export_default_credentials should place credentials outside of the workspace
TL;DR
GOOGLE_APPLICATION_CREDENTIALS should be stored in the action temporary directory, not in the checked out repository. Doing so creates a dirty git state.
Expected behavior
git state is not dirty after exporting GOOGLE_APPLICATION_CREDENTIALS.
Observed behavior
git state is dirty and shows up in automatic version detection and other release automation tools. https://goreleaser.com/, for instance, will hard fail if git state is dirty during a non-snapshot release.
Reproduction
Action YAML
name: Release
on:
  release:
    types:
      - published
jobs:
  goreleaser:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Unshallow
        run: git fetch --prune --unshallow
      - name: Set up Go
        uses: actions/setup-go@v1
        with:
          go-version: 1.14.x
      - uses: GoogleCloudPlatform/github-actions/setup-gcloud@master
        with:
          project_id: myproject
          service_account_key: ${{ secrets.GCP_SERVICE_ACCOUNT }}
          export_default_credentials: true
      - name: Gcloud login
        run: gcloud auth configure-docker
      - name: Check git status
        run: git status
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v1
        with:
          version: latest
          args: release --config .github/goreleaser.yaml
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Repository
https://github.com/pomerium/pomerium/runs/891636795#step:9:31
Additional information
No
Issue Analytics
- State:
- Created 3 years ago
- Reactions:2
- Comments:5 (2 by maintainers)
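A check for the condition reported above, written as an added example rather than code from the issue or from the action: it fails when the exported key file resolves to a location inside the checkout, including through a symlinked directory. The function names are hypothetical; GOOGLE_APPLICATION_CREDENTIALS and GITHUB_WORKSPACE are the variables named on this page.

```shell
# Added example (not from the action's code base); function names are hypothetical.
# GOOGLE_APPLICATION_CREDENTIALS and GITHUB_WORKSPACE are the variables from the issue.

# Print the physical path of $1: symlinks in the directory part are followed,
# and the file itself does not have to exist yet.
resolve_path() {
  local dir base
  dir=$(dirname "$1")
  base=$(basename "$1")
  dir=$(cd "$dir" 2>/dev/null && pwd -P) || return 1
  printf '%s/%s\n' "${dir%/}" "$base"
}

# Return 0 if credentials file $1 is located under workspace directory $2,
# 1 if it is elsewhere, 2 if either path cannot be resolved.
creds_in_workspace() {
  local creds ws
  creds=$(resolve_path "$1") || return 2
  ws=$(cd "$2" 2>/dev/null && pwd -P) || return 2
  case "$creds" in
    "${ws%/}"/*) return 0 ;;  # the "/" keeps /work/repo from matching /work/repo-old
    *) return 1 ;;
  esac
}

# Guard for a workflow step: fail when the exported key file is in the checkout.
check_credentials_location() {
  local creds ws
  creds=${GOOGLE_APPLICATION_CREDENTIALS:-}
  ws=${GITHUB_WORKSPACE:-}
  if [ -z "$creds" ] || [ -z "$ws" ]; then
    return 0  # nothing exported, nothing to check
  fi
  if creds_in_workspace "$creds" "$ws"; then
    echo "GOOGLE_APPLICATION_CREDENTIALS points inside GITHUB_WORKSPACE;" \
         "the key file will appear as untracked in git status" >&2
    return 1
  fi
  return 0
}
```

Calling check_credentials_location in a run step after the credentials are exported and before the release step turns the dirty-tree condition into an explicit failure with a clear message.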
Hi @sethvargo, as I see it, GH actions do not mount /home/runner/work/_temp/uuidv inside Docker-based actions. After this change, I have lost the ability to use a file with the GCP JSON key inside my Docker container. Previously it was process.env.GITHUB_WORKSPACE, which is mounted inside the Docker container as a volume, and I had the path to the GCP key inside the GOOGLE_APPLICATION_CREDENTIALS variable during execution of the GH action.