chore(deps)!: Update GitHub Actions (major) #34
Merged
🧩 Analysis chain
🏁 Script executed:
Repository: ByronWilliamsCPA/python-libs
Length of output: 8895
🏁 Script executed:
cat .github/workflows/publish-artifact-registry.yml | head -200
Repository: ByronWilliamsCPA/python-libs
Length of output: 6976
🏁 Script executed:
Repository: ByronWilliamsCPA/python-libs
Length of output: 8895
🌐 Web query:
google-github-actions/auth credentials_json format documentation

💡 Result:

The credentials_json input for the google-github-actions/auth GitHub Action expects the raw content of a Google Cloud Service Account Key JSON file [1][2]. To use this input correctly:

1. Format: The value must be the valid JSON object exported from the Google Cloud Console for a Service Account [2].
2. Storage: It is strongly recommended to store this JSON as a GitHub Actions Secret [1][2].
3. Best Practice: The documentation advises minifying the JSON into a single-line string before saving it as a GitHub Secret [1]. This prevents issues where GitHub Actions might aggressively sanitize or mask characters (such as curly braces or brackets) if the secret contains multiple lines [1].
4. Usage in YAML: Reference the secret in your workflow file as follows [1][2]:

```yaml
- uses: 'google-github-actions/auth@v3'
  with:
    credentials_json: '${{ secrets.YOUR_SECRET_NAME }}'
```

Important Security Note: Google and the maintainers of google-github-actions/auth strongly prefer using Workload Identity Federation over Service Account Key JSONs [1][3][4]. Workload Identity Federation eliminates the need for long-lived keys, which are a significant security risk if compromised [3][4]. If you must use credentials_json, ensure the service account has the roles/iam.serviceAccountTokenCreator role on itself [1][2].
Citations:
Fix credentials_json to receive raw JSON, not base64-encoded.
The `credentials_json` parameter for `google-github-actions/auth` expects the raw JSON content of a Service Account Key. The secret is base64-encoded (as evidenced by the `base64 -d` decoding on line 192), which will cause authentication to fail at this step.

Store the raw JSON key (minified) as a separate secret (e.g., `GCP_SA_KEY_JSON`), or decode the base64 before passing it: `credentials_json: ${{ fromJSON(base64ToJson(secrets.GCP_SA_KEY_BASE64)) }}` if using base64.
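A local pre-flight check for the mismatch described in the comment above, as an added example that is not code from this pull request or the project: it reports whether a secret value is a raw service account key or a base64-wrapped one, and produces the minified single-line form. The function names and the sample key are assumptions constructed for illustration.

```python
import base64
import binascii
import json

REQUIRED = ("type", "client_email", "private_key")  # present in every SA key file


def _as_key(text):
    """Return the parsed dict if text is service-account-key JSON, else None."""
    try:
        obj = json.loads(text)
    except (ValueError, TypeError):
        return None
    ok = (isinstance(obj, dict) and obj.get("type") == "service_account"
          and all(obj.get(f) for f in REQUIRED))
    return obj if ok else None


def _b64_text(value):
    """Strictly decode base64 (line wraps tolerated); None if not base64 text."""
    try:
        return base64.b64decode("".join(value.split()), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def classify(secret_value):
    """Return 'raw_json', 'base64_json' or 'invalid' for a candidate secret."""
    if _as_key(secret_value) is not None:
        return "raw_json"
    decoded = _b64_text(secret_value)
    ok = decoded is not None and _as_key(decoded) is not None
    return "base64_json" if ok else "invalid"


def minified_key(secret_value):
    """Return the key as single-line JSON, unwrapping base64 when needed."""
    kind = classify(secret_value)
    if kind == "invalid":
        raise ValueError("not a service account key in either encoding")
    text = secret_value if kind == "raw_json" else _b64_text(secret_value)
    return json.dumps(json.loads(text), separators=(",", ":"))


# Constructed sample: placeholder values only, not a real credential.
SAMPLE = {"type": "service_account", "project_id": "example-project",
          "client_email": "ci@example-project.iam.gserviceaccount.com",
          "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"}
RAW = json.dumps(SAMPLE, indent=2)                # as exported: multi-line JSON
B64 = base64.b64encode(RAW.encode()).decode()     # as stored for a `base64 -d` step
```

Run it where the key file already lives, and never echo the value itself into CI logs; only the classification result is safe to print.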