Last week service_account_key deprecation broke us. Would it be possible for you to cut a release? so we can pin our version

This issue has been tracked since 2021-12-06.

TL;DR

Last week service_account_key deprecation broke our pipelines. Would it be possible for you to cut a release so we can pin our version to a version that works with gcloud functions deploy ...?

Detailed design

Last week service_account_key deprecation broke our pipelines. We have updated our use of google-github-actions/setup-gcloud to v0.2.1.

Previously

      - uses: google-github-actions/[email protected]
        with:
          version: 'latest'
          service_account_key: ${{ secrets.KEY }}

Now

      - uses: google-github-actions/[email protected]
        with:
          credentials_json: ${{ secrets.KEY }}

      - uses: google-github-actions/[email protected]

However, pinning to google-github-actions/[email protected] and using the gcloud functions deploy CLI in our deploy scripts causes the following error:

ServiceException: 401 Anonymous caller does not have storage.objects.create access to the Google Cloud Storage object.

If we update google-github-actions/setup-gcloud to master the error goes away and our GitHub actions work as intended.

Current action in repositories using gcloud functions deploy

      - uses: google-github-actions/[email protected]
        with:
          credentials_json: ${{ secrets.KEY }}

      - uses: google-github-actions/[email protected]

So we are back at square one. In an ideal world we would like to pin google-github-actions/setup-gcloud to a version that works with gcloud functions deploy to avoid having our pipeline break again. We can then manage updating our Action versions separately.

The question to you

Would it be possible for you to cut a release from your current master branch and then we can pin google-github-actions/setup-gcloud to this version?

Many Thanks

Additional information

A few related questions

  • How long do you give warnings of deprecation for? We noticed a warning the day of deprecation and are unsure if we had seen this before
  • Would it be possible to future-date your deprecations so we can plan and prioritise fixes?
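
The pinning concern raised in the issue above, as an added example that is not part of the original post or the project's code: a small Python audit that reports workflow steps whose `uses:` ref is a moving branch rather than a release tag or commit SHA. The sample workflow and the 40-character SHA in it are constructed; `v0.2.1` and `master` are the refs named in the thread.

```python
import re

# Captures the value of a step's `uses:` key, e.g. "- uses: owner/repo@ref".
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")

def classify_ref(uses):
    """Return how tightly one `uses:` value is pinned."""
    if uses.startswith("./") or uses.startswith("docker://"):
        return "local-or-image"   # not a repository ref; ignored by the audit
    _, sep, ref = uses.partition("@")
    if not sep or not ref:
        return "missing-ref"
    if FULL_SHA_RE.match(ref):
        return "commit-sha"       # immutable
    if TAG_RE.match(ref):
        return "tag"              # a release, though a tag can still be moved
    return "branch"               # e.g. master: changes without notice

def audit_workflow(text, allowed=("commit-sha", "tag")):
    """Return [(line_no, uses, kind)] for steps not pinned to an allowed kind."""
    findings = []
    for m in USES_RE.finditer(text):
        kind = classify_ref(m.group(1))
        if kind not in allowed and kind != "local-or-image":
            line_no = text.count("\n", 0, m.start(1)) + 1
            findings.append((line_no, m.group(1), kind))
    return findings

# Constructed sample workflow; the SHA is a made-up placeholder value.
SAMPLE = """\
jobs:
  setup-deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: google-github-actions/auth@0123456789abcdef0123456789abcdef01234567
        with:
          credentials_json: ${{ secrets.KEY }}
      - uses: google-github-actions/setup-gcloud@master
      - uses: google-github-actions/setup-gcloud@v0.2.1
      - name: Deploy
        run: sh ./deploy.sh x-env
"""

if __name__ == "__main__":
    for line_no, uses, kind in audit_workflow(SAMPLE):
        print(f"line {line_no}: {uses} is pinned to a {kind}")
```

Passing `allowed=("commit-sha",)` tightens the policy so that release tags are reported as well.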
feedmypixel wrote this answer on 2021-12-06

I also feel this question is slightly different than #339 and could potentially involve a v0.2.2 release that contains a fix for the gcloud functions deploy not working in v0.2.1

Interested to hear your thoughts

sethvargo wrote this answer on 2021-12-06

Hi @feedmypixel

Even though it's deprecated, the intention is for service_account_key to continue working for a long time before we remove that functionality.

Can you please share your full GitHub Actions YAML so we can try to reproduce your issue and bring back backwards-compatibility?

elefeint wrote this answer on 2021-12-06

@sethvargo I have an example of this, too -- in cloud-spanner-r2dbc.
Scheduled integration test run failed with:

Run google-github-actions/[email protected]
/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/2353957e-1d49-417e-ac61-fbc315730fa9 -f /home/runner/work/_temp/9459883d-ecf6-41a7-b647-48df0211d9fa
Successfully set default project
Warning: "service_account_key" has been deprecated. Please switch to using google-github-actions/auth which supports both Workload Identity Federation and Service Account Key JSON authentication. For more details, see https://github.com/google-github-actions/setup-gcloud#authorization
Error: google-github-actions/setup-gcloud failed with: The process '/opt/hostedtoolcache/gcloud/365.0.1/x64/bin/gcloud' failed with exit code 1
 
feedmypixel wrote this answer on 2021-12-06

@sethvargo unfortunately I can't share the entire .github/workflows due to NDA and us being a private repo.

But this should give you enough to reproduce the problem.

Working example

Example deploy.yaml

name: Deploy

on:
  push:
    branches:
      - master
      - main

env:
  GITHUB_SHA: ${{ github.sha }}

jobs:
  setup-deploy:
    name: Setup Deploy
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/[email protected]

        # this will build the app and zip it, to then be uploaded in the deploy script
      - name: Build Zip
        run: |
          sh ./build.sh

      - name: Setup GCP Auth
        uses: google-github-actions/[email protected]
        with:
          credentials_json: ${{ secrets.KEY }}

      - uses: google-github-actions/[email protected]

      - name: Deploy to X environment
        run: |
          sh ./deploy.sh x-env

Example deploy.sh

#!/bin/sh
set -eu
# POSIX sh has no $'...' quoting, so build the newline+tab IFS with printf
IFS="$(printf '\n\t')"

SERVICE_APPLICATION_NAME="example-application-name"
VERSION="example-version"

GCP_PROJECT_ID=$1
GCP_REPOSITORY_HOST="example-host"
GCP_FUNCTION_ZIP="$SERVICE_APPLICATION_NAME-$VERSION.zip"
GCP_FUNCTION_REPOSITORY="$GCP_PROJECT_ID-$SERVICE_APPLICATION_NAME-function"

echo "Copying $GCP_FUNCTION_ZIP to storage gs://$GCP_FUNCTION_REPOSITORY"
gsutil cp "$GCP_FUNCTION_ZIP" "gs://$GCP_FUNCTION_REPOSITORY"

echo "Deploying $GCP_FUNCTION_ZIP to function $SERVICE_APPLICATION_NAME on environment $GCP_PROJECT_ID"
gcloud functions deploy "$SERVICE_APPLICATION_NAME" --source="gs://$GCP_FUNCTION_REPOSITORY/$GCP_FUNCTION_ZIP" \
 --project "$GCP_PROJECT_ID" \
 --entry-point entryPoint \
 --runtime nodejs14 \
 --region example-region

Non-working example

With google-github-actions/[email protected] set to v0.2.1. This gives us the error:

ServiceException: 401 Anonymous caller does not have storage.objects.create access to the Google Cloud Storage object.

Example deploy.yaml

name: Deploy

on:
  push:
    branches:
      - master
      - main

env:
  GITHUB_SHA: ${{ github.sha }}

jobs:
  setup-deploy:
    name: Setup Deploy
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/[email protected]

        # this will build the app and zip it, to then be uploaded in the deploy script
      - name: Build Zip
        run: |
          sh ./build.sh

      - name: Setup GCP Auth
        uses: google-github-actions/[email protected]
        with:
          credentials_json: ${{ secrets.KEY }}

      - uses: google-github-actions/[email protected]

      - name: Deploy to X environment
        run: |
          sh ./deploy.sh x-env

Example deploy.sh

#!/bin/sh
set -eu
# POSIX sh has no $'...' quoting, so build the newline+tab IFS with printf
IFS="$(printf '\n\t')"

SERVICE_APPLICATION_NAME="example-application-name"
VERSION="example-version"

GCP_PROJECT_ID=$1
GCP_REPOSITORY_HOST="example-host"
GCP_FUNCTION_ZIP="$SERVICE_APPLICATION_NAME-$VERSION.zip"
GCP_FUNCTION_REPOSITORY="$GCP_PROJECT_ID-$SERVICE_APPLICATION_NAME-function"

echo "Copying $GCP_FUNCTION_ZIP to storage gs://$GCP_FUNCTION_REPOSITORY"
gsutil cp "$GCP_FUNCTION_ZIP" "gs://$GCP_FUNCTION_REPOSITORY"

echo "Deploying $GCP_FUNCTION_ZIP to function $SERVICE_APPLICATION_NAME on environment $GCP_PROJECT_ID"
gcloud functions deploy "$SERVICE_APPLICATION_NAME" --source="gs://$GCP_FUNCTION_REPOSITORY/$GCP_FUNCTION_ZIP" \
 --project "$GCP_PROJECT_ID" \
 --entry-point entryPoint \
 --runtime nodejs14 \
 --region example-region

feedmypixel wrote this answer on 2021-12-06

Let me know if you need anything else

bharathkkb wrote this answer on 2021-12-06

@feedmypixel I believe the issue is

      - uses: google-github-actions/[email protected]
        with:
          credentials_json: ${{ secrets.KEY }}

      - uses: google-github-actions/[email protected]

[email protected] does not understand how to handle auth setup via google-github-actions/auth. I will tag a new release and update the readme.

feedmypixel wrote this answer on 2021-12-07

@bharathkkb great stuff, many thanks

feedmypixel wrote this answer on 2021-12-07

@bharathkkb to wrap up, using the following is working for us:

      - name: Set up GCP Auth
        uses: google-github-actions/[email protected]
        with:
          credentials_json: ${{ secrets.KEY }}

      - uses: google-github-actions/[email protected]
More Details About Repo
Owner Name google-github-actions
Repo Name setup-gcloud
Full Name google-github-actions/setup-gcloud
Language TypeScript
Created Date 2019-11-05
Updated Date 2023-03-23
Star Count 1505
Watcher Count 65
Fork Count 548
Issue Count 11
