: ubuntu-latest

    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
      - name: SHA-codebase
        # action names below were garbled in this copy of the issue; the
        # version tags were not preserved, so <version> is a placeholder
        uses: actions/checkout@<version>
        with:
          ref: ${{ github.event.inputs.sha }}
          lfs: true

      - name: Setup Google Cloud SDK
        uses: 'google-github-actions/setup-gcloud@<version>'
        with:
          project_id: ${{ github.event.inputs.sandbox }}

      - name: 'auth-service-accounts'
        id: auth-service-accounts
        uses: 'google-github-actions/auth@<version>'
        with:
          workload_identity_provider: 'EXAMPLE'
          service_account: 'EXAMPLE'
          create_credentials_file: true
          export_environment_variables: true

      - name: obtain-service-accounts
        id: service-accounts
        run: |
          dummy-script.sh

      # terraform expects to be run from the HEAD of the repo
      - name: setup-infra-checkout
        uses: actions/checkout@<version>
        with:
          lfs: true

      - name: 'auth-infra'
        id: auth-infra
        uses: 'google-github-actions/auth@<version>'
        with:
          workload_identity_provider: 'EXAMPLE'
          service_account: 'EXAMPLE'
          create_credentials_file: true
          export_environment_variables: true

      # if I don't rerun auth, the problem will happen here
      - name: Create Infra
        id: create-infra
        working-directory: perf/infra
        env:
          SERVICE_ACCOUNTS: ${{ steps.service-accounts.outputs.all_service_accounts }}
        run: |
          ./run.sh
```

Log output

Can apply log output if needed, but this is very easy to replicate.

Additional information

My initial thought is that it would be preferable to have the file output to a different directory than the checkout directory, as this would reduce the dependency on having to run checkout first.

sethvargo wrote this answer on 2022-08-16

Hi @wimo7083

Thank you for opening an issue. The credentials file must be created inside the workspace because that is the only path that is shared with Docker-based actions by default. If the credential file is put outside of the checkout, it may be inaccessible to other steps and is inaccessible to Docker-based GitHub Actions. Furthermore, on self-hosted runners, storing the credential outside of the checkout poses a security risk, since /tmp and other directories might be readable by other users.

The `actions/checkout` action does clear the entire directory. This action is managed by GitHub, not us. Is there a reason you can't run `git checkout HEAD` instead of using the checkout action? That would prevent the directory from being cleared.

The warnings about overwriting environment variables are intentional; they help users understand when a previous configuration has been changed. In this case, it's telling you that the previous authentication is being overwritten.
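Following that suggestion, here is the job from the issue restructured so that `actions/checkout` runs only once, before auth, and the later switch to the dispatching branch is done with plain git, which leaves the untracked, gitignored `gha-creds-*.json` in place. This is an added example, not code from the issue or from the auth project: the `@<version>` tags are placeholders for the version pins missing from this copy of the issue, `dummy-script.sh`, `./run.sh` and `EXAMPLE` are carried over from the issue, and `git lfs` is assumed to be installed on the runner.

```yaml
name: CI-perf
on:
  workflow_dispatch:
    inputs:
      sha:
        description: 'Git SHA to run the perf pipeline against'
        default: 'main'
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      # The only actions/checkout in the job. It wipes the workspace, so it
      # must run before auth writes gha-creds-*.json into that directory.
      - name: checkout-test-sha
        uses: actions/checkout@<version>   # placeholder version tag
        with:
          ref: ${{ github.event.inputs.sha }}
          lfs: true
      # Authenticate once. With export_environment_variables: true the action
      # sets GOOGLE_APPLICATION_CREDENTIALS for every later step in the job.
      - name: auth
        uses: google-github-actions/auth@<version>   # placeholder version tag
        with:
          workload_identity_provider: 'EXAMPLE'
          service_account: 'EXAMPLE'
          create_credentials_file: true
          export_environment_variables: true
      - name: obtain-service-accounts
        id: service-accounts
        run: dummy-script.sh
      # Switch to the branch the workflow was dispatched from using plain git.
      # A git checkout keeps untracked, gitignored files such as gha-creds-*.json;
      # the checkout action's workspace clean does not.
      - name: switch-to-head
        run: |
          git fetch --depth=1 origin "$GITHUB_REF"
          git checkout --detach FETCH_HEAD
          git lfs pull   # assumes git-lfs is present on the runner
          # fail here, not later inside terraform, if the credentials file is gone
          test -f "$GOOGLE_APPLICATION_CREDENTIALS"
      - name: Create Infra
        working-directory: perf/infra
        env:
          SERVICE_ACCOUNTS: ${{ steps.service-accounts.outputs.all_service_accounts }}
        run: ./run.sh
```

The `test -f` line turns the silent "file removed, variable still set" state from the issue into an immediate step failure with an obvious cause.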

wimo7083 wrote this answer on 2022-08-16

Is there a reason you can't ....

Nope and I can't believe I missed the forest for the trees here.

More Details About Repo

Owner Name: google-github-actions
Repo Name: auth
Full Name: google-github-actions/auth
Language: TypeScript
Created Date: 2021-09-16
Updated Date: 2023-03-24
Star Count: 573
Watcher Count: 16
Fork Count: 116
Issue Count: 3
