googleapis / google-cloud-cpp

C++ Client Libraries for Google Cloud Services
https://cloud.google.com/
Apache License 2.0

Use Workload Identity Federation for GHA build cache #12898

Open coryan opened 11 months ago

coryan commented 11 months ago

The build cache for GitHub Actions uses a service account key. These expire after 90d and need to be manually rotated. We could use Workload Identity Federation (WIF) to configure the cache.

We already have a workflow using WIF:

https://github.com/googleapis/google-cloud-cpp/blob/17c04558715c9c5492be40cd00cd13ca7677761d/.github/workflows/external-account-integration.yml#L64-L71

And apparently both sccache and Bazel support WIF:

https://github.com/mozilla/sccache/blob/main/docs/Gcs.md#external-accounts
https://www.omerlh.info/2022/05/16/how-to-fast-and-secure-builds-with-bazel-remote-cache/

It seems like it is "simply" a matter of gluing all the pieces together.
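The "gluing" the comment describes, as an added example that is not part of the issue or of the google-cloud-cpp repository: a GitHub Actions job that exchanges the runner's OIDC token for a short-lived Google Cloud credential with `google-github-actions/auth`, then hands that credential to sccache and to Bazel's GCS remote cache. The project number, pool, provider, service account and bucket are placeholders; the assumption that sccache accepts the federated `external_account` credential file through `SCCACHE_GCS_KEY_PATH` is based on the sccache Gcs.md external-accounts section linked above and is not confirmed by this issue.

```yaml
# Added example, not from the google-cloud-cpp repository: a GitHub Actions job that
# obtains short-lived Google Cloud credentials through Workload Identity Federation
# and points sccache and Bazel at a GCS build cache with them. No long-lived service
# account key is stored in repository secrets, so there is nothing to rotate every 90d.
# All identifiers (PROJECT_NUMBER, POOL_ID, PROVIDER_ID, PROJECT_ID, BUILD_CACHE_BUCKET)
# are placeholders.
name: wif-build-cache-example

on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # required so the job can request a GitHub OIDC token

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Exchanges the GitHub OIDC token for a federated Google Cloud credential and
      # writes an external_account credential file (also exported as
      # GOOGLE_APPLICATION_CREDENTIALS for Application Default Credentials).
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID
          service_account: build-cache-writer@PROJECT_ID.iam.gserviceaccount.com

      # sccache: point SCCACHE_GCS_KEY_PATH at the federated credential file.
      # (Assumed to work per sccache's Gcs.md "external accounts" section.)
      - name: Build with sccache
        env:
          SCCACHE_GCS_BUCKET: BUILD_CACHE_BUCKET
          SCCACHE_GCS_RW_MODE: READ_WRITE
          SCCACHE_GCS_KEY_PATH: ${{ steps.auth.outputs.credentials_file_path }}
          CMAKE_CXX_COMPILER_LAUNCHER: sccache
        run: |
          cmake -S . -B build
          cmake --build build
          sccache --show-stats

      # Bazel: --google_default_credentials uses Application Default Credentials,
      # which resolve to the same federated credential file written by the auth step.
      - name: Build with Bazel remote cache
        run: |
          bazel build //... \
            --remote_cache=https://storage.googleapis.com/BUILD_CACHE_BUCKET \
            --google_default_credentials
```

The access control lives outside the workflow: the IAM binding that lets the pool's principals impersonate `build-cache-writer` should be scoped to this repository (and, for write access, to the branches that are allowed to populate the cache), so that a fork or an unrelated workflow presenting a GitHub OIDC token cannot obtain the credential. Read-only consumers can use a second service account with only object-read permission on the bucket.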

alevenberg commented 10 months ago

Subscribing for updates. I will try and get to it this week if I have time. Or next operator shift.

scotthart commented 5 months ago

This would remove the key update maintenance we currently perform. We want to do it. We need to test to see if WIF works with sccache and bazel for this to move forward.