Open sffc opened 11 months ago
unicode-org/icu4x-triage
doesn't change much, it's probably less work to manually update the list.
It's less about the work and more about not being blocked on a specific administrator who knows how to do it.
As a first step, can we use identity federation with allowlisted repos?
Yes, this can be done in a few steps:
It looks like we can use pull_request_target
to grant access to the job from PRs. One tip is that we could use PR labels to conditionally run the job. For inspiration, see:
https://github.com/GoogleCloudPlatform/alloydb-java-connector/blob/main/.github/workflows/ci.yaml
We've been using Workload Identity Federation to access GCP resources from the main repository; it has been working smoothly, and this is the recommended approach by Google for GitHub Actions to access these resources.
However, we don't currently use Workload Identity Federation for actions in forked repositories. We currently have a JSON key shared with core contributors, and those core contributors need to add it manually as a secret in their fork. The advantage of this approach is that it is self-service, but it has a steeper barrier to entry than desired. Also, JSON keys are discouraged since they're subject to credential leakage.
A key difference with Workload Identity Federation is that there is an allowlist of repositories whose GitHub Actions are allowed to access the resources. This allowlist lives inside GCP in the form of Attribute Conditions on a Workload Identity Pool Provider.
Therefore, a clean solution to this credentials problem would be to create a GitHub Webhook that triggers when users are added or removed from the
unicode-org/icu4x-triage
team. The webhook would call the API to add or remove that user from the Workload Identity Federation allowlist. The webhook can be hosted as a Cloud Function similar to the GitHub-Jira bot.Helpful docs links: