cicd/login-action
1
0
Fork 0
mirror of https://github.com/docker/login-action.git synced 2025-10-31 18:20:10 +08:00
Code Issues Projects Wiki Activity

update docs for workload identity federation with GAR

Browse Source 
this is a last mile doc improvement for
https://github.com/docker/login-action/issues/640.

it clarifies how to use direct identity federation in GAR without a
service account using `google-github-actions/auth@v2`.

Signed-off-by: David Montoya <davidmontoyago@gmail.com>
This commit is contained in:
David Montoya 2025-07-09 13:05:18 -05:00
parent 3d100841f6
commit 8852fa90d2
No known key found for this signature in database
GPG Key ID: DF77A5C8C7923E6F
1 changed files with 17 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
README.md
View File

@ -227,8 +227,9 @@ You can authenticate with workload identity federation or a service account.
#### Workload identity federation #### Workload identity federation
Your service account must have permission to push to GAR. Use the Configure [Direct Workload Identity Federation](https://github.com/google-github-actions/auth/blob/v2.1.10/README.md#preferred-direct-workload-identity-federation) for GitHub Actions in Google Cloud and avoid long-lived GCP credentials.
`google-github-actions/auth` action to authenticate using workload identity as Make sure to grant the [principal identity](https://cloud.google.com/iam/docs/workload-identity-federation#principal-types) enough permissions to the GAR repository (E.g.: `roles/artifactregistry.writer`).
Use the `google-github-actions/auth@v2` action to authenticate using workload identity as
shown in the following example: shown in the following example:
```yaml ```yaml
@ -238,6 +239,11 @@ on:
push: push:
branches: main branches: main
env:
GCP_PROJECT: ${{ secrets.GCP_PROJECT }}
WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
REGISTRY_URL: ${{ secrets.REGISTRY_URL }}
jobs: jobs:
login: login:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -245,28 +251,23 @@ jobs:
- -
name: Authenticate to Google Cloud name: Authenticate to Google Cloud
id: auth id: auth
uses: google-github-actions/auth@v1 uses: google-github-actions/auth@v2
with: with:
token_format: access_token project_id: ${{ env.GCP_PROJECT }}
workload_identity_provider: <workload_identity_provider> workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }}
service_account: <service_account>
- -
name: Login to GAR name: Login to Google Artifact Registry
uses: docker/login-action@v3 uses: docker/login-action@v3
with: with:
registry: <location>-docker.pkg.dev registry: ${{ env.REGISTRY_URL}}
username: oauth2accesstoken username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }} password: ${{ steps.auth.outputs.auth_token }}
``` ```
> Replace `<workload_identity_provider>` with configured workload identity > Set `WORKLOAD_IDENTITY_PROVIDER` to the configured workload identity provider. For steps to configure, [see here](https://github.com/google-github-actions/auth/blob/v2.1.10/README.md#inputs).
> provider
> Replace `<service_account>` with configured service account in workload > Set `REGISTRY_URL` to the regional or multi-regional [repository URL](https://cloud.google.com/artifact-registry/docs/repo-organize#locations).
> identity provider which has access to push to GCR
> Replace `<location>` with the regional or multi-regional [location](https://cloud.google.com/artifact-registry/docs/repo-organize#locations)
> of the repository where the image is stored.
#### Service account based authentication #### Service account based authentication