From fc5ee9527687459b6dab40678cc4725f790f2c38 Mon Sep 17 00:00:00 2001
From: Rustie Lin
Date: Wed, 18 Jun 2025 15:00:52 -0700
Subject: [PATCH] [gha] fix artifactregistry login
---
 .github/workflows/ci.yml | 26 +++++++++++++++++++++++---
 package.json | 3 ++-
 2 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 52469a822..33f399bbe 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,8 +5,10 @@ on:
 branches:
 - main
 pull_request:
- branches:
- - main
+
+permissions:
+ contents: read
+ id-token: write #required for GCP Workload Identity federation which we use to login into Google Artifact Registry
 jobs:
 lint:
@@ -14,13 +16,31 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+
 - uses: pnpm/action-setup@v4
 with:
 version: 9.15.1
+
 - uses: actions/setup-node@v4
 with:
 node-version: '23'
 cache: 'pnpm'
 registry-url: "https://registry.npmjs.org"
- - run: pnpm install --frozen-lockfile
+
+ - name: Authenticate to Google Cloud
+ uses: google-github-actions/auth@v2
+ with:
+ workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+ service_account: ${{ vars.GCP_SERVICE_ACCOUNT_EMAIL }}
+ create_credentials_file: true # This exports the GOOGLE_APPLICATION_CREDENTIALS env var which is commonly used by CLIs
+ project_id: aptos-registry
+
+ - name: Login to GCP Artifact Registry
+ run: pnpm artifactregistry-login
+ env:
+ GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.create_credentials_file.outputs.credentials_file }}
+
+ - name: Install Dependencies
+ run: pnpm install --frozen-lockfile
+
 - run: pnpm lint
diff --git a/package.json b/package.json
index c8be2ebb2..9dc34ab28 100644
--- a/package.json
+++ b/package.json
@@ -6,7 +6,8 @@
 "dev": "turbo dev",
 "lint": "turbo lint",
 "fmt": "turbo run fmt",
- "spellcheck": "turbo run spellcheck"
+ "spellcheck": "turbo run spellcheck",
+ "artifactregistry-login": "pnpm dlx google-artifactregistry-auth"
 },
 "dependencies": {
 "turbo": "2.5.0"
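Review bot: `id-token: write` is granted at workflow level, so every job in this workflow can request an OIDC token, and the same hunk drops the `branches: main` filter, so the workflow now runs for pull requests against any branch. Only the steps that authenticate to Google Cloud need the token; consider keeping `contents: read` at the top and moving `id-token: write` into a `permissions:` block under `jobs.lint`. Any other jobs lie outside this hunk, so confirm none of them relies on the workflow-level grant. The workload identity provider's attribute condition on the GCP side should also restrict which repository and refs may impersonate the service account, since more refs now reach this path.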
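Review bot: The `env:` on the "Login to GCP Artifact Registry" step reads `steps.create_credentials_file.outputs.credentials_file`, but no step in this hunk declares `id: create_credentials_file` (that is an input name on the auth step, not a step id), so the expression resolves to an empty string and overrides the `GOOGLE_APPLICATION_CREDENTIALS` value the auth action already exports. Either drop the `env:` block, or add `id: auth` to the "Authenticate to Google Cloud" step and use `${{ steps.auth.outputs.credentials_file_path }}`. Pull requests from forks are not granted `id-token: write`, so the auth step will likely fail for them; decide whether that is intended or whether the two GCP steps need an `if:` guard. Pinning `google-github-actions/auth` to a full commit SHA instead of `@v2` is worth doing for a step that handles cloud credentials.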
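Review bot: `pnpm dlx google-artifactregistry-auth` downloads and executes whatever version of the package is current at run time, outside the lockfile, in a CI step that has Google Cloud credentials available. Pin the version so a compromised or changed release cannot run there unnoticed, e.g. `"artifactregistry-login": "pnpm dlx google-artifactregistry-auth@<pinned-version>"`. The `scripts` object starts and ends outside this hunk.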