An input that overrides the env.GITHUB_WORKSPACE used as the path for storing the resulting credentials. This conflicts with checks that look for changed / uncommitted files and for use-cases where actions/checkout is run an additional time later in the job or in a nested composite action later.
Add an input for credentials_path that overrides the use of env.GITHUB_WORKSPACE to be a configurable base path.
Lines 180 to 184 in 23620af
The workspace defaults to /home/runner/work/{{ repo }}/{{ repo }} and that is also where code is checked out. There is some risk that the creds file gets committed to the repo if the user has an action that does `git add .` or similar.
Example config:
```yaml
jobs:
  job_id:
    # ...
    # Add "id-token" with the intended permissions.
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      # actions/checkout MUST come before auth
      - uses: 'actions/[email protected]'
      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/[email protected]'
        with:
          credentials_path: '/home/runner/work/.config/gcloud/'
          service_account: '[email protected]'
```
Hi there @mbrancato
Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.
hey @sethvargo - while the path output is mentioned in the README and TROUBLESHOOTING documentation, they do not address my issue. The concern is that the creds file is deleted in a later action because of an additional invocation of the checkout action.

Again, the issue is that a secondary checkout overwrites the creds file because it is in the default checkout path and the checkout action cleans the folder by default. The .gitignore issue is secondary and not really relevant to the problem here.
Our work-around is to move the creds file after it is created and update the env vars.
https://github.com/actions/checkout/blob/ac593985615ec2ede58e132d2e21d2b1cbd6127c/action.yml#L53-L55
I'm not sure I follow:

> This conflicts with checks that look for changed / uncommitted files...

This is the exact use case I described above.

> ...and for use-cases where actions/checkout is run an additional time later in the job or in a nested composite action later.

You can always run the auth action again, which I would definitely recommend doing in composite actions. It feels weird that your composite action would assume authentication existed (but not assume that a checkout existed). You can also use `path` on the checkout action to check out to a different path.
You're free to move or rename the creds outside of the default path, but this introduces a security risk for self-hosted runners, so we intentionally don't expose such functionality in the package.
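The reporter's work-around (move the creds file out of the checkout after auth has written it, then update the env vars) as an added shell example; this is not code from the issue or from the auth action. It assumes the credentials file path produced by the auth step is passed in as an argument, that later steps read the standard `GOOGLE_APPLICATION_CREDENTIALS` / `CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE` variables, and that the env file is the job's `GITHUB_ENV`; the relocated file must still be deleted when the job ends, which is the risk the maintainer points out above.

```bash
#!/usr/bin/env bash
# Added example, not part of google-github-actions/auth. Relocates a credentials
# file written inside GITHUB_WORKSPACE so that a later actions/checkout (which
# cleans the folder) or a `git add .` cannot delete or commit it.
set -eu

# Return 0 if file $1 lies outside directory $2, 1 if it is inside it.
# Used as a guard: creds must never stay under the git checkout.
path_outside_dir() {
  file="$1"
  dir="${2%/}/"
  case "$file" in
    "$dir"*) return 1 ;;
    *)       return 0 ;;
  esac
}

# Move the creds file to a directory outside the workspace (e.g. $RUNNER_TEMP),
# restrict permissions to the runner user, and append the new location to the
# env file so subsequent steps pick it up. Prints the new path.
#   $1 = current creds path   $2 = destination dir   $3 = env file (GITHUB_ENV)
relocate_creds() {
  src="$1"
  dest_dir="$2"
  env_file="$3"
  dest="$dest_dir/$(basename "$src")"
  mkdir -p "$dest_dir"
  chmod 700 "$dest_dir"
  mv "$src" "$dest"
  chmod 600 "$dest"
  # Variable names are assumed to be what later steps read (standard ADC / gcloud names).
  {
    printf 'GOOGLE_APPLICATION_CREDENTIALS=%s\n' "$dest"
    printf 'CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=%s\n' "$dest"
  } >> "$env_file"
  printf '%s\n' "$dest"
}

# Typical step usage (paths are the GitHub Actions defaults, supplied by the runner):
#   NEW=$(relocate_creds "$GOOGLE_APPLICATION_CREDENTIALS" "$RUNNER_TEMP/gcloud" "$GITHUB_ENV")
#   path_outside_dir "$NEW" "$GITHUB_WORKSPACE" || { echo "creds still in checkout"; exit 1; }
```

A later `actions/checkout` step then cleans the workspace without touching the file, and a final step (or a post step) should remove `$RUNNER_TEMP/gcloud` explicitly on self-hosted runners.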
Field | Value
---|---
Owner Name | google-github-actions
Repo Name | auth
Full Name | google-github-actions/auth
Language | TypeScript
Created Date | 2021-09-16
Updated Date | 2023-03-24
Star Count | 573
Watcher Count | 16
Fork Count | 116
Issue Count | 3