ci: migrate GCP auth to keyless Workload Identity Federation#456
Open
tsavo-at-pieces wants to merge 2 commits into
Conversation
Replace the static GCP service-account key (GCP_CREDENTIALS) with keyless
Workload Identity Federation, per the org-wide incident remediation. The
static key behind GCP_CREDENTIALS was leaked and deleted, breaking CI.
- build.yaml: auth step now uses google-github-actions/auth@v3 with
workload_identity_provider + service_account (no credentials_json), and
adds id-token: write / contents: read permissions to the push-build job.
- Fix undeclared `project_id` input: the auth step referenced
${{ inputs.project_id }} which was never declared (resolved to empty).
Pin project_id to integration-server-326115 (home of the CI SA and the
app-releases-* GCS buckets).
- Drop the now-unused credentials_json secret from build.yaml and remove
the GCP_CREDENTIALS pass-through from staging.yaml and release.yaml.
Co-authored-by: Cursor <cursoragent@cursor.com>
Pull request overview
Migrates the repo’s CI GCP authentication from a static service-account key to keyless Workload Identity Federation (OIDC) to restore GCS uploads in the build pipeline.
Changes:
- Switches the build workflow's GCP auth step to `google-github-actions/auth@v3` using `workload_identity_provider` + `service_account` (no JSON key).
- Removes the `credentials_json`/`GCP_CREDENTIALS` pass-through from staging and release workflow callers.
- Adds explicit job permissions intended to enable OIDC token minting for the upload job.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/staging.yaml | Stops passing GCP_CREDENTIALS into the reusable build workflow. |
| .github/workflows/release.yaml | Stops passing GCP_CREDENTIALS into the reusable build workflow. |
| .github/workflows/build.yaml | Updates Google auth to WIF (OIDC) and adds job permissions for the GCP upload job. |
Comment on lines 14 to 18
| secrets: | ||
| access_token: ${{ secrets.GITHUB_TOKEN }} | ||
| pypi_token: ${{ secrets.PYPI_TOKEN }} | ||
| pypi_test_token: ${{ secrets.PYPI_TEST_TOKEN }} | ||
| ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY }} |
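Review bot: the calling job in staging.yaml passes this `secrets:` block but declares no `permissions:`, so the reusable build.yaml's request for `id-token: write` is capped to `none` and push-build's OIDC auth fails with the error quoted in the follow-up commit ("requesting 'id-token: write', but is only allowed 'id-token: none'"). Add `permissions: { id-token: write, contents: read }` to this job next to the `secrets:` block, matching the builds_client/builds_server pattern the follow-up commit references.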
Comment on lines 13 to 17
| secrets: | ||
| access_token: ${{ secrets.GITHUB_TOKEN }} | ||
| pypi_token: ${{ secrets.PYPI_TOKEN }} | ||
| pypi_test_token: ${{ secrets.PYPI_TEST_TOKEN }} | ||
| ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY }} |
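Review bot: same gap as in staging.yaml: this release.yaml job passes secrets but has no `permissions:` block, so the called workflow gets `id-token: none`. Add `permissions: { id-token: write, contents: read }` here as well, since this is the path that uploads to the production bucket.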
Comment on lines +348 to +350
| permissions: | ||
| id-token: write | ||
| contents: read |
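Review bot: this `permissions:` block in the reusable build.yaml is necessary but not sufficient on its own: a called workflow's token is capped by the calling job, and neither staging.yaml nor release.yaml grants `id-token: write` on the job that invokes build.yaml, so `push-build` still ends up with `id-token: none`. Suggest landing the caller-side `permissions: { id-token: write, contents: read }` in this same PR rather than as a follow-up, and keeping `contents: read` as the only other scope here unless a later step writes to the repo.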
The reusable build.yaml requests id-token: write for WIF auth, but a
called workflow's token is capped by the caller. staging.yaml and
release.yaml had no permissions block on the build job, so id-token
defaulted to none and push-build OIDC auth would fail with
"requesting 'id-token: write', but is only allowed 'id-token: none'".
Add permissions: { id-token: write, contents: read } to the calling job
in both, matching the builds_client/builds_server pattern.
Co-authored-by: Cursor <cursoragent@cursor.com>
mark-at-pieces approved these changes on Jun 15, 2026
Summary
Migrates this repo's CI from a static GCP service-account key to keyless Workload Identity Federation (WIF), as part of the org-wide incident remediation.
The static key behind the `GCP_CREDENTIALS` secret (SA `github-actions@integration-server-326115.iam.gserviceaccount.com`) was leaked and deleted, so the `push-build` job's GCS uploads are currently broken. This restores them keylessly.
What changed
- `build.yaml` auth step → `google-github-actions/auth@v3` using `workload_identity_provider` + `service_account` (no `credentials_json`), matching the `builds_server` reference (PRs 🧩 Refactor 🧩 #19 / Fix: Resolve more errors so the cli runs #20).
- Adds `permissions: { id-token: write, contents: read }` to the `push-build` job (required for OIDC token minting).
- Fixes the `project_id` input bug: the auth step referenced `${{ inputs.project_id }}`, but `project_id` was never declared as a workflow input (only `deploy` was), so it silently resolved to empty. Now pinned to `integration-server-326115`, the home project of the CI SA and the `app-releases-production`/`app-releases-staging` GCS buckets.
- Drops the `credentials_json` secret from `build.yaml` and the `GCP_CREDENTIALS` pass-through from `staging.yaml` and `release.yaml`.
GCP backing changes (already applied)
- `roles/iam.workloadIdentityUser` binding added on the CI SA for `principalSet://.../attribute.repository/pieces-app/cli-agent` (provider `projects/497784144587/.../github-pool/providers/github-provider`).
- `gsutil` (no Cloud Run / Artifact Registry / image deploy).
- The `GCP_CREDENTIALS` repo secret is intentionally left in place (not deleted) and can be removed once this is verified.
Test plan
- Staging (push to `main`/`feat-headless`) and confirm the `push-build` job authenticates via WIF and `gcloud info` shows the impersonated SA.
- `gsutil cp` uploads to `gs://app-releases-staging/...` succeed.
- Release → production bucket uploads.
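As an added illustration (not this PR's actual files), the caller/callee pairing the two commits describe: the calling job in staging.yaml grants `id-token: write` so the reusable build.yaml can mint an OIDC token, and build.yaml's auth step uses `workload_identity_provider` + `service_account` with `project_id` pinned and no `credentials_json`. The `<POOL>`, `<PROVIDER>` and `<PATH>` segments, the `dist/*` artifact glob and the `deploy: true` value are placeholders; the project number, SA e-mail, secret names and bucket are taken from the PR.

```yaml
# .github/workflows/staging.yaml (caller) -- illustrative, not the PR's file
name: staging
on:
  push:
    branches: [main, feat-headless]
jobs:
  build:
    # A called workflow's token can never exceed what the caller grants, so
    # the grant that lets build.yaml mint an OIDC token must live here.
    permissions:
      id-token: write
      contents: read
    uses: ./.github/workflows/build.yaml
    with:
      deploy: true
    secrets:
      access_token: ${{ secrets.GITHUB_TOKEN }}
      pypi_token: ${{ secrets.PYPI_TOKEN }}
      pypi_test_token: ${{ secrets.PYPI_TEST_TOKEN }}
      ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY }}
---
# .github/workflows/build.yaml (reusable) -- illustrative, not the PR's file
on:
  workflow_call:
    inputs:
      deploy: { type: boolean, default: false }   # the only declared input
    secrets:
      access_token: { required: true }
      pypi_token: { required: true }
      pypi_test_token: { required: true }
      ssh_private_key: { required: true }
jobs:
  push-build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # honoured only because the calling job granted it too
      contents: read
    steps:
      - uses: actions/checkout@v4
      - id: auth
        uses: google-github-actions/auth@v3
        with:
          # <POOL>/<PROVIDER> are placeholders; no credentials_json anywhere
          workload_identity_provider: projects/497784144587/locations/global/workloadIdentityPools/<POOL>/providers/<PROVIDER>
          service_account: github-actions@integration-server-326115.iam.gserviceaccount.com
          project_id: integration-server-326115   # pinned; no undeclared input
      - uses: google-github-actions/setup-gcloud@v2
      - run: gcloud auth list   # active account should be the impersonated SA
      - run: gsutil cp dist/* gs://app-releases-staging/<PATH>
```

If the caller-side `permissions:` block is omitted, the auth step fails at token minting with the "requesting 'id-token: write', but is only allowed 'id-token: none'" error quoted in the second commit.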