Describe the bug
When using Workload Identity Federation on GitHub Actions, Flank fails because the Google auth token is missing the Google Cloud Project name.
To Reproduce
Steps to reproduce the behavior:
Configure a GitHub Actions workflow with Workload Identity Federation via the Google Auth GitHub Action to generate the token for Firebase Test Lab.
Run the action. (In our case, we're using Fladle.)
Expected behavior
Flank fails with a nice error message, e.g. "Google Cloud Project could not be read from the Google Cloud auth token. Please set the GOOGLE_CLOUD_PROJECT environment variable."
Actual behavior
Flank fails with an error message which doesn't immediately make the issue clear. When migrating from long-lived service tokens to workload identity federation, the solution is not immediately obvious because it worked before and it is difficult to inspect the short-lived token generated on CI.
Details (please complete the following information):
Additional context
The token provided by the doesn't include the Google Cloud Project name, which is a difference from creating a traditional long-lived service key.
There is one other issue, which is that once the GOOGLE_CLOUD_PROJECT environment variable is set, Flank still reports this exception in the log but allows the build to continue successfully. This could probably be suppressed if GOOGLE_CLOUD_PROJECT is set.
java.lang.NullPointerException: null cannot be cast to non-null type kotlin.String
Parsing /home/runner/work/secant-android-wallet/secant-android-wallet/gha-creds-e49e0.json failed:
kotlin.Unit
at ftl.args.ArgsHelper.getProjectIdFromJson(ArgsHelper.kt:200)
at ftl.args.ArgsHelper.fromUserProvidedCredentials(ArgsHelper.kt:195)
at ftl.args.ArgsHelper.getUserProjectId(ArgsHelper.kt:188)
at ftl.args.ArgsHelper.getDefaultProjectIdOrNull(ArgsHelper.kt:185)
at ftl.config.common.CommonFlankConfig$Companion.default(CommonFlankConfig.kt:237)
at ftl.config.CreateKt.defaultAndroidConfig(Create.kt:16)
at ftl.domain.RunTestAndroidKt.invoke(RunTestAndroid.kt:47)
at ftl.presentation.cli.firebase.test.android.AndroidRunCommand.run(AndroidRunCommand.kt:58)
at picocli.CommandLine.executeUserObject(CommandLine.java:1939)
at picocli.CommandLine.access$1300(CommandLine.java:145)
at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2352)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2346)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2311)
at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2179)
at picocli.CommandLine.execute(CommandLine.java:2078)
at ftl.Main$main$1.invoke(Main.kt:12)
at ftl.Main$main$1.invoke(Main.kt:10)
at ftl.run.exception.ExceptionHandlerKt.withGlobalExceptionHandling(ExceptionHandler.kt:28)
at ftl.run.exception.ExceptionHandlerKt.withGlobalExceptionHandling(ExceptionHandler.kt:17)
at ftl.Main.main(Main.kt:10)
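A CI preflight check for the situation reported above, as an added example that is not Flank's code and not part of the original report. It assumes the federated credentials file is a JSON document of type `external_account` with no `project_id` field, unlike a service account key; the function names and both sample documents are constructed for illustration.

```python
import json

# Constructed samples, not real credentials.
SERVICE_ACCOUNT_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "REDACTED",
    "client_email": "ci@example-project.iam.gserviceaccount.com",
})
FEDERATED_CONFIG = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/123456789/locations/global"
                "/workloadIdentityPools/example-pool/providers/example-provider",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
})


def present_fields(credentials_json):
    """Return field names only, so no secret value reaches the CI log."""
    return sorted(json.loads(credentials_json))


def resolve_project(credentials_json, env):
    """Return (project_id, source, credential_type) or raise a clear error."""
    try:
        creds = json.loads(credentials_json)
    except ValueError as exc:
        raise ValueError("credentials file is not valid JSON") from exc
    if not isinstance(creds, dict):
        raise ValueError("credentials file is not a JSON object")
    cred_type = creds.get("type")
    project = creds.get("project_id")
    # Service account keys carry project_id; federated configs do not.
    if isinstance(project, str) and project:
        return project, "credentials file", cred_type
    project = env.get("GOOGLE_CLOUD_PROJECT")
    if project:
        return project, "GOOGLE_CLOUD_PROJECT", cred_type
    raise ValueError(
        f"Google Cloud Project could not be read from the {cred_type} "
        "credentials. Please set the GOOGLE_CLOUD_PROJECT environment variable."
    )
```

Run against the file the auth step writes, `present_fields` shows which keys exist without printing their values, which helps when the short-lived file cannot be inspected after the job ends.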