Closed ludusrusso closed 1 year ago
Hi there @ludusrusso :wave:!
Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.
Hi @ludusrusso
You should not need this line:
```yaml
- run: gcloud auth login --cred-file=${{ steps.auth.outputs.credentials_file_path }}
```
The setup-gcloud action consumes the exported credentials from auth automatically.
What does the `npm publish` target actually do?
Hi @sethvargo, I know that that line is not required, it was an attempt to solve it as suggested here: https://github.com/google-github-actions/auth/issues/122#issuecomment-1027226409
`npm publish` should deploy on a google cloud artifact npm registry I've created, but as you can see the problem is on the line `npm run artifactregistry-login`.
Right, but what commands are those `npm` running under the hood in the package.json?
here is the package.json file
```json
{
  "name": "@rc-dev/rc-flow",
  "version": "1.0.0-SNAPSHOT",
  "type": "module",
  "files": [
    "lib"
  ],
  "main": "./lib/rc-flow.umd.js",
  "module": "./lib/rc-flow.es.js",
  "types": "./lib/main.d.ts",
  "scripts": {
    "dev": "vite",
    "build": "tsc && vite build && tailwindcss -o ./lib/styles.css",
    "preview": "vite preview",
    "test": "jest",
    "artifactregistry-login": "npx google-artifactregistry-auth"
  },
  "dependencies": {
    "@emotion/styled": "^11.10.5",
    "@headlessui/react": "^1.7.7",
    "@heroicons/react": "^2.0.13",
    "cuid": "^2.1.8",
    "prettier": "^2.8.3"
  },
  "devDependencies": {
    "@types/jest": "^29.2.5",
    "@types/node": "^18.11.18",
    "@types/react": "^18.0.26",
    "@types/react-dom": "^18.0.9",
    "@vitejs/plugin-react": "^3.0.0",
    "autoprefixer": "^10.4.13",
    "google-artifactregistry-auth": "^3.0.2",
    "jest": "^29.3.1",
    "postcss": "^8.4.21",
    "tailwindcss": "^3.2.4",
    "ts-jest": "^29.0.5",
    "ts-node": "^10.9.1",
    "typescript": "^4.9.4",
    "vite": "^4.0.0",
    "vite-plugin-dts": "^1.7.1"
  },
  "peerDependencies": {
    "react": ">=18.2.0",
    "react-dom": ">=18.2.0",
    "reactflow": ">=11.4.2",
    "zustand": ">=4.3.2"
  }
}
```
Anyway it works with credential passed as json keys to the action. The problem seems to be in the workload identity.
This is the action that works:
```yaml
name: Node.js Package
on:
  push:
    branches: [ main ]
jobs:
  publish-npm:
    runs-on: ubuntu-latest
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - uses: actions/checkout@v3
      - name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@v1
        with:
          # workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
          # service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
          project_id: ${{ secrets.GCP_PROJECT_ID }}
          credentials_json: ${{ secrets.GCP_ARTIFACTORY_SERVICE_ACCOUNT}}
      - name: 'Set up Cloud SDK'
        uses: 'google-github-actions/setup-gcloud@v1'
      - uses: actions/setup-node@v2
        with:
          node-version: "16"
      - run: npm install
      - run: npm run build
      - run: sed -i "s/1.0.0-SNAPSHOT/0.0.0-build-${GITHUB_RUN_NUMBER}/g" package.json
      - run: npm run artifactregistry-login
      - run: npm publish
```
What does `npx google-artifactregistry-auth` do?
It should perform login with google npm artifact registry in order to do `npm publish` on a private registry https://cloud.google.com/artifact-registry/docs/nodejs/authentication?hl=it
It sounds like https://www.npmjs.com/package/google-artifactregistry-auth does not support Workload Identity Federation. I would suggest opening an issue against that repository to support WIF.
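The thread's observation that the JSON key works while Workload Identity Federation does not comes down to two different credential-file formats; this added example (not code from the thread or from either project) classifies such a file without printing any secret. It assumes the file path is in `GOOGLE_APPLICATION_CREDENTIALS`, and the sample values are constructed placeholders.

```javascript
// Added example: report which kind of Google credential file is present.
function classifyCredentials(cred) {
  switch (cred?.type) {
    case 'service_account':
      // Exported long-lived key: the format a credentials_json secret holds.
      return { kind: 'service-account-key', principal: cred.client_email || null,
        hasPrivateKey: typeof cred.private_key === 'string' };
    case 'external_account': {
      // Workload Identity Federation config: no private key, only instructions
      // for exchanging an external (OIDC) token for a Google access token.
      const src = cred.credential_source || {};
      const tokenSource = ['url', 'file', 'executable'].find((k) => k in src) || 'unknown';
      const m = (cred.service_account_impersonation_url || '')
        .match(/serviceAccounts\/([^:/]+):generateAccessToken$/);
      return { kind: 'workload-identity-federation', audience: cred.audience || null,
        tokenSource, impersonates: m ? m[1] : null, hasPrivateKey: false };
    }
    case 'authorized_user':
      return { kind: 'user-refresh-token', hasPrivateKey: false };
    default:
      return { kind: 'unknown', detail: `type=${String(cred?.type)}` };
  }
}

// Constructed sample of a federation config (placeholder values only).
const SAMPLE_WIF = {
  type: 'external_account',
  audience: '//iam.googleapis.com/projects/0/locations/global/workloadIdentityPools/example-pool/providers/example-provider',
  credential_source: { url: 'https://example.invalid/token' },
  service_account_impersonation_url:
    'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/ci@example-project.iam.gserviceaccount.com:generateAccessToken',
};

// Reads the file at the given path; dynamic import works in CJS and ESM.
async function checkCredentialsFile(path) {
  const { readFileSync } = await import('node:fs');
  return classifyCredentials(JSON.parse(readFileSync(path, 'utf8')));
}

// Assumption: the auth step exported the path in this environment variable.
if (process.env.GOOGLE_APPLICATION_CREDENTIALS) {
  checkCredentialsFile(process.env.GOOGLE_APPLICATION_CREDENTIALS)
    .then((r) => console.log(JSON.stringify(r)))
    .catch((e) => console.error(`cannot read credentials: ${e.message}`));
}
```

A result of `workload-identity-federation` means any tool that looks for `private_key` in that file will not find one.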
TL;DR
Not sure what I'm missing but I've a similar issue of #122, setup authentication with workload identity federation but getting the following error with google-artifactregistry-auth
Can anyone help?
Expected behavior
No response
Observed behavior
No response
Action YAML
Log output
Additional information
No response