search

unicode-org / icu4x

Solving i18n for client-side and resource-constrained environments.
https://icu4x.unicode.org
Other
1.34k stars 174 forks source link

Add webhook to make Workload Identity Providers work on forks #4208

Open sffc opened 11 months ago

sffc commented 11 months ago

We've been using Workload Identity Federation to access GCP resources from the main repository; it has been working smoothly, and this is the recommended approach by Google for GitHub Actions to access these resources.

However, we don't currently use Workload Identity Federation for actions in forked repositories. We currently have a JSON key shared with core contributors, and those core contributors need to add it manually as a secret in their fork. The advantage of this approach is that it is self-service, but it has a steeper barrier to entry than desired. Also, JSON keys are discouraged since they're subject to credential leakage.

A key difference with Workload Identity Federation is that there is an allowlist of repositories whose GitHub Actions are allowed to access the resources. This allowlist lives inside GCP in the form of Attribute Conditions on a Workload Identity Pool Provider.

Therefore, a clean solution to this credentials problem would be to create a GitHub Webhook that triggers when users are added or removed from the unicode-org/icu4x-triage team. The webhook would call the API to add or remove that user from the Workload Identity Federation allowlist. The webhook can be hosted as a Cloud Function similar to the GitHub-Jira bot.

Helpful docs links:

robertbastian commented 11 months ago

unicode-org/icu4x-triage doesn't change much, it's probably less work to manually update the list.

sffc commented 11 months ago

It's less about the work and more about not being blocked on a specific administrator who knows how to do it.

robertbastian commented 11 months ago

As a first step, can we use identity federation with allowlisted repos?

sffc commented 11 months ago

Yes, this can be done in a few steps:

  1. Manually add all contributors to an allowlist in GCP and switch to Workload Identity Federation for the docs build jobs
  2. Write a script that invokes the GCP APIs to update the allowlist that can be run by anyone with sufficient permissions
  3. Configure a cloud function to run the script in response to the GitHub webhook
sffc commented 3 months ago

It looks like we can use pull_request_target to grant access to the job from PRs. One tip is that we could use PR labels to conditionally run the job. For inspiration, see:

https://github.com/GoogleCloudPlatform/alloydb-java-connector/blob/main/.github/workflows/ci.yaml